What's new

Aegis Aegis (simple yet effective protection)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I am making good progress with version 1.7.0.
Not ready for release yet, as I need to do more testing and adapt then web companion.

When it will be ready, I will first release version 1.6.11 that will allow for anyone wanting to, to beta test the version 1.7.0 (and revert to 1.6.11 if needed).
If all goes ok, after beta phase, I will then release 1.7.0.
 
Hi @HELLO_wORLD ,

Let me start with thanking you for all the good work and frequent updates of aegis! That said, I need to confess I don't use aegis yet, but am following the forum closely.

I'm aiming to install 1.7 on my router when it is released and I have some questions I couldn't find in the Readme / on the forum.

For the common household, what is the benefit compared to the regular r7800 protection? It need be significant looking at the popularity.

Is there the possibility it blocks ip addresses I need? Like work VPN etc?

Is it possible to use it with cron without endware or addon? Would like to keep my R7800 as clean as possible (have rpi running dns/dhcp/vpn, R7800 running voxel firmware only does router stuff).

Appreciated!
 
Hi @HELLO_wORLD ,

Let me start with thanking you for all the good work and frequent updates of aegis! That said, I need to confess I don't use aegis yet, but am following the forum closely.
Thanks!

I'm aiming to install 1.7 on my router when it is released and I have some questions I couldn't find in the Readme / on the forum.

For the common household, what is the benefit compared to the regular r7800 protection? It need be significant looking at the popularity.
The feature aegis offers differs from what is by default on the router.
The protection offered by default is about DDOS, allowing or not ping, and a few basic standard firewall protection.

Aegis allows to block a list of IP addresses.
By default, it includes lists of IPs that should not be found on internet, so if they do, it is likely an attempt to hack, or a device that does not belong on the ISP’s collect network (another customer’s device for example). You don’t want these devices to be able to see your network or communicate with it.
It also includes by default known public IPs used by hackers, spam or malware. Anything coming from these addresses or wanting to send something to them is likely not wanted nor recommended.

Is there the possibility it blocks ip addresses I need? Like work VPN etc?
Yes, the sources list can be changed to get any IP blocklist you want from wherever you want.
Also, you can create your own custom lists of IP addresses to block (blacklists), and you own custom lists of IP to allow (whitelists), if for example you need a specific address or range of addresses to never be blocked (in case they are or would be in a blocking list).

Is it possible to use it with cron without endware or addon?
Short answer: yes.
Not as easy as a crontab should be, as the default crontab can be changed anytime by the firmware, erasing any rule you added, but there are tricks: either hack the firmware crontab (there is one thread about that in this forum) or using the method @kamoj is doing with his addon by simply launching another instance of the cron daemon (the one already in the firmware) with your own crontab.

Would like to keep my R7800 as clean as possible (have rpi running dns/dhcp/vpn, R7800 running voxel firmware only does router stuff).
I totally get that.

Appreciated!
You are welcome!
 
Thanks for the quick and extensive response!

I will wait for v1.7 and probably give it a shot.

Keep on the good work!
 
Hello,
Just used your LOG & TOOLS tab to find an ip I needed to whitelist - thank you!
Aside from telling me the ip i am looking up is blocked, can this tool or another tell me from which blocklist the blocked ip came from?
 
Hello,
Just used your LOG & TOOLS tab to find an ip I needed to whitelist - thank you!
Aside from telling me the ip i am looking up is blocked, can this tool or another tell me from which blocklist the blocked ip came from?

The tool in aegis is not able to tell from which list it is, as they are all merged when downloaded.

You would have to use something like that to test a specific online list (192.168.0.1 being here the ip to test against https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset ) :
Code:
root@HERMES:~$ echo '192.168.0.1' >/tmp/testedip.tmp
root@HERMES:~$ wget -qO- https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset | iprange --common - /tmp/testedip.tmp 
192.168.0.1
root@HERMES:~$ echo $?
0
$? would be 0 if ip is found, 1 if not.

I try to keep aegis as simple and low impact as possible for best performance, and keeping multiple lists makes it more complicated to maintain, check if all is ok, and creates more complexity.
 
The tool in aegis is not able to tell from which list it is, as they are all merged when downloaded.

You would have to use something like that to test a specific online list (192.168.0.1 being here the ip to test against https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset ) :
Code:
root@HERMES:~$ echo '192.168.0.1' >/tmp/testedip.tmp
root@HERMES:~$ wget -qO- https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset | iprange --common - /tmp/testedip.tmp
192.168.0.1
root@HERMES:~$ echo $?
0
$? would be 0 if ip is found, 1 if not.

I try to keep aegis as simple and low impact as possible for best performance, and keeping multiple lists makes it more complicated to maintain, check if all is ok, and creates more complexity.
Thanks, I know I can check each list.
I appreciate the command line iprange check.
So Aegis discards the original blocklist downloads it collects each night and just keeps the merged list?

I ask because I can not find the list which caused aegis to block an IP it was blocking, even using your iprange test.
I don't want to derail the thread, so I just whitelisted the ip address and everything works again.
If you're interested the ip was 23.227.38.65, or myshopify.com.
 
Thanks, I know I can check each list.
I appreciate the command line iprange check.
So Aegis discards the original blocklist downloads it collects each night and just keeps the merged list?
Exactly.
It merges all online lists, optimize and remove comments, etc... into one cached master list.

I ask because I can not find the list which caused aegis to block an IP it was blocking, even using your iprange test.
I don't want to derail the thread, so I just whitelisted the ip address and everything works again.
If you're interested the ip was 23.227.38.65, or myshopify.com.
The online lists are maintained pretty often, some every hour or so. So this ip was at some point in one of the lists, and removed later on (either a false positive, either was only a threat for a short period of time).
This is also why tracking an ip to a specific list (either in the tools or the logs) is tricky. It is doable of course, by saving each list individually, and create as many iptables rules (and ipsets) as there are lists, but it increases complexity and reduces performance, and it is not where I want to go with aegis.
 
Exactly.
It merges all online lists, optimize and remove comments, etc... into one cached master list.


The online lists are maintained pretty often, some every hour or so. So this ip was at some point in one of the lists, and removed later on (either a false positive, either was only a threat for a short period of time).
This is also why tracking an ip to a specific list (either in the tools or the logs) is tricky. It is doable of course, by saving each list individually, and create as many iptables rules (and ipsets) as there are lists, but it increases complexity and reduces performance, and it is not where I want to go with aegis.
Nor would I want you to. Thanks for the system it is.
 
@HELLO_wORLD Many thanks for this useful addon, have been using it for almost 2 weeks and loving it! Can't wait for 1.7.0!

One question, and apologies if it has been mentioned before:

With Aegis we can see blocked inbound/outbound traffic. Is it possible to view the allowed traffic in our R7800 ?

Particularly, I want to monitor to which specific servers my PC is connecting during FIFA21 online gameplay sessions, since i get disconnections either from the game session or from my EA Account completely.
 
Last edited:
@HELLO_wORLD Many thanks for this useful addon, have been using it for almost 2 weeks and loving it! Can't wait for 1.7.0!

One question, and apologies if it has been mentioned before:

With Aegis we can see blocked inbound/outbound traffic. Is it possible to view the allowed traffic in our R7800 ?

Particularly, I want to monitor to which specific servers my PC is connecting during FIFA21 online gameplay sessions, since i get disconnections either from the game session or from my EA Account completely.
aegis does not offer a way to log allowed traffic. This would be a dangerous feature as the logging could create a huge cpu load, particularly softirq as every single packet going through the router would be logged...

That being said, you certainly can create an iptables rule to log anything going out of your PC.
Something like
Code:
iptables -I FORWARD -i br0 -s YOUR-PC-IP -m state --state NEW -j LOG --log-prefix "[PCOUT] "
And then you can get the log using
Code:
grep -F PCOUT /var/log/log-message
Now, be aware that this will catch any new connection coming from your PC, so you should turn everything off using internet on it but the FIFA21.
That should allow you to find the servers your PC is connecting to.
 
Thank you @HELLO_wORLD !

I have to setup this in R7800 right? Installing first iptables from Entware and then running the commands? Won't this create CPU issues in the router?

How can I disable it?

EDIT: Sorry, ok found the way to delete it. During this logging, softirq is running higher but that's ok just for a short time of troubleshooting. Many thanks!
 
Last edited:
Thank you @HELLO_wORLD !

I have to setup this in R7800 right? Installing first iptables from Entware and then running the commands? Won't this create CPU issues in the router?

How can I disable it?
Yes, that setup would be in the R7800.
Now, you could do that from your PC with a software that can listen to traffic (there a plenty I am sure for Windows, but I don't know any, not a Windows expert here). On Mac, there are tools like Little Snitch for that.

For the R7800 way to listen:
No need to install anything with Entware. iptables is already in the firmware.

Do not add this rule in firewall-start.sh script as it would be permanent.
Just type it from the Shell (telnet).
To get rid of it, just type net-wall restart or restart the router.
 
Now, you could do that from your PC with a software that can listen to traffic (there a plenty I am sure for Windows, but I don't know any, not a Windows expert here). On Mac, there are tools like Little Snitch for that.
On Windows, doing a netstat -n from powershell or cmd will show the open networkconnections from and to the pc.

If you open cmd / powershell via "Run as Administrator" then you can also use netstat -nb -> this als shows the process that made the connection.
 
Yes, that setup would be in the R7800.
Now, you could do that from your PC with a software that can listen to traffic (there a plenty I am sure for Windows, but I don't know any, not a Windows expert here). On Mac, there are tools like Little Snitch for that.

For the R7800 way to listen:
No need to install anything with Entware. iptables is already in the firmware.

Do not add this rule in firewall-start.sh script as it would be permanent.
Just type it from the Shell (telnet).
To get rid of it, just type net-wall restart or restart the router.
Many thanks! So any changes I make to iptables does not survive the router reboot?

I also made the same command with -D instead of -I and it removes it as well.

On Windows, doing a netstat -n from powershell or cmd will show the open networkconnections from and to the pc.

If you open cmd / powershell via "Run as Administrator" then you can also use netstat -nb -> this als shows the process that made the connection.
Many thanks, that's another easier workaround :)
 
Many thanks! So any changes I make to iptables does not survive the router reboot?
Exactly. It does not even survive a firewall restart (Net-wall restart).
Only rules written from the firewall-start.sh script are surviving (as they are recreated at each firewall restart).

I also made the same command with -D instead of -I and it removes it as well.
Yes, this is the way to manually delete an iptables rule entry.

Many thanks, that's another easier workaround :)
That is great, and I would start this way.
 
@HELLO_wORLD Thanks for your work.
I've installed your script to the internal memory and have some questions.
Does the script write the log file (when logging is enabled) to NAND flash memory of the router. Does it write any other data to flash when running (with logging disabled).
How should I interpret this data.
Screenshot (204).png

Were all of these connections blocked. Are they from attacking networks/IPs. Aren't they too many for such a short time.
 
Last edited:
@HELLO_wORLD Thanks for your work.
I've installed your script to the internal memory and have some questions.
Does the script write the log file (when logging is enabled) to NAND flash memory of the router. Does it write any other data to flash when running (with logging disabled).
How should I interpret this data.
View attachment 31014
Were all of these connections blocked. Are they from attacking networks/IPs. Aren't they too many for such a short time.
All these entries are blocked connections.

I also get a lot like these. I also get the attached logs on the Logs tab of Netgear under Administration. @HELLO_wORLD Are all these false positives?

I am asking because I get random short Internet interruptions (~5sec) on my devices (PC - Disconnections from Game Servers , MiBoxS - IPTV freezes)
 

Attachments

  • Log.txt
    18.9 KB · Views: 120
Last edited:
@HELLO_wORLD Thanks for your work.
I've installed your script to the internal memory and have some questions.
You are welcome, sure :)

Does the script write the log file (when logging is enabled) to NAND flash memory of the router. Does it write any other data to flash when running (with logging disabled).
No, I avoid writing to NAND as much as possible, and I made a great deal to make the impact on NAND as near to zero as possible (before I even wrote aegis, I lost a R7800 because of a bad NAND, so I got traumatized).
Logging goes strictly to RAM (/var/log/ that is in RAM).
When running, with or without logging, it does not write to NAND.
Exception is when installed in internal memory (your case): when you do change aegis state (from up to down or the reverse), or change the logging state (from enabled to disabled or the reverse), it writes only once its new state in the configuration file that is in /opt/bolemo/etc/config/ therefore in NAND, but it is kind of a one time write, and once aegis is running, it writes nothing at all.
When installed on external drive, it does not write to NAND at all, except what is unavoidable (firewall-start.sh script, symlinks in NAND to directories in external drive...), but even then, it does a minimal change once.

Also, nothing is ever written in the NVRAM from aegis.

How should I interpret this data.
View attachment 31014
Were all of these connections blocked. Are they from attacking networks/IPs. Aren't they too many for such a short time.
Each line is a packet blocked by aegis (incoming in red or outgoing in blue). They all are blocked because they are in the blocklist (and not in whitelist).
Depending on the source lists you are using, there can be some false positive, but it is rare with default lists.
Here, I believe all these connections are unwanted; you would be surprised on how many undesired packets there are, from spam, bots, etc...
You can click on one IP to get more information about it. You can also google those IP and see they are more than often known as bad IPs.
For example, I took one of the IPs from your list: https://www.abuseipdb.com/check/92.63.197.71
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top