Skynet Skynet - Router Firewall & Security Enhancements

[^Tripper^]

Update: It's been two days since installing SkyNet and so far everything seems to be running well.

Is there a best practice setup after installing it (for general use) or does simply installing SkyNet take care of all this?

Remember to keep the nuclear launch codes away from it.

 

[viirgon]

I was trying to reinstall Diversion and Skynet from scratch; Diversion went fine but with Skynet, after going through the options, and getting the status Restarting Firewall Service to Complete Installation. and then Done. Nothing happens and it appears installation didnt proceed further. Any advice?

I was reinstalling because the swap file seems to be corrupted. Even though the swap file was not created (I reformated the USB drive), Diversion seems to think there is a swap file present.

The Merlin firmware is 384.10_2.

 

[Adamm]

I was trying to reinstall Diversion and Skynet from scratch; Diversion went fine but with Skynet, after going through the options, and getting the status Restarting Firewall Service to Complete Installation. and then Done. Nothing happens and it appears installation didnt proceed further. Any advice?

I just updated the Merlin firmware to 384.10_2 so not sure if it is related to that.

What is the output of;

sh /jffs/scripts/firewall debug info

 

[viirgon]

What is the output of;

sh /jffs/scripts/firewall debug info

sh /jffs/scripts/firewall debug info
########################################################################################
# _____ _ _ __ #
# / ____| | | | / / #
# | (___ | | ___ _ _ __ ___| |_ __ __/ /_ #
# \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \ #
# ____) | <| |_| | | | | __/ |_ \ V /| (_) | #
# |_____/|_|\_\\__, |_| |_|\___|\__| \_/ \___/ #
# __/ | #
# |___/ #
# #
## - 27/03/2019 - Asus Firewall Addition By Adamm v6.8.4 #
## https://github.com/Adamm00/IPSet_ASUS #
########################################################################################

Router Model; RT-AC86U
Skynet Version; (27/03/2019) (d44e095d7dbcf1946be09ced53b4367f)
iptables v1.4.15 - (eth0 @ 192.168.50.1)
ipset v6.32, protocol version: 6
IP Address; (60.225.50.217)
FW Version; 384.10_2 (Apr 3 2019) (4.1.27)
Install Dir; /tmp/mnt/DIVERSION/skynet (1.8G / 1.9G Space Available)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/DIVERSION/skynet
Uptime; 0 days, 0 hours, 50 minutes.
Ram Available; (130M / 430M)

-------------------- | ----------
| Test Description | | | Result |
-------------------- | ----------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
SWAP | [Failed]
Cron Jobs | [Failed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
Inbound Filter Rules | [Failed]
Inbound Debug Rules | [Failed]
Outbound Filter Rules | [Failed]
Outbound Debug Rules | [Failed]
Whitelist IPSet | [Failed]
BlockedRanges IPSet | [Failed]
Blacklist IPSet | [Failed]
Skynet IPSet | [Failed]
Diversion Plus Content | [Failed]


----------- | ----------
| Setting | | | Status |
---------- | ----------

Autoupdate | [Enabled]
Auto-Banmalware Update | [Enabled]
Debug Mode | [Enabled]
Filter Traffic | [Enabled]
Unban PrivateIP | [Enabled]
Log Invalid | [Disabled]
Ban AiProtect | [Enabled]
Secure Mode | [Enabled]
Fast Switch | [Disabled]
Syslog Location | [Default]
IOT Blocking | [Disabled]
Country Lookup For Stats | [Disabled]

7/18 Tests Sucessful

 

[Adamm]

sh /jffs/scripts/firewall debug info
########################################################################################
# _____ _ _ __ #
# / ____| | | | / / #
# | (___ | | ___ _ _ __ ___| |_ __ __/ /_ #
# \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \ #
# ____) | <| |_| | | | | __/ |_ \ V /| (_) | #
# |_____/|_|\_\\__, |_| |_|\___|\__| \_/ \___/ #
# __/ | #
# |___/ #
# #
## - 27/03/2019 - Asus Firewall Addition By Adamm v6.8.4 #
## https://github.com/Adamm00/IPSet_ASUS #
########################################################################################

Router Model; RT-AC86U
Skynet Version; (27/03/2019) (d44e095d7dbcf1946be09ced53b4367f)
iptables v1.4.15 - (eth0 @ 192.168.50.1)
ipset v6.32, protocol version: 6
IP Address; (60.225.50.217)
FW Version; 384.10_2 (Apr 3 2019) (4.1.27)
Install Dir; /tmp/mnt/DIVERSION/skynet (1.8G / 1.9G Space Available)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/DIVERSION/skynet
Uptime; 0 days, 0 hours, 50 minutes.
Ram Available; (130M / 430M)

-------------------- | ----------
| Test Description | | | Result |
-------------------- | ----------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
SWAP | [Failed]
Cron Jobs | [Failed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
Inbound Filter Rules | [Failed]
Inbound Debug Rules | [Failed]
Outbound Filter Rules | [Failed]
Outbound Debug Rules | [Failed]
Whitelist IPSet | [Failed]
BlockedRanges IPSet | [Failed]
Blacklist IPSet | [Failed]
Skynet IPSet | [Failed]
Diversion Plus Content | [Failed]


----------- | ----------
| Setting | | | Status |
---------- | ----------

Autoupdate | [Enabled]
Auto-Banmalware Update | [Enabled]
Debug Mode | [Enabled]
Filter Traffic | [Enabled]
Unban PrivateIP | [Enabled]
Log Invalid | [Disabled]
Ban AiProtect | [Enabled]
Secure Mode | [Enabled]
Fast Switch | [Disabled]
Syslog Location | [Default]
IOT Blocking | [Disabled]
Country Lookup For Stats | [Disabled]

7/18 Tests Sucessful

Try running the install command again, it should correct the issues your facing and generate a new swap file.

 

[viirgon]

I did that but no difference.

 

[Adamm]

I did that but no difference.

Can you please give me the output from the installer and anything relevant in the syslog.

 

[viirgon]

output from install is as before. What I could extract from syslog that seems relevant:

Apr 7 13:27:32 Skynet: [*] Skynet Requires A SWAP File - Install One By Running ( /jffs
/scripts/firewall debug swap install )
Apr 7 13:28:04 kernel: DROP IN=eth0 OUT= MAC=4c:ed:fb:90:c0:e8:8a:e0:f3:f3:80:26:08:00
SRC=142.93.62.44 DST=60.225.50.217 LEN=57 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=UDP
SPT=39173 DPT=53413 LEN=37 MARK=0x8000000

 

[Adamm]

output from install is as before. What I could extract from syslog that seems relevant:

Apr 7 13:27:32 Skynet: [*] Skynet Requires A SWAP File - Install One By Running ( /jffs
/scripts/firewall debug swap install )
Apr 7 13:28:04 kernel: DROP IN=eth0 OUT= MAC=4c:ed:fb:90:c0:e8:8a:e0:f3:f3:80:26:08:00
SRC=142.93.62.44 DST=60.225.50.217 LEN=57 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=UDP
SPT=39173 DPT=53413 LEN=37 MARK=0x8000000

There we go, the problem is with your swap file. Run the command specified above;

sh /jffs/scripts/firewall debug swap install

 

[viirgon]

so I uninstall SkyNet which gives me the option to uninstall the swap file (which didnt exist!) and reinstalling it gives me the option again to create the swap file, which resolves the issues. Thanks for your help!

 

[Adamm]

when I run the recommended script, I got this: Command Not Recognized, Please Try Again

That indicates a typo, make sure you are copy and pasting the command exactly as it is in my post.

sh /jffs/scripts/firewall debug swap install

 

[L&LD]

I have seen this in my syslog on the RT-AC86U and wondering if Skynet is working properly?

Part of the output:

Apr  8 19:18:41 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=185.156.177.94 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=48478 PROTO=TCP SPT=55990 DPT=1984 SEQ=2135255105 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr  8 19:19:00 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=80.82.70.216 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=41238 PROTO=TCP SPT=42539 DPT=25868 SEQ=2296649413 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr

Should these messages be showing up if Skynet is blocking them properly?

Am I being too paranoid?

Or is Skynet simply passing these on to the syslog?

 

[dave14305]

I have seen this in my syslog on the RT-AC86U and wondering if Skynet is working properly?

Part of the output:

Apr  8 19:18:41 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=185.156.177.94 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=48478 PROTO=TCP SPT=55990 DPT=1984 SEQ=2135255105 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr  8 19:19:00 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=80.82.70.216 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=41238 PROTO=TCP SPT=42539 DPT=25868 SEQ=2296649413 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr

Should these messages be showing up if Skynet is blocking them properly?

Am I being too paranoid?

Or is Skynet simply passing these on to the syslog?

That would be normal syslog output if debugmode is enabled.

 

[Butterfly Bones]

I have seen this in my syslog on the RT-AC86U and wondering if Skynet is working properly?

Part of the output:

Apr  8 19:18:41 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=185.156.177.94 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=48478 PROTO=TCP SPT=55990 DPT=1984 SEQ=2135255105 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr  8 19:19:00 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=80.82.70.216 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=41238 PROTO=TCP SPT=42539 DPT=25868 SEQ=2296649413 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr

Should these messages be showing up if Skynet is blocking them properly?

Am I being too paranoid?

Or is Skynet simply passing these on to the syslog?

Yes, if you have Debug Mode enabled (Settings 11 > 3) they will show OR just add a filter to syslog-ng to clean them out. I think someone has already posted one to copy and paste.

 

[cmkelley]

Yes, if you have Debug Mode enabled (Settings 11 > 3) they will show OR just add a filter to syslog-ng to clean them out. I think someone has already posted one to copy and paste.

There's one installed in /opt/share/syslog-ng/examples that can just be copied directly to /opt/etc/syslog-ng.d. Ditto for a logrotate file, just substitute logrotate for syslog-ng in the directories. (if you've installed scribe, that is)

 

[elorimer]

@Adamm, I'm not sure if this is something that can be adjusted, but I'm rassling with a collision between the iptables logging and syslog-ng.

Specifically, iptables is logging through the kernel log at /proc/kmsg (I'm thinking about the BLOCKED and DROP messages). Syslogd picks those up just fine. Syslog-ng picks up some of them cleanly, and others it mangles, generating fragments of messages, sometimes repeating sequences. @Cam notices that the syslog-ng boffins specifically warn of a collision when the kernel and syslog-ng both might be accessing /proc/kmsg, although I'm not sure that is exactly what is going on. It is not in how syslog-ng is massaging the messages, it is how it receives the raw input, so it might be that.

Is there a way of having the debug messaging go through a different process?

 

[Undesirable]

Found a "thing". If the disk label somehow has brackets automatically added to it at some random time post installation, e.g. "RouterHDD(1)" (I didn't change it at any point myself) then the script obviously isn't aware of that and can't find the HDD. Then if I run the firewall script it kicks me out with:

/jffs/scripts/firewall: eval: line 1: syntax error: unexpected "("

So I had to CLI uninstall it and reinstall it.

Just wondered if there was any way to reference the drive in the script other than disk label.

 

[Adamm]

Is there a way of having the debug messaging go through a different process?

Not that I know of, we use the standard IPTables logging.

Found a "thing". If the disk label somehow has brackets automatically added to it at some random time post installation, e.g. "RouterHDD(1)" (I didn't change it at any point myself) then the script obviously isn't aware of that and can't find the HDD. Then if I run the firewall script it kicks me out with:

/jffs/scripts/firewall: eval: line 1: syntax error: unexpected "("

So I had to CLI uninstall it and reinstall it.

Just wondered if there was any way to reference the drive in the script other than disk label.

Skynet adds the path to /jffs/scripts/firewall-start upon installation, mounting issues are unrelated to Skynet. I suggest using amtm and reformatting if this is an ongoing issue.

 

[Poseidon]

Upon checking for an update earlier, I received the following message:

Skynet: [*] Lock File Detected (save) (pid=1282) - Exiting (cpid=3549)

Is this normal or is Skynet not functioning correctly?

Thanks

 

[thelonelycoder]

Upon checking for an update earlier, I received the following message:

Skynet: [*] Lock File Detected (save) (pid=1282) - Exiting (cpid=3549)

Is this normal or is Skynet not functioning correctly?

Thanks

Try again a minute or so later. Skynet performs regular scheduled actions in the background. To prevent interferance by third parties during these operations that message is shown.