Skynet Skynet - Router Firewall & Security Enhancements


Current stats, but still no tab in the GUI of my RT-AC86U running the latest stable Merlin firmware. Don't know how to resolve this.

The WebUI requires firmware v384.15
 
Current stats, but still no tab in the GUI of my RT-AC86U running the latest stable Merlin firmware. Don't know how to resolve this.
Which firmware do you run?
 
Current stats, but still no tab in the GUI of my RT-AC86U running the latest stable Merlin firmware. Don't know how to resolve this.
It's not resolvable. That feature is in the .15 alpha fw, not in the fw you are using.
 
The WebUI requires firmware v384.15
Thanks for that Adamm (and others too) - at least I know it's not something I have done wrong in the installation process.
 
Hi,

I'm new on this forum. Found this site in my search for tips and improvements for my new AC-86U router. I bought this router because of the CPU hardware encryption (AES-NI) used by OpenVPN and it is actually really fast. I installed the Merlin firmware as well. My DNS is now encrypted with DoT and I installed Diversion for adblocking.
I'm looking forward to seeing the amtm and Skynet integration in the GUI. If Skynet and Diversion were not available for this router I would not have bought it (I'm used to working with OpenWrt including all the extra packages and customizing). So thanks for making the Merlin firmware, Skynet and Diversion!

Now I have spent some time exploring Skynet. If I see the stats it seems to work fine out of the box. Unfortunately there is not much information about how to use it. Or at least I cannot find it :)

For now I have 2 questions. Maybe they are stupid but I cannot find it.
1) What source(s) are you using for the malware blocklist? Where can I see which ports are blocked by default?
2) What is the idea of IoT blocking? When is a device marked as an IoT device? Should I block IoT devices and then add custom allowed ports? I don't know
 
1) What source(s) are you using for the malware blocklist? Where can I see which ports are blocked by default?

If enabled, the default malware blacklists include the following sources;

https://github.com/Adamm00/IPSet_ASUS/blob/master/filter.list


2) What is the idea of IoT blocking? When is a device marked as an IoT device? Should I block IoT devices and then add custom allowed ports? I don't know

The IOT blocking feature allows a user to specify specific devices that can only communicate on certain ports. Say for example you want your IP Cameras to only be accessible locally / via VPN and only allow outside connections to NTP servers for an accurate clock.
 
For the suggestion box or the bit bucket:

Skynet searches /tmp/mnt for conflicting scripts and to locate swap files. In my case, I have my Entware USB attached, plus a spinning hard drive I use with Samba for LAN backups of a personal PC. There are a lot of files and folders on that drive and Skynet can take a while to search this drive (especially if it was idled by the router).

For swap searches, can we limit the search depth to 2 (i.e. assume the swap is at the root of the drive)? For conflicting searches, is it safe yet to assume that Skynet has won the internet and only search during initial install and not during every start-up?

Code:
# find /tmp/mnt -maxdepth 2 -name "myswap.swp"
/tmp/mnt/apps/myswap.swp

Thanks for not hitting the "Ignore" button on me. :eek:
 
For swap searches, can we limit the search depth to 2 (i.e. assume the swap is at the root of the drive)?

I agree this is a good point, unfortunately the stripped down version of find included in busybox doesn't support the additional flags;

Code:
skynet@RT-AX88U-DC28:/tmp/home/root# busybox find /tmp/mnt -maxdepth 2 -name "myswap.swp"
find: unrecognized: -maxdepth
BusyBox v1.25.1 (2020-01-26 22:50:21 EST) multi-call binary.

Usage: find [-HL] [PATH]... [OPTIONS] [ACTIONS]

Search for files and perform actions on them.
First failed action stops processing of current file.
Defaults: PATH is current directory, action is '-print'

    -L,-follow    Follow symlinks
    -H        ...on command line only

Actions:
    ! ACT        Invert ACT's success/failure
    ACT1 [-a] ACT2    If ACT1 fails, stop, else do ACT2
    ACT1 -o ACT2    If ACT1 succeeds, stop, else do ACT2
            Note: -a has higher priority than -o
    -name PATTERN    Match file name (w/o directory name) to PATTERN
    -iname PATTERN    Case insensitive -name
    -mtime DAYS    mtime is greater than (+N), less than (-N),
            or exactly N days in the past
If none of the following actions is specified, -print is assumed
    -print        Print file name
    -print0        Print file name, NUL terminated
    -exec CMD ARG ;    Run CMD with all instances of {} replaced by
            file name. Fails if CMD exits with nonzero

fwiw this check only happens if the post-mount entry is missing, so in 99% cases this shouldn't be an issue.

For conflicting searches, is it safe yet to assume that Skynet has won the internet and only search during initial install and not during every start-up?

Done
 
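The depth-limited search that the reply above says BusyBox find cannot do, as an added example (not Skynet's code, nor the forum poster's): `glob_find` does the `-maxdepth` job with POSIX shell globbing alone, and `find_shallow` prefers a full-featured find (such as Entware's findutils) when one is installed. The function names and the `/tmp/mnt` usage at the end are assumptions.

```shell
#!/bin/sh
# Added example, not Skynet's own code: a depth-limited file search for
# BusyBox builds whose find has no -maxdepth. It uses nothing but POSIX sh
# pathname expansion, so it runs on the stock firmware shell.

# glob_find ROOT NAME MAXDEPTH
#   Prints regular files named NAME at most MAXDEPTH levels below ROOT
#   (depth 1 = ROOT/NAME, depth 2 = ROOT/<dir>/NAME, ...), one per line.
glob_find() {
    root=${1%/}; name=$2; depth=${3:-2}
    pattern=$root
    i=1
    old_ifs=$IFS
    IFS=                       # no field splitting: paths with spaces survive
    while [ "$i" -le "$depth" ]; do
        # Unquoted on purpose so the shell expands the glob. An unmatched
        # pattern is returned literally; the -f test discards it.
        for f in $pattern/$name; do
            [ -f "$f" ] && printf '%s\n' "$f"
        done
        pattern="$pattern/*"   # one directory level deeper per iteration
        i=$((i + 1))
    done
    IFS=$old_ifs
}

# find_shallow ROOT NAME MAXDEPTH
#   Uses a find that understands -maxdepth when one is on the PATH (the
#   Diversion/Entware case in the thread), otherwise falls back to glob_find.
find_shallow() {
    if find / -maxdepth 0 >/dev/null 2>&1; then
        find "$1" -maxdepth "$3" -type f -name "$2"
    else
        glob_find "$1" "$2" "$3"
    fi
}

# Usage mirroring the thread: locate the swap file at most two levels
# below /tmp/mnt (assumed mount root) without descending into backup drives.
if [ -d /tmp/mnt ]; then
    find_shallow /tmp/mnt myswap.swp 2
fi
```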
I agree this is a good point, unfortunately the stripped down version of find included in busybox doesn't support the additional flags;

fwiw this check only happens if the post-mount entry is missing, so in 99% cases this shouldn't be an issue.
Diversion installs find-utils from Entware, so I was lulled into thinking I was running the busybox version. ;)

Thanks!
 
Updated and my startup time dropped from about 60 seconds to 24 seconds. It does look like the hits1 and hits2 variables aren't always initialized in time during the startup.
Code:
Jan 27 14:20:05 Skynet: [#] 95654 IPs (+0) -- 1533 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [57s]
Jan 27 18:59:05 Skynet: [#] 95654 IPs (+0) -- 1533 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [59s]
Jan 28 12:01:31 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [59s]
Jan 28 13:33:08 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [64s]
Jan 28 13:38:19 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) ||  Inbound --  Outbound Connections Blocked! [start] [24s]
Jan 28 13:42:35 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) ||  Inbound --  Outbound Connections Blocked! [start] [23s]
Jan 28 13:51:57 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) ||  Inbound --  Outbound Connections Blocked! [start] [24s]
Jan 28 14:00:16 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) ||  Inbound --  Outbound Connections Blocked! [start] [27s]
Jan 28 14:05:21 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [30s]
Jan 28 14:11:02 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [28s]
Jan 28 14:12:31 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [29s]
Jan 28 14:13:39 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [28s]
 
Updated and my startup time dropped from about 60 seconds to 24 seconds. It does look like the hits1 and hits2 variables aren't always initialized in time during the startup.
Code:
Jan 27 14:20:05 Skynet: [#] 95654 IPs (+0) -- 1533 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [57s]
Jan 27 18:59:05 Skynet: [#] 95654 IPs (+0) -- 1533 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [59s]
Jan 28 12:01:31 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [59s]
Jan 28 13:33:08 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [64s]
Jan 28 13:38:19 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) ||  Inbound --  Outbound Connections Blocked! [start] [24s]
Jan 28 13:42:35 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) ||  Inbound --  Outbound Connections Blocked! [start] [23s]
Jan 28 13:51:57 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) ||  Inbound --  Outbound Connections Blocked! [start] [24s]
Jan 28 14:00:16 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) ||  Inbound --  Outbound Connections Blocked! [start] [27s]
Jan 28 14:05:21 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [30s]
Jan 28 14:11:02 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [28s]
Jan 28 14:12:31 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [29s]
Jan 28 14:13:39 Skynet: [#] 95839 IPs (+0) -- 1563 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [28s]

Mind sending me a copy of your syslog to investigate.
 
Hey guys. I'm new to Skynet. Been trying to manage my rules manually, but decided to give this a try for country blocks since I do have SSH enabled and been seeing a lot of login attempts (I use key auth only).

I'm having a bit of a learning curve here, some questions to help accelerate me:
1) How do you get a list of what is banned short of looking through the ipsets manually? Once I ban anything other than a country, I don't see those listed. Both listings for what is in the predefined lists and what I've manually added.

2) It doesn't appear that you can actually ban a range of IPs, only a subnet? Meaning you have to define in CIDR notation w.x.y.z/24, etc? In IPTABLES I'm able to use "range" to specify an actual range, which is handy when doing an ipwhois to find what block a bad IP belongs in.

3) Where do the blacklists get implemented? I see in the RAW table:

Code:
admin@router-asus:/jffs/scripts# iptables --line -t raw -vnL
Chain PREROUTING (policy ACCEPT 6979 packets, 2786K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst LOG flags 7 level 4 prefix "[BLOC"
2        0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst
3      576 30051 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src LOG flags 7 level 4 prefix "[BLOC"
4      576 30051 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src

Chain OUTPUT (policy ACCEPT 1392 packets, 388K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst LOG flags 7 level 4 prefix "[BLOC"
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst

But where are the rules that use Skynet-Blacklist?
EDIT: Never mind I see that this list is nested inside Skynet-Master ipset.

4) Overall I don't see any good documentation for this, as to how it is actually implemented in terms of what specific methodology it uses to block and log. Short of going through the code to try to figure this all out, can someone point me to a resource?

thanks.
 
1) How do you get a list of what is banned short of looking through the ipsets manually? Once I ban anything other than a country, I don't see those listed. Both listings for what is in the predefined lists and what I've manually added.

Code:
( sh /jffs/scripts/firewall stats search manualbans ) Search For All Manual Bans

2) It doesn't appear that you can actually ban a range of IPs, only a subnet? Meaning you have to define in CIDR notation w.x.y.z/24, etc? In IPTABLES I'm able to use "range" to specify an actual range, which is handy when doing an ipwhois to find what block a bad IP belongs in.

We currently only support CIDR input. You can use something like a CIDR generator if you are unfamiliar.

3) Where do the blacklists get implemented? I see in the RAW table:

Code:
admin@router-asus:/jffs/scripts# iptables --line -t raw -vnL
Chain PREROUTING (policy ACCEPT 6979 packets, 2786K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst LOG flags 7 level 4 prefix "[BLOC"
2        0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst
3      576 30051 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src LOG flags 7 level 4 prefix "[BLOC"
4      576 30051 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src

Chain OUTPUT (policy ACCEPT 1392 packets, 388K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst LOG flags 7 level 4 prefix "[BLOC"
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst
But where are the rules that use Skynet-Blacklist?

Skynet-Master is the "parent" table per se, so it includes both Skynet-Blacklist and Skynet-BlockedRanges and saves on additional unnecessary IPTables rules.

4) Overall I don't see any good documentation for this, as to how it is actually implemented in terms of what specific methodology it uses to block and log. Short of going through the code to try to figure this all out, can someone point me to a resource?

The short version is, IPs/CIDRs are stored in IPSets for efficiency, we then use IPTables rules in the raw table (which you posted above) to first log any matching entries then block them. As for documentation, your best bet is the readme which includes all the example commands to get an idea of what's possible.
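The layout described in this answer (entries in ipsets, Skynet-Master as a parent set wrapping Skynet-Blacklist and Skynet-BlockedRanges, and a LOG rule followed by a DROP rule in the raw table, matching the listing quoted above), written out as an added example with plain ipset/iptables commands; this is not Skynet's own code. The interface names eth0/br0, the set types, the log prefixes and the `DRY_RUN` switch are assumptions.

```shell
#!/bin/sh
# Added example, not Skynet's own code: the blocking layout from the thread
# built from plain ipset/iptables commands. Entries live in ipsets,
# Skynet-Master is a list:set that wraps the two entry sets, and the raw
# table LOGs and then DROPs anything in the master set that is not also
# whitelisted. Assumed: WAN on eth0, LAN bridge br0, set types, prefixes.
# DRY_RUN=1 (the default here) prints the commands instead of running them.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-br0}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_sets() {
    run ipset create Skynet-Whitelist hash:net -exist
    run ipset create Skynet-Blacklist hash:ip -exist
    run ipset create Skynet-BlockedRanges hash:net -exist
    run ipset create Skynet-Master list:set -exist
    # Nesting: one match against Skynet-Master covers both child sets, so
    # each direction needs a single LOG/DROP pair instead of two.
    run ipset add Skynet-Master Skynet-Blacklist -exist
    run ipset add Skynet-Master Skynet-BlockedRanges -exist
}

# log_then_drop CHAIN IFACE_OPT DIR PREFIX
#   IFACE_OPT is "-i eth0" or empty. DIR is src (traffic arriving from the
#   WAN) or dst (LAN clients or the router itself reaching a banned address).
log_then_drop() {
    chain=$1; iface_opt=$2; dir=$3; prefix=$4
    match="-m set ! --match-set Skynet-Whitelist $dir -m set --match-set Skynet-Master $dir"
    # LOG first. "flags 7" in the listing = tcp-sequence, tcp-options and
    # ip-options; "level 4" = warning. Inserted at position 1.
    run iptables -t raw -I "$chain" $iface_opt $match -j LOG \
        --log-prefix "$prefix" --log-level 4 \
        --log-tcp-sequence --log-tcp-options --log-ip-options
    # Then DROP, inserted at position 2 so it sits directly after the LOG.
    run iptables -t raw -I "$chain" 2 $iface_opt $match -j DROP
}

install_rules() {
    create_sets
    # Inbound from the WAN: test the source address.
    log_then_drop PREROUTING "-i $WAN_IF" src "[BLOCKED - INBOUND] "
    # LAN clients talking to banned hosts: test the destination address.
    log_then_drop PREROUTING "-i $LAN_IF" dst "[BLOCKED - OUTBOUND] "
    # The router's own processes (OUTPUT takes no input interface).
    log_then_drop OUTPUT "" dst "[BLOCKED - OUTBOUND] "
}

# Before applying for real: Skynet-Whitelist must hold at least the LAN and
# router addresses, and re-running against a live firewall inserts duplicate
# rules unless each one is checked with `iptables -t raw -C` first.
install_rules
```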
 
The short version is, IPs/CIDRs are stored in IPSets for efficiency, we then use IPTables rules in the raw table (which you posted above) to first log any matching entries then block them. As for documentation, your best bet is the readme which includes all the example commands to get an idea of what's possible.

Thanks, I've been figuring some stuff out as I go. Few more comments/etc from my few minutes just playing with it:
1)
Code:
Unban comment:
[Comment]:
[$] /opt/bin/firewall unban comment
=============================================================================================================
[*] Comment Field Can't Be Empty - Please Try Again
admin@router-asus:/jffs/scripts#

Don't think this error is trapping right... probably shouldn't dump right to the command line?

2) Am I correct that you can't *edit* the bans (at least country) you have to wipe them all and then recreate which ones you want? Same for IP or range bans you would need to manually list them with the command line you gave me before then go back in and remove each one manually? IOW, no way to enumerate them and choose what to edit?
Why remove ALL country bans?

3) WebUI shows enabled by default on firmware that doesn't support it. This is on initial install. If you disable and then try to re-enable you get the message the firmware isn't supported.

4) Minor UI user-friendly issue. Each menu should have "e" at least printed. I went into settings initially and main menu scrolled off screen. I had no idea how to exit this menu. (obviously I figured it out in about 15 seconds, but still from a UI perspective...).

5) Stats Menu: Where are these stats being pulled from? How much of what is listed is just generic vs being pulled from the actual stats on my machine and is the time range for these (if from my machine) since last reboot? skynet restart? all-time?

EDIT: Looks like ".../skynet/skynet.log"? This is persistent across all-time?
Everything skynet blocks will go in here...only things we see in syslog.log should be what got by skynet, yes?

6) Another user-friendly issue. Would be nice if it validated the country code against a list and at least *warned* that no country was listed *OR* specifically stated that no data was downloaded for that country list. A typo or bad memory of what the country code is seems to just give the false impression that a country is loaded when it's not.

7) Any thoughts to integrating the command line options directly into UI? Obviously many of them are there already, but like the stats search command could be put in asking for input. Would prevent having to exit out of main program to search for something. Also, short of this, would you consider putting an up-to-date list of command-line examples (like those listed in post #2 of thread) in the firewall script help...or at least as a README? I could of course just cut and paste them myself from that post into a file in the skynet directory, but if you make any changes it wouldn't stay in sync.

8) Anywhere better explanation of what is in settings menu? For starters I'd like to understand the ramifications of:
- Logging vs Log Invalid packets (i.e. what's an invalid packet in this context)?
- What Ban AiProtect actually does
- What secure mode does? I found https://www.snbforums.com/threads/r...urity-enhancements.16798/page-135#post-408577. So if this is enabled it is blocking my SSH access even though I configured that in my router settings?
- Syslog location. As per my above questions, trying to figure out the relation between the skynet log and syslog?
- Stats Country lookup. Is this just disabled for performance?
- How CDN whitelisting is implemented. I'm curious here why this is an option to enable/disable at this level rather than simply adding CDNs to whitelist?

Thanks again for your efforts!
 
Code:
( sh /jffs/scripts/firewall stats search manualbans ) Search For All Manual Bans

I think you misunderstood on this one. This command would show me all blocked connections from manualbans, right?

I'm looking for just a list of all IPs, ranges, etc that were manually added. I know I can grep out the ipset - is that the only way?
 
I think you misunderstood on this one. This command would show me all blocked connections from manualbans, right?

I'm looking for just a list of all IPs, ranges, etc that were manually added. I know I can grep out the ipset - is that the only way?

No this will show the last x manual bans.
 
Thanks, I've been figuring some stuff out as I go. Few more comments/etc from my few minutes just playing with it:
1)
Code:
Unban comment:
[Comment]:
[$] /opt/bin/firewall unban comment
=============================================================================================================
[*] Comment Field Can't Be Empty - Please Try Again
admin@router-asus:/jffs/scripts#
Don't think this error is trapping right... probably shouldn't dump right to the command line?

You are using the command wrong, as per the readme;

Code:
( sh /jffs/scripts/firewall unban comment "Apples" ) This Unbans Entries With The Comment Apples

2) Am I correct that you can't *edit* the bans (at least country) you have to wipe them all and then recreate which ones you want? Same for IP or range bans you would need to manually list them with the command line you gave me before then go back in and remove each one manually? IOW, no way to enumerate them and choose what to edit?
Why remove ALL country bans?

Country bans are the only ones that are refreshed each time you input them due to the way the feature was implemented prior to Skynet using a config file.

3) WebUI shows enabled by default on firmware that doesn't support it. This is on initial install. If you disable and then try to re-enable you get the message the firmware isn't supported.

That's intentional, due to the feature being released based on an alpha firmware it would have caused more issues in the long run if we didn't have it enabled by default in the settings regardless of the firmware version. Checks within the feature will prevent it from working if it's not compatible.

4) Minor UI user-friendly issue. Each menu should have "e" at least printed. I went into settings initially and main menu scrolled off screen. I had no idea how to exit this menu. (obviously I figured it out in about 15 seconds, but still from a UI perspective...).

To prevent repetitive code (and excessive menu size) we only show this option on the main menu.

5) Stats Menu: Where are these stats being pulled from? How much of what is listed is just generic vs being pulled from the actual stats on my machine and is the time range for these (if from my machine) since last reboot? skynet restart? all-time?

These stats are stored on your USB, we keep 10MB worth of logs which ends up being around a week.

6) Another user-friendly issue. Would be nice if it validated the country code against a list and at least *warned* that no country was listed *OR* specifically stated that no data was downloaded for that country list. A typo or bad memory of what the country code is seems to just give the false impression that a country is loaded when it's not.

Ideally yes, but this would then require maintaining and processing a country code list so the cost-benefit goes out the window. A quick Google search will show you all the country codes.

7) Any thoughts to integrating the command line options directly into UI? Obviously many of them are there already, but like the stats search command could be put in asking for input. Would prevent having to exit out of main program to search for something. Also, short of this, would you consider putting an up-to-date list of command-line examples (like those listed in post #2 of thread) in the firewall script help...or at least as a README? I could of course just cut and paste them myself from that post into a file in the skynet directory, but if you make any changes it wouldn't stay in sync.

Every command line option has a menu equivalent, and whenever you run a menu option it will generate the equivalent command for future reference.

- Logging vs Log Invalid packets (i.e. what's an invalid packet in this context)?

Invalid packet logging logs entries deemed invalid by the router's SPI firewall.

- What Ban AiProtect actually does

This blacklists entries flagged by AiProtect

- What secure mode does? I found https://www.snbforums.com/threads/r...urity-enhancements.16798/page-135#post-408577. So if this is enabled it is blocking my SSH access even though I configured that in my router settings?

This setting prevents users (and malicious parties) from exposing SSH/HTTPS to WAN which is highly insecure, it also checks for and disables backdoor access from a known exploit that targeted Asus routers a few months ago.

- Syslog location. As per my above questions, trying to figure out the relation between the skynet log and syslog?

This is for users who have a non-default syslog location (i.e. Scribe users)

- Stats Country lookup. Is this just disabled for performance?

Not being enabled by default was an oversight I think, but yes this setting will slow down SSH stat generation.

- How CDN whitelisting is implemented. I'm curious here why this is an option to enable/disable at this level rather than simply adding CDNs to whitelist?

If enabled the following will be whitelisted;

Apple AS714 | Akamai AS12222 AS16625 | HighWinds AS33438 AS20446 | Fastly AS54113
 
I see... These are stored in skynet.ipset not the log, so they should persist even past the 10 MB log size?

We actually store these in a separate event log but correct, they are not included in the purge.
 
