Skynet Skynet - Router Firewall & Security Enhancements

[Joshuajackson]

Yeah it was set to "router" then i tried Quad9 just now and it seemed to have fixed that problem no idea why, i put in the quad9 dns in manually in wan

@Joshuajackson the scripts you are using together are not meant to be used together.

I think you may need to do some additional research on what each of these scripts does?

If I'm not mistaken, Unbound and DNSCrypt should not be used together.

Do you know which one is better?

 

[Butterfly Bones]

The last few Skynet updates over the last few days seem to remove the GenStats line from crontab. If I go into Settings and enable stats (even though already enabled it works). Just did it after the update. I now it was there before I ran the update from the Skynet menu, since I tend to check the cron jobs often,

usr_name@RT-AC86U-4608:/tmp/home/root# cru l

0 22 * * * /jffs/scripts/ledsoff.sh #lights_off#
0 7 * * * /jffs/scripts/ledson.sh #lights_on#
3 */6 * * * service restart_httpd #restart_httpd#
*/10 * * * * /jffs/scripts/ntpmerlin generate #ntpMerlin#
5 0 * * * /opt/sbin/logrotate /opt/etc/logrotate.conf >> /opt/tmp/logrotate.daily 2>&1 #logrotate#
*/2 * * * * /etc/openvpn/server1/vpns-watchdog1.sh #CheckVPNServer1#
0 * * * * /jffs/scripts/uiDivStats generate #uiDivStats#
25 3 * * * sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
25 1 * * Mon sh /jffs/scripts/firewall update #Skynet_autoupdate#
0 * * * * sh /jffs/scripts/firewall save #Skynet_save#
00 2 * * Sun sh /opt/share/diversion/file/update-bl.div reset #Diversion_UpdateBL#
20 5 * * * sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
20 17 * * * diversion count_ads count #Diversion_CountAds#
30 1 * * Sun sh /opt/share/diversion/file/stats.div #Diversion_WeeklyStats#

 

[L&LD]

@Joshuajackson, I do!

 

[Joshuajackson]

@Joshuajackson, I do!

Well which is it? Also I reconfigured the dnscrypt and in leak test it shows quad9 dns but also the isp how do I get rid of that because if I use quad9 in dsnfilter isp is gone and only shows quad9

 

[Adamm]

The last few Skynet updates over the last few days seem to remove the GenStats line from crontab. If I go into Settings and enable stats (even though already enabled it works). Just did it after the update. I now it was there before I ran the update from the Skynet menu, since I tend to check the cron jobs often,

usr_name@RT-AC86U-4608:/tmp/home/root# cru l

0 22 * * * /jffs/scripts/ledsoff.sh #lights_off#
0 7 * * * /jffs/scripts/ledson.sh #lights_on#
3 */6 * * * service restart_httpd #restart_httpd#
*/10 * * * * /jffs/scripts/ntpmerlin generate #ntpMerlin#
5 0 * * * /opt/sbin/logrotate /opt/etc/logrotate.conf >> /opt/tmp/logrotate.daily 2>&1 #logrotate#
*/2 * * * * /etc/openvpn/server1/vpns-watchdog1.sh #CheckVPNServer1#
0 * * * * /jffs/scripts/uiDivStats generate #uiDivStats#
25 3 * * * sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
25 1 * * Mon sh /jffs/scripts/firewall update #Skynet_autoupdate#
0 * * * * sh /jffs/scripts/firewall save #Skynet_save#
00 2 * * Sun sh /opt/share/diversion/file/update-bl.div reset #Diversion_UpdateBL#
20 5 * * * sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
20 17 * * * diversion count_ads count #Diversion_CountAds#
30 1 * * Sun sh /opt/share/diversion/file/stats.div #Diversion_WeeklyStats#

Can't reproduce this on my end nor has anything in that regard changed. The cron is created during the Install_WebUI_Page() function. If you restart Skynet does the cron appear (after a minute or two ofcoarse)?

 

[L&LD]

@Joshuajackson, it depends on what you want your router to do.

I want mine to be faster as well as having 'me' to be my own authoritative caching resolver too.

Ding! Ding! Ding! Unbound is the winner!

 

[Joshuajackson]

@Joshuajackson, it depends on what you want your router to do.

I want mine to be faster as well as having 'me' to be my own authoritative caching resolver too.

Ding! Ding! Ding! Unbound is the winner!

Got it to work, found out that in DHCP I forgot to add a DNS now I put quad9 and boom no more isp in dnsleak test

 

[L&LD]

@Joshuajackson, you're doing it wrong.

Don't mangle the testing to get the results you want or need.

Set it up properly to work as it should (by design).

I need to go to another site right now, but I hope others can point you in a good direction. In the meanwhile, go read up on the scripts you're trying to use together.

 

[kernol]

That is why I mentioned it logic prevails that since diversion places the line there, that maybe skynet should not erase that line for the reason that the script may need that line if skynet gets uninstalled then diversion will not have line to cover unmounting of the swap file it made tbh it wouldn't have hurt for you to left that line alone and still add your arbitrary swap off line to the bottom of unmount anyways as a failsafe.

In defence of @Adamm, his "aribtrary" line works "on time every time " and I am really happy that once again I can safely eject USB drive before router power goes off due to regular "blackouts" or "load shedding" that we endure all too frequently down her in South Africa.

My APC UPS set to send "unmount" command to router on power loss - leaving RT-AC86U live until power dies. Don't have enough batteries to last the 2 hours plus of the blackouts we have - and without successful unmount run high risk of data corruption on USB.

{Thumbs-UP} @Adamm .

 

[Butterfly Bones]

Can't reproduce this on my end nor has anything in that regard changed. The cron is created during the Install_WebUI_Page() function. If you restart Skynet does the cron appear (after a minute or two ofcoarse)?

Yes, a restart gets the GenStats line added. I noticed this in the last few days, since I check the Skynet banmalware times to not conflict with other events like Diversion Log Rotation at 0520. Malware updates get long (70 - 100+ seconds) and remove 10s of thousands of bans when that happens with the random Skynet times. I've found for me the updates are best around 0100 - 0400 for me, so use "crontab -e" to change when needed.

 

[Ronald Schwerer]

Speaking of unmounting swap, I was wondering if I should now disable my daily disk scan (USB/Health Scanner)? Besides swap, I've got entware, nsru, and skynet installed on it.
I got thinking about that since I got a corrupted bad block inode last night in one partition.

 

[Adamm]

Yea I never had issues with diversion unmounting swap either, I suppose if I uninstall skynet, thanks to the arbitrary addition, now I will. {Thumbs-up} @Adamm score 10 points and minus 10 points @thelonelycoder .

Minus 100 points @theuser

Please if you are going to make a hostile comment at-least be factual.

For starters when uninstalling Skynet that code will not be touched unless you specifically choose to also uninstall the swap file.

How do I know this? Because I wrote the majority of the swap functions (among others) used by most major scripts on this forum.

Secondly Skynet and Diversion both adhere to guidelines when interacting with “community” files and each other. So I can guarantee this change will work with any and all scripts which also follow these guidelines/code etiquette.

 

[Adamm]

Speaking of unmounting swap, I was wondering if I should now disable my daily disk scan (USB/Health Scanner)? Besides swap, I've got entware, nsru, and skynet installed on it.
I got thinking about that since I got a corrupted bad block inode last night in on partition.

You are probably better off using the disk-check feature built into amtm which works during mount iirc.

 

[SomeWhereOverTheRainBow]

Please if you are going to make a hostile comment at-least be factual.

For starters when uninstalling Skynet that code will not be touched unless you specifically choose to also uninstall the swap file.

How do I know this? Because I wrote the majority of the swap functions (among others) used by most major scripts on this forum.

Secondly Skynet and Diversion both adhere to guidelines when interacting with “community” files and each other. So I can guarantee this change will work with any and all scripts which also follow these guidelines/code etiquette.

I did not mean to make a hostile assertion, I am simply wondering if I uninstall skynet will the unmount still cover unmounting the swap because this is important to know.

Thank you for letting us know.

 

[SomeWhereOverTheRainBow]

Please if you are going to make a hostile comment at-least be factual.

For starters when uninstalling Skynet that code will not be touched unless you specifically choose to also uninstall the swap file.

How do I know this? Because I wrote the majority of the swap functions (among others) used by most major scripts on this forum.

Secondly Skynet and Diversion both adhere to guidelines when interacting with “community” files and each other. So I can guarantee this change will work with any and all scripts which also follow these guidelines/code etiquette.

@Adamm

Thank you for making another very stable release, previous one ran for weeks with no problems. This one also looks very promising. Thank you for all your efforts to make the Asuswrt-Merlin experience more secure.

 

[Raphie]

Agreed, excellent work Adamm.

 

[Ubimo]

@Adamm
Since now a swap file of 1GB is recommended, would you please adjust your OP (first post)?
There you state, that an USB drive of 500MB is required. ;-)

 

[Dabombber]

I can't think of any situation where some would or should have two swap files. Secondly code is called when unmounting USB's so you would definitely want to make sure the swap file is unmounted.

The problem I see is unmounting a second USB drive while the first has the swap file. It'd be better to go through the swap files and remove any from the unmounted drive, something like

tail -n+2 /proc/swaps | while read -r FILENAME _; do
    case "$FILENAME" in
        "$1/"*) swapoff "$FILENAME";;
    esac
done

 

[DocUmibozu]

Hello,
just a question: why this increase in swapfile size? I have a swapfile of 256mb on an ac66u mk 2 with diversion, skynet, unbound, scribe and uiscribe. Well the main memory is at 85% usage and swapfile at 10%. It never grows more than 15%. 1gb seems a little overkill to me, but I may be' wrong.
So the answer: why this increase?

 

[Ubimo]

Hello,
just a question: why this increase in swapfile size? I have a swapfile of 256mb on an ac66u mk 2 with diversion, skynet, unbound, scribe and uiscribe. Well the main memory is at 85% usage and swapfile at 10%. It never grows more than 15%. 1gb seems a little overkill to me, but I may be' wrong.
So the answer: why this increase?

Read here: https://www.snbforums.com/threads/r...urity-enhancements.16798/page-308#post-551732