Skynet - Router Firewall & Security Enhancements

Then finally we don't hog the syslog with our noisy output.
Heh, well that's debatable, since 99.9% of the entries in the remaining syslog seem to be from skynet...but I get your point.

The syslog binary included in busybox is significantly stripped down, so we have to purge the data manually rather than initially direct these select entries to their own file.

Gotcha...so it looks like scribe or a manual configuration of syslog-ng is the way to go to remedy this.

Thanks for the info.
 
I have only used Skynet for a few days so still kinda new to it. When I updated today to v7.1.2 (05/03/2020) I noticed that the number of IPs is 120390, but yesterday when I looked it was over 150000, so like 30000 less today. Have tried to update/reset the lists but no change. Is this correct?!

Update: When running the update now again the number of IPs is now 155201, so all back to normal. Maybe some lists were down/offline?! :)
 
Is anyone else having issues accessing websites that use a service called Incapsula? Is this a false positive? Has anyone heard of this service before?

I hate to perform a bump, but....:oops:

I was hoping to find out if anyone else has had this problem before and whether it's safe to allow this incapdns.net domain, and whether it's by design that it's now being blocked by skynet when it wasn't being blocked before?
 

Hard to say exactly as I don't maintain the lists, they are constantly changing with entries being added/removed so it could have just been a particular list being cleaned out and others picking up the slack. You would have to check historical data on all the individual lists to be certain.
 

Sorry, I should have made it clearer :oops: incapdns.net is just the end of the domain. The full domain names being blocked start with random letters. For example, when trying to access the website for my Network Operator www.giffgaff.com, Skynet is blocking an IP address associated with the domain iongx.x.incapdns.net which breaks the website.

But it isn't just this one. Other websites using this Incapsula service, that have different letter prefixes, are also being blocked by Skynet. Skynet appears to be blocking all IPs associated with an incapdns.net domain.
https://downforeveryoneorjustme.com/iongx.x.incapdns.net reports being up.
 
Run:
Code:
firewall stats search ip 199.83.134.170
firewall stats search ip 199.83.135.170
 

Thanks for your reply :)

So having run that command, it shows that neither of those IPs are in Skynet's block lists, so it's not an Incapsula-wide block as I suspected. However, the IP associated with the blocked domain iongx.x.incapdns.net is showing the following:
So it is in the blocked ranges. What does this mean exactly?
 
Try running this to see if a comment explains why:
Code:
ipset -L Skynet-BlockedRanges | grep ^149
It’s not blocked in my Skynet files.
 
Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Logging
Code:
sh /jffs/scripts/firewall settings logmode enable
2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch
Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;
Code:
DST=175.115.37.52
4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault. If it's related to a domain, additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/
5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52
 
I lost VPN connection overnight. This morning attempting to reconnect, simply sliding the button from "Off" to "On" in the VPN client page. No connection, just the message "Connecting..." Checked Skynet log:
Code:
Mar  7 04:33:52 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=71.93.5x.5y DST=209.58.135.74 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=30095 DF PROTO=UDP SPT=38815 DPT=1194 LEN=22
Mar  7 04:33:54 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=71.93.5x.5y DST=209.58.135.74 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=30204 DF PROTO=UDP SPT=38815 DPT=1194 LEN=22
Mar  7 04:33:58 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=71.93.5x.5y DST=209.58.135.74 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=30517 DF PROTO=UDP SPT=38815 DPT=1194 LEN=22
Mar  7 04:34:06 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=71.93.5x.5y DST=209.58.135.74 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=31151 DF PROTO=UDP SPT=38815 DPT=1194 LEN=22
That 71.93.5x.5y is my AC86U IP provided by Spectrum.

I then ran
Code:
sh /jffs/scripts/firewall stats search malware 71.93.5x.5y

Code:
=============================================================================================================
Logging Data Detected in /tmp/mnt/SNB/skynet/skynet.log - 4.9M
Monitoring From Mar 4 21:00:05 To Mar 7 05:06:01
17891 Block Events Detected
3073 Unique IPs
5 Manual Bans Issued
  
=============================================================================================================
Exact Matches;
--------------       | ---------                              
| IP Address |       | | List |                              
--------------       | ---------                              
  
Possible CIDR Matches;
--------------       | ---------                              
| IP Address |       | | List |                              
--------------       | ---------                              
  
=============================================================================================================
[#] 149777 IPs (+0) -- 1918 Ranges Banned (+0) || 10485 Inbound -- 5 Outbound Connections Blocked! [stats] [7s]
Nothing there for the outgoing block.
Here are my settings.
Code:
Router Model; RT-AC86U
Skynet Version; v7.1.2 (05/03/2020) (d5420340114682601bacd04f5a44cf34)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
IP Address; (71.93.53.51)
FW Version; 384.16_alpha1-gb21df088d2 (Mar 4 2020) (4.1.27)
Install Dir; /tmp/mnt/SNB/skynet (11.1G / 14.0G Space Available)
SWAP File; /tmp/mnt/SNB/myswap.swp (2.0G)
Code:
149777 IPs (+0) -- 1918 Ranges Banned (+0) || 10390 Inbound -- 5 Outbound Connections Blocked!
Code:
Select Setting To Toggle:
[1]  --> Skynet Auto-Updates        | [Enabled]                  
[2]  --> Malware List Auto-Updates  | [daily]                    
[3]  --> Logging                    | [Enabled]                  
[4]  --> Filter Traffic             | [all]                      
[5]  --> Unban PrivateIP            | [Enabled]                  
[6]  --> Log Invalid Packets        | [Enabled]                  
[7]  --> Ban AiProtect              | [Enabled]                  
[8]  --> Secure Mode                | [Enabled]                  
[9]  --> Fast Switch List           | [Disabled]                  
[10] --> Syslog Location            | [Custom]                    
[11] --> IOT Blocking               | [Disabled]                  
[12] --> Stats Country Lookup       | [Enabled]                  
[13] --> CDN Whitelisting           | [Enabled]                  
[14] --> Display WebUI              | [Disabled]
 
@Butterfly Bones
You should be looking up the DST IP for outbound blocks:

Code:
209.58.135.74 is NOT in set Skynet-Whitelist.
209.58.135.74 is in set Skynet-Blacklist.
209.58.135.74 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
"BanMalware: firehol_level2.netset"

Sent from my SM-G950F using Tapatalk
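As an added example (not Skynet's own code and not posted by anyone in this thread), the POSIX shell script below automates steps 2 to 4 of the "Halp - BestApp.exe ... Is Being Blocked" how-to above and the point made in the last reply: for an outbound block the remote peer is the DST address, for an inbound block it is the SRC address. It ranks the remote peers in [BLOCKED - OUTBOUND] / [BLOCKED - INBOUND] lines by how often they appear, then tests the most frequent one against the Skynet-Whitelist, Skynet-Blacklist and Skynet-BlockedRanges ipsets named in this thread. The embedded log lines are constructed samples in Skynet's log format; the function names rank_blocked_peers, top_blocked_peer and check_ipsets are my own, and the ipset membership check only runs where the ipset binary exists (i.e. on the router).

```shell
#!/bin/sh
# Added example, not part of Skynet: rank remote peers in Skynet block log lines
# and test the top one against the Skynet ipsets.

# Constructed sample log lines in Skynet's format (not captured from a real router).
SAMPLE_LOG='Mar  7 04:33:52 RT-AC86U kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.1.10 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51000 DPT=443
Mar  7 04:33:53 RT-AC86U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.1 LEN=40 PROTO=TCP SPT=4444 DPT=22
Mar  7 04:33:54 RT-AC86U kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.1.10 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51001 DPT=443
Mar  7 04:33:55 RT-AC86U kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.1.11 DST=198.51.100.7 LEN=60 PROTO=UDP SPT=38815 DPT=1194
Mar  7 04:33:56 RT-AC86U kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.1.10 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51002 DPT=443'

# Read log lines on stdin and print "count ip" for every remote peer of the
# given direction, most frequent first. For OUTBOUND blocks the remote peer is
# DST (the LAN host is SRC); for INBOUND blocks the remote peer is SRC.
rank_blocked_peers() {
    direction="${1:-OUTBOUND}"
    case "$direction" in
        OUTBOUND) field=DST ;;
        INBOUND)  field=SRC ;;
        *) echo "usage: rank_blocked_peers OUTBOUND|INBOUND" >&2; return 1 ;;
    esac
    grep "\[BLOCKED - ${direction}\]" \
        | sed -n "s/.*${field}=\([0-9.]*\).*/\1/p" \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Only the single most frequent remote peer: the IP step 3 tells you to copy.
top_blocked_peer() {
    rank_blocked_peers "$1" | head -n 1 | awk '{print $2}'
}

# Membership check against the three Skynet ipsets named in this thread.
# Returns 2 (and prints nothing else) when ipset is not installed, so the
# script can still be run off the router.
check_ipsets() {
    ip="$1"
    command -v ipset >/dev/null 2>&1 || { echo "ipset not available here" >&2; return 2; }
    for set in Skynet-Whitelist Skynet-Blacklist Skynet-BlockedRanges; do
        if ipset test "$set" "$ip" 2>/dev/null; then
            echo "$ip is in set $set"
        else
            echo "$ip is NOT in set $set"
        fi
    done
}

# Stand-alone demo on the constructed lines. On the router, feed the real log
# instead, e.g.: grep BLOCKED /tmp/mnt/SNB/skynet/skynet.log | rank_blocked_peers OUTBOUND
main() {
    echo "Outbound remote peers by block count:"
    printf '%s\n' "$SAMPLE_LOG" | rank_blocked_peers OUTBOUND
    echo "Inbound remote peers by block count:"
    printf '%s\n' "$SAMPLE_LOG" | rank_blocked_peers INBOUND
    top="$(printf '%s\n' "$SAMPLE_LOG" | top_blocked_peer OUTBOUND)"
    echo "Candidate to review (step 4) before any whitelist decision: $top"
    check_ipsets "$top" || true
}

main "$@"
```

The ranking deliberately keys on the remote peer rather than on whatever address appears first, which is exactly the mix-up in the VPN post above: the LAN host shows up as SRC on every outbound line, so counting SRC would never identify the blocked server. Whether the top peer belongs on the whitelist is still step 4's decision; the script only narrows the candidates and shows which set produced the block.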
Thanks! I got turned around on what to look for, dang. Been doing that too much lately (I know why, OT here).

I just switched servers, I'm halfway between two major California cities / server locations.
 
Having an issue with Skynet. It is not looking up the country that the blocked attempt came from anymore. Checked the Skynet settings and this function is enabled. Have flipped it on and off a couple of times.

Have removed and reinstalled Skynet multiple times and sometimes the country resolve works for awhile then stops. Have also reset the data.

Skynet seems to be working fine otherwise and blocking known problem IPs as well as the seventeen countries I told it to ban.

Skynet was running perfectly until I installed uiDivStats. So I removed uiDivStats, Diversion and Skynet. Reinstalled Diversion and Skynet and still the same issue. Running Diversion standard with the standard+ list.

Any suggestions on where to look for a solution?

Thanks.
 
Make sure Diversion logging is enabled. Then try running this curl from ssh as a test of how Skynet does it:
Code:
curl -fsL --retry 3 --connect-timeout 3 "https://ipapi.co/104.26.9.66/country/"
 
Logging was on. Switched it off then back on again.

Ran the command several times and no response. After just a few seconds comes back to command line.


Code:
ASUSWRT-Merlin RT-AC86U 384.15_0 Sat Feb 8 18:41:28 UTC 2020
TheMan@RT-AC1900P-C3F0:/tmp/home/root# curl -fsL --retry 3 --connect-timeout 3 "https://ipapi.co/104.26.9.66/country/"
TheMan@RT-AC1900P-C3F0:/tmp/home/root#
 
Try with verbose output. Is your clock set?
Code:
curl -vfL --retry 3 --connect-timeout 3 "https://ipapi.co/104.26.9.66/country/"
 
I noticed that country lookup was failing in a Skynet stats report. Apparently the site is too popular.
Code:
> GET /104.26.9.66/country/ HTTP/1.1
> Host: ipapi.co
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* The requested URL returned error: 429 Too Many Requests
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (22) The requested URL returned error: 429 Too Many Requests
Warning: Transient problem: HTTP error Will retry in 1 seconds. 3 retries
Warning: left.
 
After the last update the locked process takes much longer. I have to wait up to 10 minutes before the file is released again. I don't know if it has to do with Skynet or any of Jack Yaz's script updates. I installed all available script updates this morning and noticed afterwards that Skynet would take forever to release the lock file. Then I noticed these lines in the system log:
Code:
Mar 8 09:47:39 rc_service: httpds 1183:notify_rc start_SkynetStats
Mar 8 09:47:39 custom_script: Running /jffs/scripts/service-event (args: start SkynetStats)
Mar 8 09:49:39 rc: received unrecognized event: SkynetStats

Anyone else seeing this?
 
These would be the expected log messages when someone presses the button in the Skynet webui. The last message will be removed in the next Merlin release.
 
