Skynet - Router Firewall & Security Enhancements

Hi,

I'm new to Skynet. I'm looking at my charts. How do I know which computer/device is trying to connect to an IP that was blocked? Is there a way to find that out?

As per the readme;

Code:
( firewall stats search ip 8.8.8.8 ) Search Logs For Entries On 8.8.8.8
 
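To answer the "which device" part of the question above, the blocked-connection log can be grouped by LAN source address. This is an added example, not part of the thread or of Skynet itself; it assumes log lines in the kernel netfilter LOG layout with a `[BLOCKED - OUTBOUND]` prefix, and the sample lines and 192.168.1.x addresses are constructed.

```shell
#!/bin/sh
# Constructed sample lines (assumed layout: syslog header, Skynet-style prefix,
# then netfilter KEY=VALUE fields). Not copied from a real skynet.log.
sample_log() {
cat <<'EOF'
Jul 18 02:00:24 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=4431 DPT=23
Jul 18 02:01:10 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=185.34.106.33 LEN=60 PROTO=UDP SPT=3074 DPT=3074
Jul 18 02:01:12 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=185.34.106.33 LEN=60 PROTO=UDP SPT=3074 DPT=3074
Jul 18 02:03:41 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.77 DST=185.34.106.3 LEN=52 PROTO=TCP SPT=50112 DPT=443
Jul 18 02:04:02 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=185.34.106.33 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=3074 DPT=51000
Jul 18 02:05:30 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.23 DST=185.34.106.33 LEN=52 PROTO=TCP SPT=50200 DPT=443
EOF
}

# blocked_clients IP   (log on stdin)
# Prints "COUNT SRC PROTO/DPT" for each LAN client whose outbound traffic to IP
# was blocked, busiest first. Fields are compared exactly, so searching for
# 185.34.106.3 does not also match 185.34.106.33 the way a plain grep would.
blocked_clients() {
    awk -v ip="$1" '
    /\[BLOCKED - OUTBOUND\]/ {
        src = dst = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        # Only outbound lines whose destination is exactly the searched IP count.
        if (dst == ip && src != "") hits[src " " proto "/" dpt]++
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}

sample_log | blocked_clients 185.34.106.33
```

On a router the function would read the real log on stdin instead of `sample_log`; the SRC address it reports can then be matched to a device in the router's client list.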
Just installed Skynet and wow, now I feel a whole lot safer. I don't even think AiProtection was stopping this stuff from trying to come in.
 
You are safer, but to be fair, the regular router firewall would have been blocking these incoming connections anyway, assuming you have no ports open on your router. AiProtection would never have the chance to see these connections. Skynet is great because it blocks known bad guys before they can even reach any open ports or the normal firewall. Skynet is an eye-opener to see how many bad guys are knocking on your door every day (or minute?).
 
For some reason I was not able to connect to CoD Warzone for the last 2 days... Haven't played for over a week or so. My first thought was to look if there was any issue reported but nothing wrong so I knew the problem was on my end. I disabled Skynet and I was able to connect.

Looking at the log I see my computer trying to reach 185.34.106.33:3074 so I whitelist this IP and now everything is fine. It's the first time I have to whitelist an address. Why is this IP blocked by default now? It wasn't a few days ago so I'm wondering why suddenly it's blocked.
 
I'd like to remind users I don't maintain any of the example lists provided; these are merely there to guide users on compiling filter lists to suit their own needs. Personally I use these example lists and rarely run into false positives.

Unfortunately, due to the nature of shared hosting, it only takes one bad domain to get an IP blacklisted for web-servers that potentially host thousands of websites using the same address. This is a fundamental issue entirely outside Skynet's control; we provide IP banning functionality, not content.



Now with that being said, if users believe the quality of a list has dropped for a significant amount of time (with examples!), we can discuss removal of said list from the examples provided.


fwiw; I don't currently see that address on any of the example lists

Code:
skynet@RT-AX88U-DC28:/tmp/home/root# firewall stats search malware 185.34.106.33
#############################################################################################################
#                                                                                                           #
#                  ███████╗██╗  ██╗██╗   ██╗███╗   ██╗███████╗████████╗    ██╗   ██╗███████╗                #
#                  ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗  ██║██╔════╝╚══██╔══╝    ██║   ██║╚════██║                #
#                  ███████╗█████╔╝  ╚████╔╝ ██╔██╗ ██║█████╗     ██║       ██║   ██║    ██╔╝                #
#                  ╚════██║██╔═██╗   ╚██╔╝  ██║╚██╗██║██╔══╝     ██║       ╚██╗ ██╔╝   ██╔╝                 #
#                  ███████║██║  ██╗   ██║   ██║ ╚████║███████╗   ██║        ╚████╔╝    ██║                  #
#                  ╚══════╝╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═══╝╚══════╝   ╚═╝         ╚═══╝     ╚═╝                  #
#                                                                                                           #
#                                 Router Firewall And Security Enhancements                                 #
#                             By Adamm -  https://github.com/Adamm00/IPSet_ASUS                             #
#                                            16/07/2020 - v7.2.0                                            #
#############################################################################################################


=============================================================================================================


[i] Logging Data Detected in /tmp/mnt/USB/skynet/skynet.log - 900.0K
[i] Monitoring From Jul 18 02:00:24 To Jul 18 16:59:53
[i] 3856 Block Events Detected
[i] 1171 Unique IPs
[i] 0 Manual Bans Issued

Associated Domain(s);
mw-lobby-1.prod.demonware.net



=============================================================================================================


Exact Matches;


--------------       | ---------
| IP Address |       | | List |
--------------       | ---------



Possible CIDR Matches;


--------------       | ---------
| IP Address |       | | List |
--------------       | ---------



=============================================================================================================


[#] 331497 IPs (+0) -- 1594 Ranges Banned (+0) || 3856 Inbound -- 0 Outbound Connections Blocked! [stats] [14s]
 
On my side...
Code:
#############################################################################################################
#                                                                                                           #
#                  ███████╗██╗  ██╗██╗   ██╗███╗   ██╗███████╗████████╗    ██╗   ██╗███████╗                #
#                  ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗  ██║██╔════╝╚══██╔══╝    ██║   ██║╚════██║                #
#                  ███████╗█████╔╝  ╚████╔╝ ██╔██╗ ██║█████╗     ██║       ██║   ██║    ██╔╝                #
#                  ╚════██║██╔═██╗   ╚██╔╝  ██║╚██╗██║██╔══╝     ██║       ╚██╗ ██╔╝   ██╔╝                 #
#                  ███████║██║  ██╗   ██║   ██║ ╚████║███████╗   ██║        ╚████╔╝    ██║                  #
#                  ╚══════╝╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═══╝╚══════╝   ╚═╝         ╚═══╝     ╚═╝                  #
#                                                                                                           #
#                                 Router Firewall And Security Enhancements                                 #
#                             By Adamm -  https://github.com/Adamm00/IPSet_ASUS                             #
#                                            16/07/2020 - v7.2.0                                            #
#############################################################################################################


=============================================================================================================


[i] Logging Data Detected in /tmp/mnt/sda1/skynet/skynet.log - 7.7M
[i] Monitoring From Jul 14 10:00:08 To Jul 18 09:38:39
[i] 30551 Block Events Detected
[i] 3722 Unique IPs
[i] 0 Manual Bans Issued


=============================================================================================================


Exact Matches;


--------------       | ---------
| IP Address |       | | List |
--------------       | ---------

185.34.106.33        | https://iplists.firehol.org/files/firehol_level3.netset


Possible CIDR Matches;


--------------       | ---------
| IP Address |       | | List |
--------------       | ---------



=============================================================================================================


[#] 355381 IPs (+0) -- 1631 Ranges Banned (+0) || 6139 Inbound -- 52 Outbound Connections Blocked! [stats] [8s]
Why does yours show
Associated Domain(s);
mw-lobby-1.prod.demonware.net ?
 
Do you have automatic malware list updating set to daily? This would explain why this entry still exists on your list and not the most recent version.

Also the associated domain info only shows if you have dnsmasq logging enabled (Diversion does this if you have it installed)
 
Ah this means that specific IP was added then removed and my problem would have been solved in a week or so after next update.

I had weekly, I wanted to minimize the load on the router as I don't remember how much time it takes to parse and update. It's done in the night, right?

Thanks for the help.
 
Can anyone tell me what IOT blocking is? A search didn't turn up anything for IOT.
 
It sure does. I guess that is so rudimentary that no one should have to look it up, but it didn't register for me.
Now if I can figure out how to block it....
thanks,
jts
edit: that was one time I should have searched outside the forum.
 
How does Skynet's IoT blocking work? Blocks certain ports? How does it identify IoT traffic?
 
Just noticed I have zero outbound blocks, it is enabled. How unusual is that?
 
That's a good thing, and shows you it's doing its job. Nothing is trying to connect to a bogey.
That's what you want to see.
 