Skynet: Since installing Diversion and Skynet my log is full of [Blocked] entries, extremely many of them. False or positive? Kind of scares me.

Citius (Guest)
RT-AX86U with Merlin's 386.1. My log is blowing up, and in the web GUI, if I press the links to AlienVault, they don't have much info. I'm not sure how to interpret this. Am I being hammered with that many attacks constantly? I have X'ed out my public IP, that's all; the rest is as my log says.
Could there be a device on my LAN that has been hacked and is causing this? All I can see is my router's IP as destination, so I don't know much.
I have only been running for about 2 or 3 days since Skynet was reset. Here are some links from AlienVault.
https://otx.alienvault.com/indicator/ip/45.155.205.76
https://otx.alienvault.com/indicator/ip/45.155.205.160
https://otx.alienvault.com/indicator/ip/192.241.220.36
https://otx.alienvault.com/indicator/ip/45.155.205.158
Before this it was the same, except that then AlienVault actually had many "threat findings" (see the pic with only SRC). I had outgoing threats from my Linux laptop as well then. Is there some way for me to investigate further? Is there some Entware script or app that can help me understand these logs?
A while ago, with a crappy F-Secure Sense router, my Philips Hue bridge was hacked, and my daughter's Lenovo Tab 10 too. After this I restored them. On her Tab I ran Lenovo's restore utility program; it got totally wiped. On the Hue bridge I removed the link to the bridge, changed the password on the Hue web site and reset the bridge. I reset all my devices from Google, and reinstalled my laptop with the manufacturer's restore utility USB key.

Feb 5 02:48:06 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.129 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=65304 PROTO=TCP SPT=43407 DPT=8719 SEQ=2089133987 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:48:07 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.145.64.191 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=40042 DPT=22222 SEQ=4239634889 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:48:07 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.145.64.191 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=54321 PROTO=TCP SPT=40044 DPT=22222 SEQ=4239634889 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:48:07 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.145.64.191 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=54321 PROTO=TCP SPT=40043 DPT=22222 SEQ=4239634889 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:48:09 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.146.165.148 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=30575 PROTO=TCP SPT=42179 DPT=11126 SEQ=4031588013 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:48:11 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=194.147.140.70 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=56429 PROTO=TCP SPT=48241 DPT=9661 SEQ=354976612 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:48:22 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.157 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=47450 PROTO=TCP SPT=43479 DPT=34907 SEQ=1882344373 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:48:26 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.76 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=65240 PROTO=TCP SPT=43601 DPT=60930 SEQ=1027304046 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:48:31 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=194.147.140.103 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=41351 PROTO=TCP SPT=45542 DPT=4755 SEQ=2553006496 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:48:37 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.131 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=13390 PROTO=TCP SPT=43419 DPT=21514 SEQ=980556528 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:48:42 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.130 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=44349 PROTO=TCP SPT=43431 DPT=15435 SEQ=1664805826 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:48:42 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=192.241.246.167 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=23673 PROTO=TCP SPT=50212 DPT=26811 SEQ=2369736310 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:48:55 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.159 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=63044 PROTO=TCP SPT=43526 DPT=47754 SEQ=3791599226 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:49:05 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.76 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=53668 PROTO=TCP SPT=43601 DPT=60668 SEQ=962349036 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:49:07 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.157 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=9104 PROTO=TCP SPT=43479 DPT=34951 SEQ=1871565219 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:49:34 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.129 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=6738 PROTO=TCP SPT=43407 DPT=8833 SEQ=1063010919 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:49:35 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.157 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=2757 PROTO=TCP SPT=43479 DPT=34932 SEQ=2072901637 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:49:35 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.156 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=25623 PROTO=TCP SPT=43428 DPT=28384 SEQ=608464963 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:49:40 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.162 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=61170 PROTO=TCP SPT=42498 DPT=13223 SEQ=107128801 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:49:44 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.158 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=44599 PROTO=TCP SPT=43384 DPT=41466 SEQ=2383377785 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:49:52 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.159 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=63944 PROTO=TCP SPT=43526 DPT=47627 SEQ=788806007 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:50:00 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.156 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=45896 PROTO=TCP SPT=43428 DPT=28212 SEQ=468953032 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:50:15 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=159.89.133.144 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=63068 PROTO=TCP SPT=46081 DPT=166 SEQ=347966542 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:50:16 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.158 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=45668 PROTO=TCP SPT=43384 DPT=41331 SEQ=2024434083 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:50:18 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=45.155.205.130 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=13396 PROTO=TCP SPT=43431 DPT=15089 SEQ=4133712913 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:50:24 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=195.54.160.155 DST=XX.XX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=59565 PROTO=TCP SPT=49949 DPT=8813 SEQ=3321081972 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Feb 5 02:50:40 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=74.120.14.93 DST=XX.XX.XXX.XXX LEN=44 TOS=0x00 PREC=0x00 TTL=43 ID=15837 PROTO=TCP SPT=14875 DPT=16013 SEQ=2166850398 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4) MARK=0x8000000
Feb 5 02:50:47 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=3c:7c:3f:6b:a3:08:00:11:bb:b1:a4:80:08:00 SRC=74.120.14.28 DST=XX.XX.XXX.XXX LEN=44 TOS=0x00 PREC=0x00 TTL=43 ID=31660 PROTO=TCP SPT=37232 DPT=49502 SEQ=3198723612 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4) MARK=0x8000000
 
Sorry for the bad format in my post. I tried to fit as much as I could within the 1000-character limit.

I deleted a whole lot of information to try to shorten it down.

The thing is that the firewall is constantly getting hammered. It's always like this.
I will attach a pic in this post just to show.
 
Very normal for inbound blocks. But if you do not have any ports or services open on the WAN side of your router, the built-in firewall would have blocked these anyway. So I disable inbound blocking. If I ran an OpenVPN server or did port forwarding, I would leave inbound blocking enabled.
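Citius asked above for a script that helps make sense of these entries, and the reply just given turns on one question: was the blocked SYN aimed at a port that is actually exposed on the WAN? The following is an added example, not code from the thread or from Skynet itself. It condenses the [BLOCKED - INBOUND] syslog lines into a per-source summary and filters for hits on exposed ports; the sample lines are constructed (shortened copies of the ones posted above) and the router syslog path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from Skynet itself: condense the
# "[BLOCKED - INBOUND]" syslog lines Skynet writes into a per-source summary, and
# check whether any blocked SYN was aimed at a port the router actually listens on.
# The sample lines are constructed (shortened copies of the ones posted above);
# on the router you would feed the real syslog instead (path assumed: /tmp/syslog.log).

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Feb 5 02:48:06 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=45.155.205.129 DST=XX.XX.XXX.XXX PROTO=TCP SPT=43407 DPT=8719 SYN
Feb 5 02:48:07 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=45.145.64.191 DST=XX.XX.XXX.XXX PROTO=TCP SPT=40042 DPT=22222 SYN
Feb 5 02:48:07 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=45.145.64.191 DST=XX.XX.XXX.XXX PROTO=TCP SPT=40044 DPT=22222 SYN
Feb 5 02:49:34 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=45.155.205.129 DST=XX.XX.XXX.XXX PROTO=TCP SPT=43407 DPT=8833 SYN
Feb 5 02:49:40 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=45.155.205.129 DST=XX.XX.XXX.XXX PROTO=TCP SPT=43407 DPT=8719 SYN
Feb 5 02:50:15 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=159.89.133.144 DST=XX.XX.XXX.XXX PROTO=TCP SPT=46081 DPT=166 SYN
Feb 5 02:50:20 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 PROTO=TCP SPT=51000 DPT=443 SYN
EOF

# inbound_by_src FILE: one line per source, "hits src distinct_dst_ports",
# most active source first. Outbound blocks are ignored here on purpose.
inbound_by_src() {
  grep 'BLOCKED - INBOUND' "$1" | awk '
    { src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "") next
      hits[src]++
      if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in hits) printf "%d %s %d\n", hits[s], s, ports[s] }' | sort -rn
}

# inbound_on_open_ports FILE "PORT PORT ...": print only the blocked inbound lines
# whose DPT is a port you actually expose on the WAN (forwarded, VPN, ssh, ...).
# With no exposed ports this prints nothing, which is the point made in the reply
# above: the remaining entries would have been dropped by the stock firewall anyway.
inbound_on_open_ports() {
  grep 'BLOCKED - INBOUND' "$1" | awk -v open="$2" '
    BEGIN { n = split(open, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    { for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/ && (substr($i, 5) in want)) { print; break } }'
}

inbound_by_src "$SAMPLE_LOG"
inbound_on_open_ports "$SAMPLE_LOG" "22222 443"
```

A single source hitting many distinct destination ports in a short window is the shape of an internet-wide scan, while repeated hits on one exposed port are the case where Skynet's inbound blocking is doing something the stock firewall would not.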
 
No, I never have anything open on the WAN side.
I never connect to my router from the internet. I have no AiProtection or AiDisk on, no DDNS, no port forwarding, triggers or anything that could connect to me.
 
I just made some changes by disabling inbound blocking too, also dropped Pixelserv Std to Lite and haven't regretted the changes. Always concerned my old AC56 is being stressed with all this stuff running for little or no reason.
 
Some people don't realise that when they enable logging, they see new log entries that normally don't show in the log when logging is disabled.
 
Does what you're saying mean that the blocklist(s), updated periodically in Skynet, only block outbound connections? Because if the router will block everything that Skynet blocks inbound, why does the Skynet blocklist update?
 
In my personal setup, yes, it only blocks outbound connections that my devices might try to make to a banned IP.

In the general sense, the router's built-in firewall will block all unsolicited inbound traffic, unless you have a port listening on the public WAN interface. It won't block traffic when it's configured to accept traffic on a particular port (e.g. OpenVPN, ssh, https, port forwards, etc.). In these situations Skynet will block with a vengeance any attempted inbound connection from a banned IP to one of your open, listening WAN ports. This is good.

Since I don't have any public listening WAN ports, I don't feel I need inbound blocking with all its unnecessary inbound block messages. But I DO want logging of outbound blocks. If Skynet supported logging only outbound blocks, I would leave inbound blocking enabled without logging. But Adamm rejected that idea because he thought it added complexity.
 
Thanks dave14305, that's informative.

Appreciated,
Anton
 
@dave14305 One other thing. So since SkyNet reports typically thousands of blocks, this means that it's seeing these unsolicited connection attempts before the router's firewall. In other words SkyNet is in front of the router's firewall?
 
Mostly. It works at the earliest possible point in the firewall traffic flow, before rules that the router creates.
 
FlexNet fork on the horizon?
 
So if one runs Skynet, can one disable the built-in firewall with no ill effects?
 
Sorry to hijack, but isn't running the built-in firewall and the Skynet firewall kind of the firewall equivalent of double NATing?
 