Skynet - Router Firewall & Security Enhancements

I have been using Skynet for a long time. Love it. I'm wondering if Ai Protection from Trendnet adds something along with Skynet. Ai Protect is OFF for me. Opinions ?
 
OK - my mistake... I scrolled up and it does say: Skynet: [INFO] Skynet Sucessfully Updated - Restarting Firewall.

It's just that since you then clear the screen and go back to the AMTM menu immediately thereafter, the "success" message isn't actually displayed for a useful period of time. Maybe put a 0.25s delay before going back to the menu? That'd be long enough to register but not long enough to slow down any particular work someone was doing... On the other hand now that I know what's going on it's irrelevant to me. For us n00bs though, it'd be useful. :)

That's more an issue for amtm; Skynet actually hard exits there, so if you had just been using Skynet alone to issue the command it would have brought you back to a terminal prompt with that information still visible.

Re using the geoip ban function, is it possible to ban all except an allowed list?

Something like:
ban country all
allow country "us uk"

Or is it necessary to name each as in:
ban country "pk cn sa ru ..."

I'm wondering about the very same question ???

At this present time, unfortunately not. You will have to list the specific countries you want banned.

I have been using Skynet for a long time. Love it. I'm wondering if Ai Protection from Trendnet adds something along with Skynet. Ai Protect is OFF for me. Opinions ?

I'd keep AiProtect on personally.
 
Adamm, looks like with hervon this makes (at least) two votes for some kind of whitelist feature, although we're coming at it from different angles since he's looking at it from a country perspective and I'm thinking per-device (MAC or LAN IP). Is that something that would be complex to build in? Just curious. :)
 
Adamm, looks like with hervon this makes (at least) two votes for some kind of whitelist feature, although we're coming at it from different angles since he's looking at it from a country perspective and I'm thinking per-device (MAC or LAN IP). Is that something that would be complex to build in? Just curious. :)

So while this functionality is theoretically possible, I think it's outside the scope of the project (at least for now). It would require a lot of internal reworking / unneeded complexity and I feel would go mostly unused. It also could cause bigger issues in the long run support-wise. Being a lone developer of the project, it's hard enough to keep thousands of people happy while answering their questions on unique setups frequently.

I understand IoT botnets are a concern, but I feel with banmalware sourcing 30 reputation lists (realistically this number would be more like 50 as firehol lists combine multiple) from some of the world's most trusted sources, along with AiProtect you are in a pretty good position compared to the average joe.
 
Is there a limit on the number of countries that can be banned?

No, there is a limit on the BlockedRanges IPSet of 200,000 entries (which can be increased if needed) but that should be more than sufficient for most purposes.
 
Did you just release 6.0.0? I had to update a router this morning and it loaded the new version.
 
I've officially released Skynet v6.0.0

Thanks to all my beta testers @el pescador @HardCat @skeal @XIII @thelonelycoder

The change-log is as follows;

Code:
Fixed Menu Bug
Fixed SWAP Removal Bug
Fixed Timer Bug
Improved Backup/Restore Process
Banmalware Runs Automatically After Install If Selected
Selective Filtering Now Possible (Inbound/Outbound Only)
IPSet Now Uses Unique Names To Prevent Conflicts With Other Scripts
Skynet Now Uses Unique File Names To Prevent Conflicts With Other Scripts
JFFS Installs No Longer Possible
SWAP Files Now Mandatory
Skynet Now Uses Config File For Common Settings Getting Rid Of Repetitive Sed/Grep Calls
Skynet Evenets To Be Logged To Unique File To Speed Up Grep Calls (evenets.log)
Skynet Forces Install Command If No Installation Detected
Other Internal Changes Which Should Allow Easier Updates/More Customization

This update is the culmination of 28 Commits, 556 additions and 501 deletions. So quite a lot was modified, hopefully all bugs squished in the process so updating can be smooth as possible.


Note;

JFFS installs are no longer possible! This is mainly to keep functionality in line with the AC86U which is forced to have USB installation/SWAP file due to resource limitations. This means Skynet now requires a 512MB USB minimum.


You will need to run the install command manually after updating! Due to the drastic internal changes, the install command will need to be run manually after updating, this will convert old data to the new format.
 
So far everything looks good. Updating through the menu with 10 > 1 didn't work. I had to reinstall it manually.

Update: Just saw you posted the info now
 
6.0.0 worked fine on my AC86U during the beta.

Now updating on the AC56U and AC68U of family members.
 
Of course within an hour I find a bug due to a typo that I missed all week :p

I've pushed v6.0.1 accordingly. Sorry to those who got in early!

@Quoc Huynh @XIII @skeal @Mutzli
 
No problem :) Thank you so much for your hard work and your marvellous script, @Adamm! I have updated to 6.0.0 and now been on the way to 6.0.1 :p
 
Just updated. Seems to have gone flawlessly.

Ooooh fancy colors! ;)

FWIW lately have been back in a huge spate of short-timing false-positives in the malware lists, been very irritating to my network users (including me). At this point I'm running 'banmalware' every 4 hours (with some day-part exceptions) to update the lists more often, and that seemed to help, but indeed lately some list or lists have had a lot of churn of positives that go away in short order.

I've written a few little utility scripts to make fixing things easier... the most basic one takes a single hostname, does a dig, gets the IP address, then feeds that to Skynet to sequentially 1. search IP and then 2. search malware... (was interested to track if any specific lists seem to be worse on false-positives and if I might want to remove them...) The other script is 'fancier' and gets the most recent blocks from the logs, sorts and numbers them and lets you pick them by number to investigate then unban or whitelist if you choose.

Turns out most of these false positives will show up as malware blocked from the first search, but then do not actually appear on a malware list in the second search? Is that because the malware search is 'live' and by the time I check them they have been cleared, but are still listed locally?

I've thought about using the new only INBOUND function to stop the browsing annoyances, however I've seen some very suspicious stuff lately (in one case I think there's a sketchy iOS app that Apple would not approve of...) and not sure that's a great idea by any means.
 
(was interested to track if any specific lists seem to be worse on false-positives and if I might want to remove them...)

I can't say I run into issues with incorrectly blocked websites too often; my whitelist usually stays default due to the amount of reinstalling I do for debugging. But if you do track down any list that is providing excessive amounts of false positives, feel free to pass on the information and we can possibly remove it from the master list accordingly.

Turns out most of these false positives will show up as malware blocked from the first search, but then do not actually appear on a malware list in the second search? Is that because the malware search is 'live' and by the time I check them they have been cleared, but are still listed locally?

Yes that would be correct, "stats search malware xxx.xxx.xxx.xxx" compares the IP in question to a fresh copy of each list.
 
I can't say I run into issues with incorrectly blocked websites too often; my whitelist usually stays default due to the amount of reinstalling I do for debugging. But if you do track down any list that is providing excessive amounts of false positives, feel free to pass on the information and we can possibly remove it from the master list accordingly.



Yes that would be correct, "stats search malware xxx.xxx.xxx.xxx" compares the IP in question to a fresh copy of each list.
I wonder if the blocked IP is in a blocked IP range, will it display, because sometimes when I search the blocked IP, it didn’t show which list it is coming from.
 
I wonder if the blocked IP is in a blocked IP range, will it display, because sometimes when I search the blocked IP, it didn’t show which list it is coming from.
Yes just read the results carefully.
 
I wonder if the blocked IP is in a blocked IP range, will it display, because sometimes when I search the blocked IP, it didn’t show which list it is coming from.

That's exactly what I'm finding. Seems you are seeing the same thing - the IP or block has been 'cleared' by the time you search yet it's still in effect in Skynet.
 
Seamless upgrade through reinstall upgrade process. All aspects regarding core function seem in perfect order, no messages worth notation in log.

Usage with amtm is fine as well.

Thank you greatly.
 
That's exactly what I'm finding. Seems you are seeing the same thing - the IP or block has been 'cleared' by the time you search yet it's still in effect in Skynet.
This feature works fine for me. I would recommend using white-list when you come across an ip you need to be allowed. Don't use unban in this case.
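
The stale-entry behaviour discussed in the posts above, as an added example that is not part of the thread or Skynet's own code: it checks a blocked IP against the locally loaded entries and against a fresh copy of each list, matching CIDR ranges as well as single addresses. All addresses, list names and function names here are constructed for illustration.

```python
import ipaddress

# Constructed sample data using documentation address ranges; not real list contents.
LOCAL_BLOCKED = ["198.51.100.0/24", "203.0.113.7", "192.0.2.128/25"]
FRESH_LISTS = {
    "list-a.example": "# constructed feed\n198.51.100.0/24\n",
    "list-b.example": "203.0.113.0/28\n\n",
}

def parse_feed(text):
    """Parse one feed: one IP or CIDR per line, skipping blanks and # comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False tolerates ranges written with host bits set
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def covering(ip, nets):
    """Return, as strings, the entries (single IPs or ranges) that contain ip."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in nets if addr in n]

def explain_block(ip, local_blocked=LOCAL_BLOCKED, fresh_lists=FRESH_LISTS):
    """Classify ip as 'not blocked', 'listed' or 'stale'."""
    local = covering(ip, parse_feed("\n".join(local_blocked)))
    sources = {}
    for name, text in fresh_lists.items():
        hits = covering(ip, parse_feed(text))
        if hits:
            sources[name] = hits
    if not local:
        status = "not blocked"
    elif sources:
        status = "listed"   # still present upstream, possibly only via a range
    else:
        status = "stale"    # blocked locally, no longer in any fresh list
    return {"ip": ip, "local": local, "sources": sources, "status": status}

if __name__ == "__main__":
    for ip in ("198.51.100.23", "203.0.113.7", "192.0.2.200", "198.18.0.1"):
        print(explain_block(ip))
```

A "stale" result corresponds to the case described in the thread: the address is still blocked locally but has already been dropped from every upstream list, so it clears at the next list refresh or can be whitelisted in the meantime.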
 