Skynet - Router Firewall & Security Enhancements

Hi Adam,
The # of IPs blocked decreased to 35,000 from 100,000 on reinstall. Is this common?

Warm Regards,

Firehol is having some issues on their end (the website which hosts the lists). So some lists are showing as empty, probably just a bad compile on their end and will be fixed shortly. In a few hours you can try manually running the banmalware function or just wait until the next cronjob to automatically update.

Code:
admin@RT-AC86U-2EE8:/tmp/skynet# wc -l *
    10892 alienvault_reputation.ipset
        0 bambenek_c2.ipset
     4017 bds_atif.ipset
      154 blocklist_de_bots.ipset
     4408 blocklist_de_ssh.ipset
      182 blocklist_de_strongips.ipset
        0 coinbl_hosts_browser.ipset
     1042 coinbl_ips.ipset
      879 cybercrime.ipset
      169 dyndns_ponmocup.ipset
     2236 et_block.netset
       99 et_botcc.ipset
      678 et_compromised.ipset
     1341 feodo.ipset
        0 firehol_level2.netset
        0 firehol_level3.netset
      272 malwaredomainlist.ipset
    37298 malwarelist.txt
      583 maxmind_proxy_fraud.ipset
     3819 normshield_high_attack.ipset
     2284 normshield_high_bruteforce.ipset
      117 ransomware_online.ipset
      207 ransomware_rw.ipset
      817 spamhaus_drop.netset
      139 spamhaus_edrop.netset
     8631 taichung.ipset
      480 urandomusto_ssh.ipset
      462 urandomusto_telnet.ipset
        0 uscert_hidden_cobra.ipset
    81206 total


admin@RT-AC86U-2EE8:/tmp/skynet# cat /tmp/skynet/* | awk '!x[$0]++' | wc -l
37583
 
They don't have it solved yet. o_O
Code:
May 26 02:00:02 Skynet: [Complete] 110761 IPs / 1647 Ranges Banned. 0 New IPs / 0 New Ranges Banned [save] [2s]
May 26 02:25:13 Skynet: [Complete] 43214 IPs / 966 Ranges Banned. -67547 New IPs / -681 New Ranges Banned [banmalware] [13s]


May 26 11:52:55 Skynet: [Complete] 34487 IPs / 927 Ranges Banned. -8727 New IPs / -39 New Ranges Banned [banmalware] [12s]
 
They are having some issues with their website, the GitHub versions of the lists (which are only compiled once per day) are fine. I'm sure it will be fixed in a timely manner.

Try again in a few hours and resist the urge to visit suspiciouswebsite.com :p
 
I'm not worried, I just see it add more IPs every day than it deletes, so this big minus got my attention. I just had to run banmalware one more time being the geek that I am. :rolleyes:
 
Could you explain where you mean?
(i.e. what do you change?)
I use a custom filter list instead of the Skynet default banmalware list.
The list below is Adamm's default:
https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/filter.list

I pasted my own additional list on top of the default in pastebin and used the raw link for Skynet.

Currently the https://iplists.firehol.org/ website is having some problem compiling its lists.
Example:
https://iplists.firehol.org/files/firehol_level1.netset
So I replace them with
https://github.com/firehol/blocklist-ipsets/raw/master/firehol_level1.netset

All of these lists are from https://github.com/firehol/blocklist-ipsets
Note that you need the raw link for Skynet to compile and work.
 
Many thanks, makes sense now. :)

I probably need to compile my own lists as fallback/standby.
Currently trying to update via the 'Banmalware' option is failing when 'Applying Blacklists' because there is a 5-octet IPv4 address being picked up !!!???
(Still must be problems with the firehol lists etc.)

 
Adamm,

Would it be possible to allow input of a 'Local file', as well as a URL, for the 'Banmalware' ---> 'Change Filter list' option?
This would be in line with the 'URL/Local file' functionality of the 'Import IP List/Deport IP List options'

Thanks for your consideration.
 
I just installed skynet. In my log, it keeps showing blocked connections.
I went to Firewall/Logged packets type and changed it to "None"
It keeps changing back to "Dropped" and showing in my log.
 
Many thanks, makes sense now. :)

I probably need to compile my own lists as fallback/standby.
Currently trying to update via the 'Banmalware' option is failing when 'Applying Blacklists' because there is a 5-octet IPv4 address being picked up !!!???
(Still must be problems with the firehol lists etc.)

Guess you found out that you need to use the raw URL link.
 
To anyone having problems I have created a copy of the default filter list (amended as per DonnyJohnny's instructions)
https://www.snbforums.com/threads/s...manual-ip-blocking.16798/page-133#post-407503

The following should be used in the 'Banmalware' ---> 'Change Filter list' option :

https://pastebin.com/raw/X9uxcADY

[It will delete itself in 1 week !!!]

P.S. I have used it and it does work !!! :)

The issue has been corrected with the firehol website and the lists are working as expected.

I just installed skynet. In my log, it keeps showing blocked connections.
I went to Firewall/Logged packets type and changed it to "None"
It keeps changing back to "Dropped" and showing in my log.

This is because you have "debug mode" enabled in Skynet. To disable it run the install command again and go through the prompts accordingly.
 
The issue has been corrected with the firehol website and the lists are working as expected.
Yup! I knew it would, so I just left it alone and let Skynet do its thing on the daily update today. #thumbsup
Code:
May 26 02:00:02 Skynet: [Complete] 110761 IPs / 1647 Ranges Banned. 0 New IPs / 0 New Ranges Banned [save] [2s]
May 26 02:25:13 Skynet: [Complete] 43214 IPs / 966 Ranges Banned. -67547 New IPs / -681 New Ranges Banned [banmalware] [13s]


May 26 11:52:55 Skynet: [Complete] 34487 IPs / 927 Ranges Banned. -8727 New IPs / -39 New Ranges Banned [banmalware] [12s]

May 27 02:25:22 Skynet: [Complete] 107961 IPs / 1704 Ranges Banned. 73474 New IPs / 777 New Ranges Banned [banmalware] [22s]
 
I've pushed v6.2.0

Changes since the last version;

Code:
Comment support for import command
Fix lock files with blank PID line due to user error
Give imported entries identifiable string
Fix char limits on certain entries
"whitelist list imported" command
Guess Unban_PrivateIP never worked due to extra space, oops
Add Refresh_AiProtect()

The one feature that needs testing and feedback is that Skynet now bans IPs that AiProtect flags as malicious upon startup (if the feature is enabled). The current downside is that it will also ban source addresses (aka your current and previous IPs), but our whitelist should make this not matter. I'm hoping in a future version to filter these addresses out without needing to install any additional entware packages.

To enable/disable this feature use the following commands;

Code:
sh /jffs/scripts/firewall debug banaiprotect enable
sh /jffs/scripts/firewall debug banaiprotect disable
 
Yup! I knew it would, so I just left it alone and let Skynet do its thing on the daily update today. #thumbsup
Code:
May 26 02:00:02 Skynet: [Complete] 110761 IPs / 1647 Ranges Banned. 0 New IPs / 0 New Ranges Banned [save] [2s]
May 26 02:25:13 Skynet: [Complete] 43214 IPs / 966 Ranges Banned. -67547 New IPs / -681 New Ranges Banned [banmalware] [13s]


May 26 11:52:55 Skynet: [Complete] 34487 IPs / 927 Ranges Banned. -8727 New IPs / -39 New Ranges Banned [banmalware] [12s]

May 27 02:25:22 Skynet: [Complete] 107961 IPs / 1704 Ranges Banned. 73474 New IPs / 777 New Ranges Banned [banmalware] [22s]
I knew it would be fixed BUT did not like having such a large 'hole' in the coverage while I was waiting.

At least I learnt something new, 'Thank you' all, and now know how to have a 'Custom/Backup/Fallback' list of my own.
:D
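
An added example, not part of the thread and not Skynet's own code: a pre-load check for the failure discussed above, where upstream lists compiled empty and a 5-octet entry broke 'Applying Blacklists'. The function names, the 50% floor and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Skynet code. Function names and the 50% floor are assumptions.

# valid_entries FILE: print unique, well-formed IPv4 addresses or CIDR ranges.
# Drops comments, blanks, 5-octet strings, octets > 255 and prefixes > 32.
valid_entries() {
    awk '
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
    $0 == "" { next }
    {
        n = split($0, p, "/")
        if (n > 2) next
        if (n == 2 && (p[2] !~ /^[0-9][0-9]?$/ || p[2] + 0 > 32)) next
        if (split(p[1], o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) next
        if (!seen[$0]++) print
    }' "$1"
}

# safe_to_apply OLD_COUNT FILE [MIN_PERCENT]: succeed only if FILE keeps at
# least MIN_PERCENT (default 50) percent of the currently loaded entry count.
safe_to_apply() {
    new=$(valid_entries "$2" | awk 'END { print NR }')
    [ "$new" -gt 0 ] && [ $((new * 100)) -ge $(($1 * ${3:-50})) ]
}

# pick_list OLD_COUNT PRIMARY FALLBACK: print the first candidate that passes.
# Exit status 1 means neither did, so the caller keeps the set already loaded.
pick_list() {
    for f in "$2" "$3"; do
        if safe_to_apply "$1" "$f"; then echo "$f"; return 0; fi
    done
    return 1
}

# Constructed sample data: an empty "bad compile" and a mirror copy with noise.
demo_dir=$(mktemp -d)
printf '# firehol_level2 (constructed)\n' > "$demo_dir/primary.netset"
printf '%s\n' '# mirror (constructed)' 203.0.113.7 198.51.100.0/24 1.2.3.4.5 \
    300.1.1.1 203.0.113.7 192.0.2.0/33 192.0.2.10 > "$demo_dir/mirror.netset"
pick_list 4 "$demo_dir/primary.netset" "$demo_dir/mirror.netset"
```

When `pick_list` returns non-zero, the caller should skip the update so a bad upstream compile does not shrink the ban set.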
 
You said it will also ban source addresses, does that mean IPs from your local network pool or the ISP-assigned IP?
 
Your current and previous public IPs. So any IP that shows up on the following page;

[Image: 2gX6ui3.png]

Like I previously mentioned, due to our whitelist this shouldn't be an issue, but it was worth mentioning just in case it caused some weird unforeseen issues. Hopefully in a future version we can filter these addresses out entirely, but I'm trying to find a solution that doesn't rely on any entware packages to parse the SQL database.
 
Thanks, I'll enable it and report any observations should there be any problems. Great feature to have. Just wondering if it really does help since most attacker IPs in that list are from a unique source.
 
