Skynet - Asus Firewall Addition (Dynamic Malware/Country/Manual IP Blocking)

Discussion in 'Asuswrt-Merlin' started by Adamm, Apr 16, 2014.

  1. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    1,503
    This was a cosmetic error. I pushed a fix, but there's no version jump as it's a minor change. You can force update if you choose.
     
    hervon likes this.
  3. skeal

    skeal Very Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    1,462
    Yup... tested and your new fix works. Thanks @Adamm, your support is awesome!
     
    hervon likes this.
  4. Dee Fever

    Dee Fever New Around Here

    Joined:
    Jun 16, 2018
    Messages:
    6
    Is there any way to set up a fail2ban-type system with Skynet? Basically, any IP that tries to hit my device on a port that I don't allow, I want to block for sure. Really, my home connection only allows me to VPN in to my device, so anything or anyone else hitting these ports needs to be banned from attempting any further connection in or out. I couldn't find a way to do this in the menu structure.
     
  5. DonnyJohnny

    DonnyJohnny Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    477
    Actually not really needed, as the reputable banmalware list already covers most malicious IPs used for port knocking. If you want, you can also make a customised banmalware list to add in more IP blocking. But note that sometimes a legitimate IP may be blocked, so you may need some whitelisting work in the earlier implementation of those IP lists. http://iplists.firehol.org/
    Below is the custom list I use:
    https://pastebin.com/raw/uXCxsnQ1

    And also, you should be using a non-common port for VPN. No 1194\1195. This will reduce targeted port knocking on that service.
     
    joe scian likes this.
  6. Dee Fever

    Dee Fever New Around Here

    Joined:
    Jun 16, 2018
    Messages:
    6
    I understand this, but I want to ban anyone that scans my device looking for a way in. That makes more sense than depending on a ban list. Attackers that are smart won't continue coming from something on a banlist. If you are smart, you make your IP appear on a ban list, then come from an alternate IP.

    Why would you not want to protect your network from anyone touching ports you don't even have open? I would be happy to deal with more false positives. The reality is nobody should be hitting the device but me, on ports I know are open.

    The other question I have is, if I import a list from the web, will it automatically update every 24 hrs or some other time frame, or is it a one-time pull?
     
  7. DonnyJohnny

    DonnyJohnny Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    477
    In most cases, only those known will randomly hit a port, and they hit with IP ranges and not specific ports. And the banmalware is already good enough. Having said that, how often do you see your VPN port being hit in the first place, assuming you're using an uncommon port? If any, the VPN verification will not allow it through unless you enable user/password, where hackers could maybe brute force it? But most times this will become an intentionally targeted attack.

    The default banmalware update is once per 24hr, at 2.25am, by cronjob.
     
  8. SanPe

    SanPe New Around Here

    Joined:
    Nov 6, 2017
    Messages:
    5
    Location:
    France
    Up. Is it something I can do?
     
  9. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    1,503
    Somewhat. Skynet already taps into the SSH BFD, and the SPI firewall will reject any invalid connections, but for anything else it's up to the user to implement (who can then feed the information to Skynet if they desire).

    If you add the list to a banmalware filter and set it for daily updates, yes.

    Unfortunately not without significant modification. Supporting a web server is out of the scope of the project's "lightweight" approach.
     
  10. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    1,503
    I pushed v6.3.1

    Skynet will now kill "stuck" processes on its own if detected. A pretty rare event, and usually USB related; the value is set to two hours for now to account for timezone changes. There are also some banmalware improvements.
     
  11. Quoc Huynh

    Quoc Huynh Occasional Visitor

    Joined:
    Jan 11, 2018
    Messages:
    39
    Thanks, Adamm ;)
     
  12. SanPe

    SanPe New Around Here

    Joined:
    Nov 6, 2017
    Messages:
    5
    Location:
    France
    Ok, thank you.
    But I guess it's possible to create a script to extract and store the IPs from the log in a file and make Skynet import this file... If I find something working, I'll post it here.
     
  13. Dee Fever

    Dee Fever New Around Here

    Joined:
    Jun 16, 2018
    Messages:
    6
    I ended up finding this and it is working just fine now.
    https://www.snbforums.com/threads/h...ious-ips-using-ipset-martineau-version.38748/

    So for anyone that wants to block any IP that tries to touch their router, here you go. Yes, I believe in blocking ahead of time, before they get to a port that is open and try to exploit it. This also immediately bans any IP that tries to touch something.

    https://securityzap.com/a-story-of-a-finfisher-hacker/
    or
    https://news.softpedia.com/news/fin...e-broke-into-hackingteam-servers-503078.shtml

    If you read the story of this attack, you can see that he maps out the target looking for his opportunity and then wrote his own 0-day, but he needed to map out the target first to even understand what he could exploit. Meaning he scanned them for open ports and stuff he could target to exploit.
     
    Last edited: Jul 14, 2018 at 12:59 PM
  14. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    1,503
    I'm not sure what functionality you think this script has that Skynet is lacking; it's actually based off an outdated version of Skynet.
     
    Makaveli and skeal like this.
  15. Dee Fever

    Dee Fever New Around Here

    Joined:
    Jun 16, 2018
    Messages:
    6
    I asked for the ability to block any IP that hits the router, like fail2ban. Doing it automatically.

    https://www.fail2ban.org/wiki/index.php/Main_Page

    It is pretty simple: if an IP hits port 22 on my router, or any other port for that matter, it is banned, as simple as that. Meaning it is blocked from scanning for any other ports that I may have opened. I don't want to depend on just a list of known bad IPs from someone else. I want to target those attempting to hit my router.

    Functionally, it takes anything knocking on your door and denies it for the future. It's like if I had a lurker outside my home that walks by every day shining his flashlight looking for a way in, attempting to open the doors and windows daily. Would I not call the police and just stop him, or would I just continue to let him lurk until he finds a way in?
     
    Last edited: Jul 14, 2018 at 1:28 PM
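As an added example (not Skynet's own code and not posted by anyone in this thread), here is the log-to-banlist script SanPe sketches above, applied to the fail2ban-style behaviour Dee Fever asks for. It assumes the router's firewall LOG target writes standard netfilter "DROP IN=<if> ... SRC=<ip>" lines, that the WAN interface is eth0, and that the resulting file is then handed to Skynet's import feature (its exact syntax is not shown here); the log lines are constructed and use TEST-NET addresses.

```shell
#!/bin/sh
# Added example, not Skynet's code: build a fail2ban-style ban list from
# netfilter DROP log lines. Assumptions: standard "DROP IN=<if> ... SRC=<ip>"
# LOG format, WAN interface eth0, and the output file is fed to Skynet's own
# import function afterwards (not shown here).

# Constructed sample log lines (TEST-NET addresses, not real hits).
SAMPLE_LOG='Jul 14 12:00:01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=54321 DPT=22
Jul 14 12:00:03 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=54322 DPT=23
Jul 14 12:00:05 kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.1 PROTO=UDP SPT=5353 DPT=1194
Jul 14 12:00:07 kernel: DROP IN=br0 OUT= SRC=192.168.1.20 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22
Jul 14 12:00:09 kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=1000 DPT=443'

# dropped_sources WAN_IF MIN_HITS
# Reads log lines on stdin and prints each source IP that was dropped on
# WAN_IF at least MIN_HITS times (fail2ban's "maxretry" idea, which keeps a
# single stray packet from earning a ban). RFC1918 sources are skipped so a
# misconfigured LAN or VPN client can never ban itself.
dropped_sources() {
  awk -v ifc="$1" -v min="$2" '
    $0 ~ ("DROP IN=" ifc " ") {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) ip = substr($i, 5)
      if (ip == "") next
      if (ip ~ /^10\./ || ip ~ /^192\.168\./ ||
          ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
      hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip }'
}

# Demo wrapper over the constructed log; sorted so the output is stable.
banned_sources() {
  printf '%s\n' "$SAMPLE_LOG" | dropped_sources "$1" "$2" | sort
}

# Real use (log and output paths are assumptions for Asuswrt-Merlin):
#   dropped_sources eth0 2 < /tmp/syslog.log > /jffs/banlist.txt
banned_sources eth0 2
```

Run from cron with the same interval as the banmalware update if you want the list refreshed automatically, and review the file before importing it, since anything logged as a DROP on the WAN side ends up in it.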
  16. skeal

    skeal Very Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    1,462
    I see your point about scanning port 22, but doing this for other ports could cause a whole lot of false positives. The STP function of the router simply drops what is not solicited for, so any unknown traffic gets dropped. I'm really not sure what more you could want without causing some unwanted problems. You could also enable the "DOS" option in the firewall settings.
     