
Skynet - Asus Firewall Addition (Dynamic Malware/Country/Manual IP Blocking)

Discussion in 'Asuswrt-Merlin' started by Adamm, Apr 16, 2014.

  1. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    1,581
    This was a cosmetic error; I pushed a fix, but there's no version jump as it's a minor change. You can force update if you choose.
     
    hervon likes this.
  3. skeal

    skeal Very Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    1,746
    Location:
    Canada
    Yup...tested and your new fix works. Thanks @Adamm your support is awesome!
     
    hervon likes this.
  4. Dee Fever

    Dee Fever New Around Here

    Joined:
    Jun 16, 2018
    Messages:
    6
    Is there any way to set up a fail2ban type system with Skynet? Basically any IP that tries to hit my device on a port that I don't allow, I want to block it for sure. Really my home connection only allows me to VPN in to my device, so anything or anyone else hitting these ports needs banned from attempting any further connection in or out. I couldn't find a way to do this in the menu structure.
     
  5. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    531
    Actually not really needed, as the reputable banmalware list already covers most malicious IPs used for port knocking. If you want, you can also make a customised banmalware list to add in more IP blocking. But note that sometimes a legitimate IP may be blocked, so you may need some whitelisting work in the earlier implementation of those IP lists. http://iplists.firehol.org/
    Below is my custom list used
    https://pastebin.com/raw/uXCxsnQ1

    And also, you should be using a non-common port for vpn. No 1194\1195. This will reduce targeted port knocking on that service.
     
    joe scian likes this.
  6. Dee Fever

    Dee Fever New Around Here

    Joined:
    Jun 16, 2018
    Messages:
    6
    I understand this, but I want to ban anyone that scans my device looking for a way in. That makes more sense than depending on a ban list. Attackers that are smart won't continue coming from something on a banlist. If you are smart, you make your IP appear on a ban list, then come from an alternate IP.

    Why would you not want to protect your network from anyone touching ports you don't even have open? I would be happy to deal with more false positives. Reality is nobody should be hitting the device but me, on ports I know are open.

    The other question I have is if I import a list from the web will it automatically update it every 24 hrs or a certain time frame or is it a one time pull?
     
  7. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    531
    In most cases, only those known will randomly hit a port, and they hit with an IP range and not a specific port. And the banmalware is already good enough. Having said that, how often do you see your VPN port being hit in the first place, assuming you're using an uncommon port? If any, the VPN verification will not allow it through unless you enable user/password, where hackers could maybe brute force it? But most times this will become an intentionally targeted attack.

    The default banmalware update is 24hr once at 2.25am by cronjob.
     
  8. SanPe

    SanPe New Around Here

    Joined:
    Nov 6, 2017
    Messages:
    5
    Location:
    France
    Up. Is it something I can do?
     
  9. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    1,581
    Somewhat. Skynet already taps into the SSH BFD and the SPI firewall will reject any invalid connections, but for anything else it's up to the user to implement (who can then feed the information to Skynet if they desire).

    If you add the list to a banmalware filter and set it for daily updates, yes.

    Unfortunately not without significant modification. Supporting a web server is out of the scope of the project's "lightweight" approach.
     
  10. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    1,581
    I pushed v6.3.1

    Skynet will now kill "stuck" processes on its own if detected. A pretty rare event and usually USB related, value set to two hours for now to account for timezone changes. There are also some banmalware improvements.
     
  11. Quoc Huynh

    Quoc Huynh Occasional Visitor

    Joined:
    Jan 11, 2018
    Messages:
    41
    Thanks, Adamm ;)
     
  12. SanPe

    SanPe New Around Here

    Joined:
    Nov 6, 2017
    Messages:
    5
    Location:
    France
    Ok, thank you.
    But, I guess it's possible to create a script to extract and store the IPs from the log in a file and make skynet import this file... If I find something working, I'll post it here.
     
  13. Dee Fever

    Dee Fever New Around Here

    Joined:
    Jun 16, 2018
    Messages:
    6
    I ended up finding this and it is working just fine now.
    https://www.snbforums.com/threads/h...ious-ips-using-ipset-martineau-version.38748/

    So for anyone that wants to block any IP that tries to touch their router, here you go. Yes, I believe in blocking ahead of time before they get to a port that is open and try to exploit it. This also immediately bans any IP that tries to touch something.

    https://securityzap.com/a-story-of-a-finfisher-hacker/
    or
    https://news.softpedia.com/news/fin...e-broke-into-hackingteam-servers-503078.shtml

    If you read the story of this attack, you can see that he maps out the target looking for his opportunity and then wrote his own 0-day, but he needed to map out the target first to even understand what he could exploit. Meaning he scanned them for open ports and stuff he could target to exploit.
     
    Last edited: Jul 14, 2018
  14. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    1,581
    I'm not sure what functionality you think this script has that Skynet is lacking; it's actually based off an outdated version of Skynet.
     
  15. Dee Fever

    Dee Fever New Around Here

    Joined:
    Jun 16, 2018
    Messages:
    6
    I asked for the ability to block any IP that hits that router like fail2ban. Doing it automatically.

    https://www.fail2ban.org/wiki/index.php/Main_Page

    It is pretty simple: if an IP hits port 22 on my router, or any other port for that matter, it is banned, as simple as that. Meaning it is blocked from scanning for any other ports that I may have opened. I don't want to depend on just a list of known bad IPs from someone else. I want to target those attempting to hit my router.

    Functionally, it takes anything knocking on your door and denies it for the future. It's like if I had a lurker outside my home that walks by every day shining his flashlight looking for a way in, attempting to open the doors and windows daily. Would I not call the police and just stop him, or would I just continue to let him lurk until he finds a way in?
     
    Last edited: Jul 14, 2018
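    The following is an added example, not Skynet's code and not posted by anyone in this thread, of the fail2ban-style idea asked about above and of the "extract IPs from the log into a file" script SanPe described earlier: it reads netfilter DROP lines, counts how many distinct non-allowed ports each outside source probed, and writes a one-address-per-line list that can be fed to a custom banmalware filter. It is written for the POSIX shell the router runs, and it assumes three things: that the firewall log lines use the standard netfilter LOG format with SRC= and DPT= fields (the sample lines below are constructed, not taken from a real router), that the ports you deliberately expose are known and listed in ALLOWED_PORTS, and that a custom filter accepts a plain one-IP-per-line file. The hit threshold and the private-range whitelist are there to keep LAN hosts and one-off stray packets off the ban list, which is the false-positive problem a blanket "ban on first touch" rule runs into.

```shell
#!/bin/sh
# Added example (not Skynet's own code): build a fail2ban-style ban candidate list
# from netfilter DROP log lines. Assumptions are marked below.

# Constructed sample log lines in the standard netfilter LOG format (SRC=/DPT=).
# On a router the real input would be the syslog file; the path is an assumption.
SAMPLE_LOG='Jul 14 02:10:01 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22
Jul 14 02:10:02 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=23
Jul 14 02:10:03 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=3389
Jul 14 02:11:00 router kernel: DROP IN=eth0 OUT= SRC=192.168.1.50 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=22
Jul 14 02:11:01 router kernel: DROP IN=eth0 OUT= SRC=192.168.1.50 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=23
Jul 14 02:11:02 router kernel: DROP IN=eth0 OUT= SRC=192.168.1.50 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=25
Jul 14 02:12:00 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=UDP SPT=1194 DPT=1194
Jul 14 02:12:30 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=1234 DPT=445'

# Ports the owner deliberately exposes (assumption: a VPN on 1194). Hits on these
# are normal traffic and are not counted as probes.
ALLOWED_PORTS="1194"

# Minimum number of distinct non-allowed ports a source must probe before it is
# listed. One stray packet is not a scan; three different ports from one host is.
THRESHOLD=3

# is_private IP: succeeds for RFC1918, loopback and link-local addresses, which
# must never end up in a ban list even if a LAN host trips the rule.
is_private() {
  case "$1" in
    10.*|127.*|169.254.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# ban_candidates: reads log lines on stdin, prints one IP per line (sorted) for
# every public source that probed at least THRESHOLD distinct non-allowed ports.
ban_candidates() {
  awk -v allowed="$ALLOWED_PORTS" -v t="$THRESHOLD" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /kernel: .*DROP / {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "" || dpt == "" || (dpt in ok)) next
      # count each (source, port) pair once so a retry on one port is not a "scan"
      if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] >= t) print s }
  ' | sort | while read -r ip; do
    is_private "$ip" || printf '%s\n' "$ip"
  done
}

# Demo on the constructed sample: write the list in the one-address-per-line
# form a custom banmalware filter is assumed to accept.
demo_list=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" | ban_candidates > "$demo_list"
printf 'ban candidates written to %s:\n' "$demo_list"
cat "$demo_list"
```

    On the sample input only 203.0.113.7 is listed: it touched ports 22, 23 and 3389. The LAN host 192.168.1.50 is dropped by the whitelist, 198.51.100.9 only hit the allowed VPN port, and 192.0.2.44 sent a single packet and stays below the threshold. To use it for real, replace the sample with the router's syslog file (for example `ban_candidates < /tmp/syslog.log`, path assumed), put the output file where your custom banmalware filter pulls from, and schedule it alongside the daily banmalware update; a nonzero threshold is what keeps a mistyped port or a neighbour's misconfigured device from banning itself.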
  16. skeal

    skeal Very Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    1,746
    Location:
    Canada
    I see your point about scanning port 22 but doing this for other ports could cause a whole lot of false positives. The STP function of the router simply drops what is not solicited for. So any unknown traffic gets dropped. I'm really not sure what more you could want without causing some unwanted problems. You could also enable the "DOS" option in the firewall settings.
     
  17. Ubimo

    Ubimo Occasional Visitor

    Joined:
    Aug 6, 2016
    Messages:
    35
    From time to time I lose banned IP addresses.
    For example, three weeks ago the system log showed me that about 110.000 IP addresses were banned by Skynet. Then, about two weeks ago, the number jumped to 112.004 IP addresses. Today at Jul 16 02:28:53 the number went down to 84.814 banned IP addresses.
    I had to manually update banmalware through the Skynet menu to get back to 122.951 banned IP addresses.
    Why is this happening?
     
  18. skeal

    skeal Very Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    1,746
    Location:
    Canada
    The list is dynamically updated. Sometimes warhol or whoever leaves a list out by mistake (they fix things like that quickly). That would explain why you had a low count of bans and then, not too long after updating, the bans got a lot more. This is somewhat normal behaviour; no way to get around it. You could increase the banmalware processes, but this would likely reveal more of this type of thing. Hope this helps.
     
    Ubimo likes this.
  19. FadgewackeR

    FadgewackeR Regular Contributor

    Joined:
    Jun 19, 2018
    Messages:
    83
    Folks, sorry to drag this down to the dumbest level, but I have an issue, as any Skynet command cannot progress past this, including uninstalling.

    Code:
    /jffs/scripts/firewall: /tmp/mnt/AC86U_SPARE/skynet/skynet.cfg: line 1: syntax error: unterminated quoted string
    
    Any pointers would be very warmly received... Cheers.
     
  20. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    1,581
    Looks like you managed to break the config file :p

    What is the output of the following;

    Code:
    cat /tmp/mnt/AC86U_SPARE/skynet/skynet.cfg
     
  21. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    1,581
    As skeal said, the lists are dynamic; IPs are constantly being removed and added on a daily basis. This means just about every time you run banmalware you will have a different total number of banned addresses, nothing to worry about.
     
    Ubimo likes this.