Skynet - Router Firewall & Security Enhancements

I don't mean to hijack here, quick question: can I use Skynet on OpenWrt?

Skynet was exclusively designed around AsusWRT, so I assume a significant amount of functions wouldn't work without modification. With that being said, at this time I have no plans to personally support other platforms, sorry.
 
Can someone please link me to an "install for dummies"? I have several questions. Do I have to enable SSH on the router before I begin? Any other router setting dependencies? What about JFFS? What am I doing with the USB stick? Does it go in router or pc? Does it have to stay in router after install? Does Skynet get installed to USB stick or router itself? Is the SSH terminal in the router or the pc? Do I have to install it first?

I am not completely helpless and have done things like this before, but I need a literal step-by-step guide the first time around. Sorry if these questions have all been answered at some point over the years in the many replies. Thanks.


UPDATED 07/07/2018

Currently this script only supports ARM/HND Asus Routers with IPSet v6




Skynet - Asus Firewall Addition


Skynet is the first comprehensive IP banning and security tool exclusively for Asus Devices.


The goal of this tool is to enhance the firmware's built-in functionality such as the SPI Firewall, Brute Force Detection and AiProtect while adding easy-to-use tools for users to implement custom firewall rules they desire. Skynet has a range of features from banning single IPs, domains, entire countries or pulling predefined malware lists from reputable providers. It is the one-stop shop for router security and the first line of defense in your home network.

Skynet fully supports (router) OpenVPN implementations and the Astrill VPN Plugin along with user scripts like AB-Solution. You can read about explanations for common errors here.


This script is open source and free to use, but if you want to support future development you can do so by donating here.



INSTALLATION;

All that's required is a USB drive that's at least 500MB. After downloading, it just works.

This script is now hosted on GitHub, you can follow the most recent changes here.

In your favourite SSH terminal;

Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh" -o "/jffs/scripts/firewall" && chmod +x /jffs/scripts/firewall && sh /jffs/scripts/firewall install
 
Do I have to enable SSH on the router before I begin?

Yes, Skynet is installed and accessed via SSH.

Any other router setting dependencies? What about JFFS? What am I doing with the USB stick?

The only requirement is an ARM/HND router (any device on the 382/384 firmware) with a USB stick attached to the device formatted as ext2/ext3/ext4.

Does it go in router or pc?

Router

Does it have to stay in router after install?

Yes

Does Skynet get installed to USB stick or router itself?

It gets installed to its own folder on the USB, but it also adds necessary information to config files on the JFFS partition to keep it running persistently.

Is the SSH terminal in the router or the pc?

You seem unfamiliar with what SSH is, so the easiest way to explain it is this. SSH'ing into a Linux machine (in this case your router) is the equivalent of using remote desktop to access another machine. The main difference is Linux uses a command-line interface.

Do I have to install it first?

To use Skynet it will need to be installed, yes, which is a very simple process. It also can be uninstalled just as easily to give you peace of mind. To install it, you need to issue the following command via SSH then follow the prompts;

Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh" -o "/jffs/scripts/firewall" && chmod +x /jffs/scripts/firewall && sh /jffs/scripts/firewall install
 
Thank you for the personalized and fast reply. The last question "Do I have to install it first?" was referring to SSH Terminal. I now understand I need to install PuTTY on my PC to remotely connect to the router. I wasn't sure if PuTTY could be installed and run on the router itself.

Also I didn't notice a response about JFFS but reading the rest tells me I need to enable it anyways if the script needs to be able to write local files as well. Besides, I will need it for AB Solution too.

Thanks again, I feel confident in what I'm doing now. Feel free to use this content for any "FAQ for noobs" links ;)
 
I don’t know if this’ll help or hinder you, but you might want to have a look at AMTM first
https://www.snbforums.com/threads/amtm-the-snbforum-asuswrt-merlin-terminal-menu-v1-2.42415/

If you install AMTM first, you could then install Skynet and the other software through the AMTM interface. And, once installed, to call it up, all you’d do is type amtm at the prompt once you’ve connected to your router via SSH.

Worth a look, anyway.

The questions you have are the basic ones we all have at first simply because once you’ve done it, you take it for granted. But until that stage, it’s just meaningless gobbledegook. I guess it’s like telling a learner driver to turn the ignition on: if no-one’s ever explained it to them, they’re probably surprised to learn it’s not just a place for the driver to hang their keys to avoid the discomfort of having them in their trouser pocket.
 
I'm all about making it easier as long as it doesn't have drawbacks. Thanks. I was currently configuring my router for JFFS and SSH and now I am about to go to the store to replace this horrible wireless keyboard I've been meaning to replace for years.... Nothing like being connected to PuTTY and your keyboard deciding it's disconnecting and refusing to reconnect.....
 
Adamm,

Is there a way to increase the size of the hashes in the script? To increase the number of IPs capable of being blocked? Also, since many of us are using larger USB drives, would it be possible to allow for the creation of a larger swap file?

Thanks,
J
 
Is there a way to increase the size of the hashes in the script? To increase the number of IPs capable of being blocked?

The current limits are already exceptionally large, 500,000 individual IPs and 200,000 CIDR ranges. If you are running into these limits you should re-evaluate what exactly you are blocking, as it's almost certain you are unnecessarily and/or inefficiently blocking things.

Also, since many of us are using larger USB drives, would it be possible to allow for the creation of a larger swap file?

Skynet doesn't force a size maximum for a swap file, it just allows convenient sizes to be created automatically (users are free to manually create a swap file of any size). I can't think of any use cases for swap files larger than 2GB on a router.

I'd be more than happy to see any real-world cases where either of these "soft" limits need to be increased and act accordingly then.
 
Have a look at the thread I created (largely for my own future use.) Ref: sig block. :)
 
Just about to ask about the 500,000, because recently the list went slightly over 500,000 and Skynet limited it... next day the number went back to 495k... lol..

Is 500k really big? Any implication if it were to be bigger? Performance-wise?
 
It's big in the sense that you probably have a significant amount of overlap between optimized lists, which use CIDR ranges, and other unoptimized lists, which list every IP individually.

Here's an example: 42.160.0.0/12 is a single CIDR entry from Skynet's default list. This one entry is equivalent to 1048576 IPs. I think it goes without saying which is faster for the system to make a match.

Now it's none of my business what people decide to block, but I do encourage people to do so efficiently to avoid potential stability issues. I suggest if you do have this many IPs blocked, use the data available from firehol and remove lists that are unnecessary. Firehol specifically has a table showing you what % of each list is blocked by other lists.
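
The overlap point made in the reply above, as an added example that is not part of the original post or of Skynet's own code: it measures what percentage of a per-IP list is already covered by a CIDR-based list, then checks the merged set against the limits quoted earlier in the thread. The sample lists and all function names are constructed for illustration, and it handles IPv4 only.

```python
import ipaddress

# Limits quoted in the thread: 500,000 individual IPs and 200,000 CIDR ranges.
MAX_SINGLE_IPS = 500_000
MAX_CIDR_RANGES = 200_000

def parse_list(lines):
    """Parse IPv4 addresses/CIDRs, ignoring comments, blanks and invalid tokens."""
    nets = []
    for line in lines:
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            nets.append(ipaddress.IPv4Network(token, strict=False))
        except ValueError:
            continue  # not an IPv4 address or range
    return nets

def collapse(nets):
    """Merge duplicates, adjacent ranges and entries already inside a wider range."""
    return list(ipaddress.collapse_addresses(nets))

def overlap_percent(nets, others):
    """Percentage of the address space in `nets` already covered by `others`."""
    nets, others = collapse(nets), collapse(others)
    total = sum(n.num_addresses for n in nets)
    covered = 0
    for n in nets:
        for o in others:  # quadratic scan; fine for a demonstration
            if n.overlaps(o):
                # CIDR blocks never partially overlap: one contains the other.
                covered += min(n.num_addresses, o.num_addresses)
    return 100.0 * covered / total if total else 0.0

def merged_stats(*lists):
    """Entry counts before and after merging all lists into one minimal set."""
    merged = collapse([n for nets in lists for n in nets])
    singles = sum(1 for n in merged if n.prefixlen == 32)
    ranges = len(merged) - singles
    return {
        "raw_entries": sum(len(nets) for nets in lists),
        "single_ips": singles,
        "cidr_ranges": ranges,
        "addresses_blocked": sum(n.num_addresses for n in merged),
        "within_limits": singles <= MAX_SINGLE_IPS and ranges <= MAX_CIDR_RANGES,
    }

# Constructed sample lists (not real feed data).
OPTIMIZED = parse_list(["42.160.0.0/12  # entry cited in the thread", "203.0.113.0/24"])
UNOPTIMIZED = parse_list([
    "42.160.0.1", "42.161.5.9", "42.175.255.255",  # all inside 42.160.0.0/12
    "198.51.100.7", "198.51.100.7",                 # duplicate entry
    "203.0.113.0/25", "not-an-ip",                  # subset of the /24, then junk
])

if __name__ == "__main__":
    pct = overlap_percent(UNOPTIMIZED, OPTIMIZED)
    print(f"unoptimized list already covered by optimized list: {pct:.1f}%")
    print(merged_stats(OPTIMIZED, UNOPTIMIZED))
```

With these sample lists, eight raw entries reduce to three after merging, and almost all of the per-IP list turns out to be redundant.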
 
*EDIT2 Alright, that was it. My mistake was not rebooting the router after enabling JFFS in the router options, but before beginning to install anything. Thanks for the patience. I got it all done now. Sorry for the thread spam.

*EDIT Okay I completely started back over, formatted ext2 on the USB, re-installing AMTM from scratch. Think I will reboot after installing that and make sure it works before doing anything else but I am still stuck with "How do I call up the AMTM GUI once the reboot has occurred without running the install script again?"

Okay I am stuck......formatted USB to ext2, with one primary partition using the entire 2GB. I then installed amtm and used it to install skynet (I think it did, it seemed to complete normally and return to AMTM menu) and then told it to install AB Solutions and told it to make a 512MB SWAP file and then during the check it said a -jffs format was pending and it failed the check and needed to reboot the router. So I told it to reboot. Now I don't know what to do. Is Skynet installed? How do I get the GUI for AMTM to show back up to finish installing AB Solutions?

I think I had never rebooted when I enabled JFFS on the router and then it formatted the JFFS partition when it rebooted, which probably erased whatever was done during the Skynet install routine, but there is still 500MB used on that USB stick so it made the SWAP file anyways.....

Sorry if this is the wrong thread but at this moment I am in a bad way and need a quick response as I am sorta stuck.....
 
Just re-run the installers if applicable, both Skynet and AB-Solution are smart enough to correct any issues with their respective installations.
 
Hi Adamm, I just installed Skynet and I have an issue with my syslog..... I'm using syslog-ng and kill the syslogd when it starts and create a link: ln -s /opt/var/log/messages /tmp/syslog.log
.... Seems that Skynet doesn't like this, and the effect I see is that syslog-ng stops showing in the web GUI once Skynet starts, although I see Skynet happily working in the messages log in the /var/log folder in Entware ....... I assume Skynet can't get its stats with this condition either.... any workaround possible?
 
Can't say I use syslog-ng myself, but the issue sounds like it's with syslog-ng, not Skynet. We access the file in a very standard way so I have a hard time seeing a point of failure on our end.
 
Make sure you don't turn on 'Format JFFS partition at next boot' in the router menu. This will wipe all your data from the JFFS partition. Looks like you'll have to do it all over again.
 
Is there a recommendation on which country codes to block? I noticed a lot of random noise coming from RU ASNs so that's the only one I am outright blocking right now.

Also, what is Skynet using for geoip lookup?

thanks!
 
I used to block RU CN AF (Russia, China, Afghanistan).
 
If you take a look at the firehol website they have a geo breakdown of every list which gives you a pretty good indication of hotzones. The only problem is you don't want to be too overzealous, as with the modern internet legitimate sites, CDNs and whatnot can be hosted basically anywhere.

Skynet's country lists are based on data from IPDeny, which is pretty much spot on for accuracy.
 
