
Skynet - Router Firewall & Security Enhancements


Which website did you choose to curl for geoip data? There’s a bunch of them out there. I’ve seen a few shut down and some others spring up. I stopped using them after someone online pointed out the risk of curl-ing any site, especially obscure ones, because they could send back malicious script and you’d never realise it. What’s your take on this?
Edit: using the MaxMind GeoIP database obviously would allow it to be done speedily without internet or potential security vulnerabilities of curling a third-party site. Plus they have lookup limits and block you if you hammer them.
With a little push from insomnia and boredom, I looked into this a little further. I was able to achieve the desired result without a third-party binary/database, but it came at a pretty extensive performance cost.

[screenshot]


The problem is to do this it requires a curl request for every listed entry. With the stat page this can mean hundreds of requests, which are slooooooooow. The best case scenario here increased total runtime on my AC86U from 6s => 20s which personally I don't find a good trade off. I'll see if adding this information makes sense in smaller use cases (individual IP lookup etc), but on the stat page as a whole it's just not worth it right now.
 
I stopped using them after someone online pointed out the risk of curl-ing any site, especially obscure ones, because they could send back malicious script and you’d never realise it. What’s your take on this?

What you’re referring to I believe is curl’ing a script then executing it via a pipe, as you have no chance to review what you just downloaded.

In this case all we are doing is essentially getting the plaintext version of a webpage and displaying the contents, at no time is there any sort of execution even in the highly unlikely scenario the URL was compromised.
 
Edit: using the MaxMind GeoIP database obviously would allow it to be done speedily without internet or potential security vulnerabilities of curling a third-party site. Plus they have lookup limits and block you if you hammer them.

In an ideal world having a local copy of the database and querying it would be the best solution. But to do so would require use of either a third-party binary or having to use their Ruby/Python API which as you can imagine adds significant overhead on an embedded device and adds a whole bunch of additional requirements and upkeep. I personally believe it doesn’t make sense in the scope of this project.
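The two points made in this exchange, that a fetched page is data unless you hand it to a shell, and that one request per listed entry is what makes the stat page slow, can be shown together. The following is an added illustration and is not Skynet's code: a lookup helper that checks the IP before it is placed in a URL, checks the reply against the one shape it expects (a two-letter country code), and caches results so an IP that appears twelve times in the stats costs one request. `GEOIP_URL` is a placeholder and not a recommendation of any provider.

```shell
#!/bin/sh
# Added example, not Skynet's code. The provider URL below is an assumed
# placeholder; real services and their URL formats are not taken from the thread.
GEOIP_URL="${GEOIP_URL:-https://geoip.example.invalid/country/}"
GEOIP_CACHE="${GEOIP_CACHE:-/tmp/geoip.cache}"
# Fixed locale so the [A-Z] pattern below means ASCII letters only.
LC_ALL=C; export LC_ALL

# Raw fetch, isolated so it can be swapped for another provider or a stub.
# The reply is capped at 16 bytes: a country code never needs more.
geoip_fetch() {
    curl -fsS --max-time 5 "${GEOIP_URL}$1" 2>/dev/null | head -c 16
}

# Accept only an uppercase two-letter country code. HTML error pages,
# injected text, lowercase or empty replies all collapse to "??".
sanitize_country() {
    _code=$(printf '%s' "$1" | tr -d '\r\n')
    case "$_code" in
        [A-Z][A-Z]) printf '%s\n' "$_code" ;;
        *)          printf '??\n' ;;
    esac
}

# Dotted-quad IPv4 check, so log-derived garbage never becomes part of a URL.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _n=0
    for _o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$_o" -le 255 ] || return 1
        _n=$((_n + 1))
    done
    [ "$_n" -eq 4 ]
}

# Look up one IP, serving repeats from the cache. Only the sanitized code is
# ever written to the cache, so a bad reply cannot be stored and replayed.
lookup_country() {
    valid_ipv4 "$1" || { printf '??\n'; return 0; }
    if [ -f "$GEOIP_CACHE" ]; then
        _hit=$(awk -v ip="$1" '$1 == ip { print $2; exit }' "$GEOIP_CACHE")
        if [ -n "$_hit" ]; then printf '%s\n' "$_hit"; return 0; fi
    fi
    _code=$(sanitize_country "$(geoip_fetch "$1")")
    printf '%s %s\n' "$1" "$_code" >> "$GEOIP_CACHE"
    printf '%s\n' "$_code"
}

# Usage: lookup_country 203.217.204.135
```

Swap `geoip_fetch` for whatever provider you actually use; the validation and caching do not depend on it. Because the reply only ever passes through `case` and `printf`, a compromised endpoint can at worst make every answer "??".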
 
I agree.

The scope of this project should be limited to saving structured logs that something else can pick up and run with...

Any old PC running Linux would probably do an amazing job.

Sent from my SM-G965F using Tapatalk
 
Newbie question (for my clarification).
Am I correct with the following: any router with no open ports and no port forwarding would stop all remote WAN traffic from coming into a router (ignoring exploits) except traffic that was 'requested' from inside the LAN.

After installing Skynet, and using a block list, and maybe a country block or two, I see many periodic syslog 'BLOCKED INCOMING' messages. Are they generic ones that would have been blocked anyway as they did not originate from inside the LAN, or are they only ones that Skynet blocks?

I understand the blocked outgoing ones are definitely Skynet, as that is a rogue process/device inside the LAN trying to connect to WAN IPs that are no longer allowed.

Thanks.
 
Try using the swap utilities built into Skynet, it _should_ be smart enough to figure it out. If not report back here with the output.

I tried deleting the path but as you can see it won't delete:

[screenshot]
 
I tried deleting the path but as you can see it won't delete:

That’s a funny looking Skynet :p. Please try with Skynet, that way I know exactly what’s going on based on the output.
 
That’s a funny looking Skynet :p. Please try with Skynet, that way I know exactly what’s going on based on the output.

Oh, oops lol
 
Newbie question (for my clarification).
Am I correct with the following: any router with no open ports and no port forwarding would stop all remote WAN traffic from coming into a router (ignoring exploits) except traffic that was 'requested' from inside the LAN.

After installing Skynet, and using a block list, and maybe a country block or two, I see many periodic syslog 'BLOCKED INCOMING' messages. Are they generic ones that would have been blocked anyway as they did not originate from inside the LAN, or are they only ones that Skynet blocks?

I understand the blocked outgoing ones are definitely Skynet, as that is a rogue process/device inside the LAN trying to connect to WAN IPs that are no longer allowed.

Thanks.

Bit of an open-ended question; a router can respond in a number of ways depending on the request and rules in place. Packets can be dropped, rejected, marked invalid or, in the event a service is exposed, give some sort of reply exposing a potential attack surface.

The modern internet has a lot of background noise, with a large majority being bots constantly probing for vulnerable devices. So all those blocked incoming packets are generally this. Skynet drops the connection at the earliest possible point.

As for the outgoing blocks, they are connections initiated from your LAN.
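The distinction in this answer, inbound blocks being mostly background noise while outbound blocks come from your own LAN, is the one that matters when reading the syslog. The following is an added illustration, not part of Skynet. The log lines are constructed for the example and do not reproduce Skynet's real syslog format; only the 'BLOCKED INCOMING' / 'BLOCKED OUTGOING' wording comes from the thread. It splits blocks by direction and ranks the outbound ones by LAN source and destination port, which is the view you want when deciding whether a block is a rogue device or a legitimate service (such as NTP on port 123) that needs whitelisting.

```shell
#!/bin/sh
# Added example, not Skynet's code. SAMPLE_LOG is constructed for illustration
# and is not Skynet's actual log format.
SAMPLE_LOG='Jan  1 00:00:01 router kernel: BLOCKED INCOMING SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP DPT=23
Jan  1 00:00:02 router kernel: BLOCKED INCOMING SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP DPT=445
Jan  1 00:00:03 router kernel: BLOCKED OUTGOING SRC=192.168.1.50 DST=203.217.204.135 PROTO=UDP DPT=123
Jan  1 00:00:04 router kernel: BLOCKED OUTGOING SRC=192.168.1.50 DST=211.233.84.186 PROTO=UDP DPT=123
Jan  1 00:00:05 router kernel: BLOCKED OUTGOING SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP DPT=6667
Jan  1 00:00:06 router kernel: BLOCKED INCOMING SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP DPT=22'

# Read log lines on stdin and print "INCOMING n" / "OUTGOING n".
# Inbound counts are the internet's background noise; outbound counts are
# the ones that deserve a look.
count_by_direction() {
    awk '/BLOCKED (INCOMING|OUTGOING)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "BLOCKED") { d[$(i + 1)]++; break }
         }
         END { for (k in d) print k, d[k] }' | sort
}

# For outbound blocks, print "count lan_src dst_port", busiest first, so a
# LAN host repeatedly reaching banned addresses on one port stands out.
outbound_by_source() {
    awk '/BLOCKED OUTGOING/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") c[src " " dpt]++
         }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Usage with the constructed sample (on a router you would feed it syslog):
#   printf '%s\n' "$SAMPLE_LOG" | count_by_direction
#   printf '%s\n' "$SAMPLE_LOG" | outbound_by_source
```

In the sample, 192.168.1.50 blocked twice on UDP/123 reads as a clock sync to a country-blocked NTP server, while 192.168.1.23 on TCP/6667 is the kind of entry worth investigating on the host itself.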
 
Thanks Adamm, been spending a bit of time on the analysis of the logs.
I have blocked countries ru kr kp ir cn.
My stats show tons of outgoing blocks to loads of pool.ntp.org IPs. I assume these are from blocked countries and I can whitelist this domain?

12x https://otx.alienvault.com/indicator/ip/203.217.204.135 - [asia.pool.ntp.org pool.ntp.org]
11x https://otx.alienvault.com/indicator/ip/211.233.84.186 - [pool.ntp.org]
11x https://otx.alienvault.com/indicator/ip/211.233.40.78 - [pool.ntp.org]
7x https://otx.alienvault.com/indicator/ip/185.105.186.198 - [pool.ntp.org]
5x https://otx.alienvault.com/indicator/ip/195.78.244.50 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/91.198.10.4 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/85.21.78.23 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/80.240.216.155 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/79.142.192.4 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/195.210.189.106 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/193.27.209.211 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/193.27.209.20 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/185.103.110.248 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/144.217.181.221 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/94.247.111.10 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/91.218.89.74 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/89.221.207.113 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/89.175.20.7 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/85.93.216.115 - [pool.ntp.org]
1x http://otx.alienvault.com/indicator/ip/85.21.78.91 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/79.142.192.130 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/78.140.251.2 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/46.173.6.142 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/195.78.244.34 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/193.27.208.100 - [pool.ntp.org]
 
Not sure if it helps anyone else, I am blocking

cn ru vn ua br kp

Only the Brazil block causes me any issues thus far. I see Microsoft traffic being dropped, but so far it's had no visible effect on functionality that I can pin down.

These are some of the top offenders according to AbuseIPDB

https://www.abuseipdb.com/statistics

I may try to block France, India, and Indonesia next.
 
A thing of absolute beauty - thank you @Adamm !
155808 IPs (+0) -- 1773 Ranges Banned (+0) || 2227 Inbound -- 2123 Outbound Connections Blocked!
 
I would whitelist pool.ntp.org domains because they are the time servers your devices (and router) sync their clock with. Not malicious at all.

Thanks Adamm, been spending a bit of time on the analysis of the logs.
I have blocked countries ru kr kp ir cn.
My stats show tons of outgoing blocks to loads of pool.ntp.org IPs. I assume these are from blocked countries and I can whitelist this domain?

12x https://otx.alienvault.com/indicator/ip/203.217.204.135 - [asia.pool.ntp.org pool.ntp.org]
11x https://otx.alienvault.com/indicator/ip/211.233.84.186 - [pool.ntp.org]
11x https://otx.alienvault.com/indicator/ip/211.233.40.78 - [pool.ntp.org]
7x https://otx.alienvault.com/indicator/ip/185.105.186.198 - [pool.ntp.org]
5x https://otx.alienvault.com/indicator/ip/195.78.244.50 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/91.198.10.4 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/85.21.78.23 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/80.240.216.155 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/79.142.192.4 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/195.210.189.106 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/193.27.209.211 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/193.27.209.20 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/185.103.110.248 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/144.217.181.221 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/94.247.111.10 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/91.218.89.74 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/89.221.207.113 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/89.175.20.7 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/85.93.216.115 - [pool.ntp.org]
1x http://otx.alienvault.com/indicator/ip/85.21.78.91 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/79.142.192.130 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/78.140.251.2 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/46.173.6.142 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/195.78.244.34 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/193.27.208.100 - [pool.ntp.org]
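Before whitelisting on the strength of a list like the one above, it helps to pull out exactly which blocked destinations resolve under the domain in question and how many hits they account for. The following is an added illustration, not part of Skynet: a small parser for the stats format quoted in the thread (`<count>x <OTX URL ending in the IP> - [<reverse-DNS names>]`). The sample input uses two of the quoted lines plus three constructed ones that must be rejected. The bracketed names are whatever PTR record the IP's owner published, so a match is a review hint, not proof that the host is a real NTP pool member.

```shell
#!/bin/sh
# Added example, not Skynet's code. The first two sample lines are quoted from
# the thread; the remaining three are constructed to exercise the rejections.
SAMPLE_STATS='12x https://otx.alienvault.com/indicator/ip/203.217.204.135 - [asia.pool.ntp.org pool.ntp.org]
7x https://otx.alienvault.com/indicator/ip/185.105.186.198 - [pool.ntp.org]
3x https://otx.alienvault.com/indicator/ip/198.51.100.7 - [mail.example.net pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/203.0.113.9 - [evilpool.ntp.org]
junk line that does not match the format'

# Read stats lines on stdin; print "count ip" (busiest first) for every line
# whose bracketed hostnames ALL sit at or under the given domain. A line with
# any name outside the domain is skipped, as is any line whose count or IP
# field does not have the expected shape.
candidates_under_domain() {
    awk -v dom="$1" '
        BEGIN { dom = tolower(dom); suffix = "." dom }
        $1 ~ /^[0-9]+x$/ && $2 ~ /\/ip\/[0-9.]+$/ {
            ip = $2; sub(/.*\/ip\//, "", ip)
            if (match($0, /\[[^]]*\]/) == 0) next
            names = substr($0, RSTART + 1, RLENGTH - 2)
            cnt = split(names, h, " ")
            if (cnt == 0) next
            ok = 1
            for (i = 1; i <= cnt; i++) {
                n = tolower(h[i])
                # exact match on the domain, or a suffix match on ".domain";
                # plain string comparison so "evilpool.ntp.org" is not accepted
                if (n != dom && substr(n, length(n) - length(suffix) + 1) != suffix)
                    ok = 0
            }
            if (ok) { c = $1; sub(/x$/, "", c); print c, ip }
        }' | sort -rn
}

# Sum the hit counts of the candidates, to show how much of the outbound
# block total a single whitelist entry would explain.
candidate_hits() {
    candidates_under_domain "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Usage:
#   printf '%s\n' "$SAMPLE_STATS" | candidates_under_domain pool.ntp.org
#   printf '%s\n' "$SAMPLE_STATS" | candidate_hits pool.ntp.org
```

The suffix test is a plain string comparison rather than a regex so that look-alike names such as `evilpool.ntp.org` are not treated as part of `pool.ntp.org`; the mixed line with `mail.example.net` is dropped because one of its names falls outside the domain.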
 
Is there a way to tell that Skynet is running? I tried to set a ban on some countries but got a message that Skynet was not running. On a router reboot, is there an autostart script somewhere that should have run but maybe did not?
 
Is there a way to tell that Skynet is running? I tried to set a ban on some countries but got a message that Skynet was not running. On a router reboot, is there an autostart script somewhere that should have run but maybe did not?

Please post the output of:

Code:
sh /jffs/scripts/firewall debug info
 
Is there a way to tell that Skynet is running? I tried to set a ban on some countries but got a message that Skynet was not running. On a router reboot, is there an autostart script somewhere that should have run but maybe did not?

Also, how can I tell if the countries I am trying to block really are blocked? Will they show up in the blacklist list?
 
Also, how can I tell if the countries I am trying to block really are blocked? Will they show up in the blacklist list?

They will show up in the command above and I will also be able to use the output to diagnose your situation.
 