Skynet Skynet - Router Firewall & Security Enhancements

[MarCoMLXXV]

Is anyone using this? I get the following error:

Skynet: [ERROR] 404 Error Detected - Stopping Import

Not using it myself, but when I enter

https://www.dan.me.uk/torlist/

I don't get a 404, but a list of IP-addresses. Not sure what the added

?exit

should do, as opening the full url

https://www.dan.me.uk/torlist/?exit

in my brower, returns a message:

Umm... You can only fetch the data every 30 minutes - sorry. It's pointless any faster as I only update every 30 minutes anyway.
If you keep trying to download this list too often, you may get blocked from accessing it completely.
(this is due to some people trying to download this list every minute!)

So either you've tried too many times and should retry in 30 minutes, or check for typos or hope you haven't been banned as mentioned in the messages above... I couldn't get a 404, but maybe that just the way Skynet handles errors, which can be answered by @Adamm.

What is this for list anyway, to satisfy my own curiousity?

 

[Adamm]

Is anyone using this? I get the following error:

Skynet: [ERROR] 404 Error Detected - Stopping Import

Yeah sorry thats my bad, I didn't realise that particular host has so much spam protection. Use this instead;

sh /jffs/scripts/firewall import https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1

What is this for list anyway, to satisfy my own curiousity?

To block TOR usage from my understanding (which malware uses for anonymity occasionally), but I personally don't bother. Each to their own

 

[gLWxSJeSsEA]

Thanks!

I actually use Tor occasionally, but it's through a VPN (VPN->Tor), so I figure there is no good reason for Tor exit traffic to directly contact my home router.

 

[MarCoMLXXV]

Yeah sorry thats my bad, I didn't realise that particular host has so much spam protection. Use this instead;

sh /jffs/scripts/firewall import https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1

Thanks for the clarification @Adamm. I read some more info regarding the list mentioned earlier (in the post where I responded to), which is apparantly updated every 30 minutes. Does the same apply to the url you posted? Would a single import suffice or do these 'Tornodes' change so frequently that it's better to add the command you posted to crontab for periodical (hourly, daily, or ...) importing?

 

[gLWxSJeSsEA]

Thanks for the clarification @Adamm. I read some more info regarding the list mentioned earlier (in the post where I responed to), which is apparantly updated every 30 minutes. Does the same apply to the url you posted? Would a single import suffice or do these 'Tornodes' change so frequently that it's better to add the command you posted to crontab for periodical (hourly, daily, or ...) importing?

The Torproject list contains all exit nodes that were active in the preceding 16h. Personally, I've set a daily cron job to update the blocklist, since Tor exits are quite volatile.

 

[MarCoMLXXV]

The Torproject list contains all exit nodes that were active in the preceding 16h. Personally, I've set a daily cron job to update the blocklist, since Tor exits are quite volatile.

So, if I wanted to import the list hourly with a cronjob, I would need something like this...

cru a  BlockTorNodes "0 * * * * sh /jffs/scripts/firewall import https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"

and add it to crontab with a startup script?

To which startup script should I add it? To firewall-start preceeded with 

[code]
sleep 240

... to make sure Skynet is up and running?

Or would 45 * * * * be better, to prevent interference with the Skynet hourly firewall save?

(It's early here, so please feel free to correct me if none of this makes any sense. I'm still learning )

 

[Bamsefar]

Since I am the one suggesting "https://www.dan.me.uk/torlist/?exit" - I have no problem with it, however I do not update that list that frequent - I see no use for every hour. So anyone with that tight update schema, could you explain why I would need to update that list that often? Never mind that more or less no site updates the TOR lists that frequent...?

 

[Adamm]

So, if I wanted to import the list hourly with a cronjob, I would need something like this...

The list its-self is only updated every 16 hours at minimum, so once a day (or a week) would be more than sufficient.

To which startup script should I add it? To firewall-start preceeded with

Ideally you would want to put it in something like services-start, but the overhead is so minor you can just append it to firewall-start. To update every monday at 2:45am add only this line to the end of firewall-start;

cru a BlockTorNodes "45 2 * * 1 sh /jffs/scripts/firewall import https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"

Since I am the one suggesting "https://www.dan.me.uk/torlist/?exit" - I have no problem with it, however I do not update that list that frequent - I see no use for every hour. So anyone with that tight update schema, could you explain why I would need to update that list that often? Never mind that more or less no site updates the TOR lists that frequent...?

The second list posted is maintained by the official TOR website so I assume its more accurate/updated. But I agree, there is definetely no need to pull the list at such frequent intervals, every few days at most I think would be more than sufficient.

 

[MarCoMLXXV]

Thanks gentlemen, I read in the description that the server replied with that it was automatically updated every 30 minutes, hence my hourly suggestion. But if daily will do just as well, I'll stick to that. The less frequent, the better.

 

[TheUntouchable]

Just a quick question:

Why can't I unban that IP or why is it blocked?

Top 10 Blocks (Outbound);
3795x https://otx.alienvault.com/indicator/ip/85.93.7.12

Unbanning 85.93.7.12
ipset v6.32: Element cannot be deleted from the set: it's not added
Saving Changes

EDIT: Okay I see, its a range not a IP:

85.93.7.12 is in set BlockedRanges.

So whitelisting is the right way..?

 

[Adamm]

Just a quick question:

Why can't I unban that IP or why is it blocked?

Top 10 Blocks (Outbound);
3795x https://otx.alienvault.com/indicator/ip/85.93.7.12

Unbanning 85.93.7.12
ipset v6.32: Element cannot be deleted from the set: it's not added
Saving Changes

If you do;

sh /jffs/scripts/firewall stats search ip 85.93.7.12

You will see;

85.93.7.12 is NOT in set Whitelist.
85.93.7.12 is NOT in set Blacklist.
85.93.7.12 is in set BlockedRanges.

So we can assume its not the single IP banned, but the range. So then we check;

sh /jffs/scripts/firewall stats search malware 85.93.7.12

Nothing... So lets expand our net to cover bigger subnets.

sh /jffs/scripts/firewall stats search malware 85.93.0.0

sh /jffs/scripts/firewall stats search malware 85.93.0.0

85.93.0.0/24 Found In https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_drop.netset
85.93.0.0/24 Possible CIDR Match In https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_drop.netset
85.93.0.0/18 Found In https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms1.netset
85.93.0.0/18 Possible CIDR Match In https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bbcan177_ms1.netset
85.93.0.0/24 Found In https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_block.netset
85.93.0.0/24 Possible CIDR Match In https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/et_block.netset

Bingo, we found our culprit.

 

[TheUntouchable]

Yeah, I already found that out, but thanks a lot for that step by step guide
Funnily this is blocking an ntp server.. So I have to whitelist that address till its removed from the blocklist

 

[thelonelycoder]

Small typo at line 460, using ; instead of:
echo "Warning! This May Have Blocked Your Favorite Website. To Unblock It Use; ( sh $0 whitelist domain URL )"

 

[Bamsefar]

It's to bad one can not do this in the opposit direction: Block everything and then open up each and every IP / Domain / Country that I would like...

My current coutryblocklist is a bit large:

af al dz as ad ao ai ag ar am aw az bs bh bd bb by bz bj bm bt bo ba bw br io bn bg bf bi kh cm cv ky cf td cl cn co km cg cd ck cr ci hr cu cy cz dj dm do ec eg sv gq er ee et fo fj gf pf ga gm ge gh gi gl gd gp gu gt gn gw gy ht va hn hu is in id ir iq il jm je jo kz ke ki kp kr kw kw kg la lv lb ls lr ly lt mo mk mg mw my mv ml mt mh mq mr yt mx fm md mn me ms ma mz mm na nr np nc ni ne ng nu nf mp om pk pw ps pa pg py pe ph pl pr qa re ro ru rw kn lc pm vc ws sm st sa sn rs sc sl sg sk si sb so za lk sd sr sz sy tw tj tz th tl tg tk to tt tn tr tm tc tv ug ua ae uy uz vu ve vn vg vi wf ye zm zw

 

[thelonelycoder]

It's to bad one can not do this in the opposit direction: Block everything and then open up each and every IP / Domain / Country that I would like...

My current coutryblocklist is a bit large:

af al dz as ad ao ai ag ar am aw az bs bh bd bb by bz bj bm bt bo ba bw br io bn bg bf bi kh cm cv ky cf td cl cn co km cg cd ck cr ci hr cu cy cz dj dm do ec eg sv gq er ee et fo fj gf pf ga gm ge gh gi gl gd gp gu gt gn gw gy ht va hn hu is in id ir iq il jm je jo kz ke ki kp kr kw kw kg la lv lb ls lr ly lt mo mk mg mw my mv ml mt mh mq mr yt mx fm md mn me ms ma mz mm na nr np nc ni ne ng nu nf mp om pk pw ps pa pg py pe ph pl pr qa re ro ru rw kn lc pm vc ws sm st sa sn rs sc sl sg sk si sb so za lk sd sr sz sy tw tj tz th tl tg tk to tt tn tr tm tc tv ug ua ae uy uz vu ve vn vg vi wf ye zm zw

You are blocking 202 countries, it might indeed be simpler to only allow the few remaining ones
Glad to find ch is not part of it

 

[Henrik!]

I wonder if it would be possible to set up a notification when outbound connections is blocked?

 

[eclp]

First and again thanks for the great tool! Obviously, it works very well and error-free. Still, I still have a question. When Skynet is disabled "iTranslate" for iOS works perfect, it is activated iTranslate no longer works. How can I find out what I need to change in Skynet? This problem I had previously also with Martineau's version as well as with redhat27's script (both uninstalled).

Would be grateful for any help or idea.

 

[MarCoMLXXV]

First and again thanks for the great tool! Obviously, it works very well and error-free. Still, I still have a question. When Skynet is disabled "iTranslate" for iOS works perfect, it is activated iTranslate no longer works. How can I find out what I need to change in Skynet? This problem I had previously also with Martineau's version as well as with redhat27's script (both uninstalled).

Would be grateful for any help or idea.

To find out what IP is/are being blocked which prevent iTranslate from functioning, you'll need to follow the instructions in the 'Halp - BestApp.exe or BestWebsite.com Is Being Blocked;'-section in the first post. Try to minimize as much other network traffic as possible (no gaming kids etcetera) and the IP(s) you'll need to whitelist can be found (rather) easily. You'll only have to whitelist them once, after that iTranslate will work properly with Skynet activated.

 

[Adamm]

Some fun updates in the pipelines, working with john to debug/test some new IPSet features like the comment extension. Assuming all goes well, this means we will be able to add custom messages to each entry (and all automatic entries) and have a much easier time finding why/when IP's were added to each list. I have a few other ideas too so keep posted

 

[MarCoMLXXV]

Sounds promising! Curious to see what kind of magic you will bring us

Ps. While working with John could you remind him gently that I'm still hoping for his LTS fork to work with the later revisions of the RT-AC68U?