Skynet - Router Firewall & Security Enhancements
@MarCoMLXXV ... Thanks for the note and help, iTranslate works now as usual.

@Adamm ... Forgive my (noob) question, but is it useful / necessary to run Skynet every hour?
 
but is it useful / necessary to run Skynet every hour?

Yes. Every hour all it's really doing is saving the current lists and printing current stats, which has minimal impact on the router. IPSets are stored in RAM, so if we didn't save them, changes would be lost upon reboot / service restarts (this includes things like autobans).
 
Thanks for your work on this! It's definitely a very useful add-on for my router, and I love the name - hopefully it won't kill us... ;) I had a couple of questions about current functionality and future development or features:

1.) Will you be enhancing the menuing in the future to make things a little more user friendly? (kinda like the magic that AB-Solution uses?)
2.) Is there a way to figure out which countries I have added to the country ban list?
3.) Is there a way to just remove one country without removing them all, and having to re-add them?
4.) Is there an easy way to find out if all lists are up-to-date? Or if I enabled the banmalware option in the past, to make sure it's still active?
5.) When autobans are issued, what causes an autoban, and are they saved in a table so that they survive a reboot?

Thank you!
 
While I would not go as far as requesting @Viktor Jaep's #1 suggestion for Skynet, I have one gripe with the current interactive menu: there's a 'disable' switch but the 'enable' is glaringly missing. It would make sense to add it.
 
1.) Will you be enhancing the menuing in the future to make things a little more user friendly? (kinda like the magic that AB-Solution uses?)

I'm always open to suggestions

2.) Is there a way to figure out which countries I have added to the country ban list?

In the upcoming version (5.1) every ban will make use of the comment feature. So all country bans will be entered with the comment "Country: xx". I'll use this data to do just that in one way or another.

3.) Is there a way to just remove one country without removing them all, and having to re-add them?

No, and this is somewhat done on purpose: every time the banmalware and ban country commands are used, Skynet will delete any old entries added by these commands. The reason for this is that these lists are dynamic and change every so often (in the case of banmalware it's compiled from 29 unique lists, with some getting updated every 30 minutes).

I may look into changing functionality on the ban country command to "remember" your previous entries, but no promises!

4.) Is there an easy way to find out if all lists are up-to-date? Or if I enabled the banmalware option in the past, to make sure it's still active?

Easy way? Not really. Technically it's possible: every entry in filter.list has the time it was last updated in the header under "Source File Date". But there's almost guaranteed to be some sort of change in one of these lists every hour or so, so the functionality is not really worthwhile.

5.) When autobans are issued, what causes an autoban, and are they saved in a table so that they survive a reboot?

Anything with an INVALID packet state picked up by the router's built-in SPI firewall (that isn't on HTTP(S) or mail ports), or anything that tries to brute force the SSH port.

While I would not go as far as requesting @Viktor Jaep's #1 suggestion for Skynet, I have one gripe with the current interactive menu: there's a 'disable' switch but the 'enable' is glaringly missing. It would make sense to add it.

There is an undocumented "start" command (which can be easily broken down by looking at the install function for anyone who loves to tinker), but I was running into the issue that users would run this manually, causing Skynet to start up with incorrect boot args (not pointing to the USB location etc.), so I removed it to try to prevent that from happening.

There is still the "debug restart" command which I recommend using after using disable.
 
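The post above says SSH brute-force attempts trigger an autoban but does not show how they are matched. The following is an added example, not Skynet's own code: it assumes dropbear-style syslog lines (constructed below, not captured traffic), counts failed logins per source address, and reports sources at or above a threshold as ban candidates. The INVALID-state half of the autoban is an iptables conntrack rule and is not modelled here.

```shell
# Added example, not Skynet's own code. The post above says SSH brute-force
# attempts trigger an autoban but does not show how they are matched, so this
# is an assumed approach: count failed logins per source in dropbear-style
# syslog lines and report sources at or above a threshold.
sample_ssh_log() {
    # Constructed log lines in dropbear's message format; not real traffic.
    cat <<'EOF'
Jul 22 10:01:05 router dropbear[1201]: Child connection from 203.0.113.5:51234
Jul 22 10:01:07 router dropbear[1201]: Bad password attempt for 'root' from 203.0.113.5:51234
Jul 22 10:01:09 router dropbear[1201]: Bad password attempt for 'root' from 203.0.113.5:51234
Jul 22 10:01:12 router dropbear[1203]: Login attempt for nonexistent user from 203.0.113.5:51240
Jul 22 10:01:14 router dropbear[1203]: Bad password attempt for 'admin' from 203.0.113.5:51240
Jul 22 10:02:30 router dropbear[1210]: Bad password attempt for 'admin' from 198.51.100.7:40010
Jul 22 10:02:33 router dropbear[1210]: Bad password attempt for 'admin' from 198.51.100.7:40010
Jul 22 10:03:01 router dropbear[1215]: Password auth succeeded for 'admin' from 192.168.1.20:55012
EOF
}

# Read syslog lines on stdin and print "address count" for every source with
# at least $1 failed logins (default 3). Successful logins do not count.
ssh_autoban_candidates() {
    awk -v limit="${1:-3}" '
        /dropbear\[[0-9]+\]: (Bad password attempt|Login attempt for nonexistent user)/ {
            src = $NF                 # last field is address:port
            sub(/:[0-9]+$/, "", src)  # drop the source port
            fails[src]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print ip, fails[ip]
        }' | sort
}

# Demonstration on the constructed log: only 203.0.113.5 reaches three failures.
sample_ssh_log | ssh_autoban_candidates 3
```

On a router you would feed the real syslog on stdin instead of the sample, and whatever consumes the output must never add your own LAN or management addresses to the blacklist, so keep a whitelist check in front of the actual ipset add.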
In the upcoming version (5.1) every ban will make use of the comment feature.
Are you going to do a test to maintain backwards compatibility? It may be a while before it's generally available across the board.

@RMerlin - There are 8 commits for this support in my current repo.....all contain the string ipset_arm (7 with it at the beginning of the line, and one I messed up and listed it as kernel). Or I uploaded them to the 'patch' share I've used before to send you patches.
 
Are you going to do a test to maintain backwards compatibility? It may be a while before it's generally available across the board.

I currently have a branch with these changes; there is a simple check in place so that Skynet won't start unless it detects the following, which is only present in the new version:

Code:
/lib/modules/*/kernel/net/netfilter/ipset/ip_set_hash_ipmac.ko

That being said, backwards compatibility unfortunately won't be on the cards, but I will most likely tag a release before I merge the new branch when the features go live on both your and RMerlin's end.
 
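The startup check described above, written out as an added example (not Skynet's own code): it looks for ip_set_hash_ipmac.ko under /lib/modules and refuses to continue when it is absent. The optional root-directory argument is a hypothetical addition so the check can be exercised against a constructed directory tree; the kernel directory name used in the test is likewise constructed.

```shell
# Added example, not Skynet's own code. The post above gates startup on the
# presence of ip_set_hash_ipmac.ko, a module only the newer ipset build ships.
# The optional first argument (a hypothetical test root) lets the check run
# against a constructed directory tree instead of the router's real /lib.
has_ipset_ipmac_module() {
    root="${1%/}"
    # A glob that matches nothing stays a literal string in sh, and more than
    # one kernel directory would expand to more than one word; test each
    # expansion with -f instead of passing the pattern straight to [ ].
    for ko in "$root"/lib/modules/*/kernel/net/netfilter/ipset/ip_set_hash_ipmac.ko; do
        if [ -f "$ko" ]; then
            echo "$ko"
            return 0
        fi
    done
    return 1
}

# Startup guard in the spirit of the post: refuse to continue on firmware
# whose ipset cannot store comments.
skynet_startup_guard() {
    if has_ipset_ipmac_module "$1" >/dev/null; then
        echo "ipset comment support detected"
        return 0
    fi
    echo "ip_set_hash_ipmac.ko not found; this Skynet version needs newer firmware" >&2
    return 1
}

# Run against the live system when executed on the router itself.
skynet_startup_guard
```

The reason for looping over the expansion rather than writing `[ -f /lib/modules/*/.../ip_set_hash_ipmac.ko ]` is that an unmatched glob is passed to `[` as the literal pattern, which fails quietly, while two kernel directories would make `[` choke on extra arguments.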
@RMerlin - There are 8 commits for this support in my current repo.....all contain the string ipset_arm (7 with it at the beginning of the line, and one I messed up and listed it as kernel). Or I uploaded them to the 'patch' share I've used before to send you patches.

Thanks, I'll take a look.
 
I have just set Skynet up on my router. Does it look OK?

Router Model: Router-1
Skynet Version: v5.0.7 (21/07/2017)
iptables v1.4.14 - (eth0)
ipset v6.32, protocol version: 6
FW Version: 380.67_0 (Jul 16 2017)
Install Dir; /jffs (64.0M Space Available)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate
Install Dir Writeable
Startup Entry Detected
Cronjobs Detected
Autobanning Enabled
Debug Mode Disabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
BlockedRanges IPTable Detected
Blacklist IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet: [Complete] 133456 IPs / 2243 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1 Inbound / 0 Outbound Connections Blocked! [2s]
 
Installed yesterday, all looks good on my ac56u. Thank you for this superb work.

Router Model: Router-Cristi
Skynet Version: v5.0.7 (21/07/2017)
iptables v1.4.14 - (ppp0)
ipset v6.29, protocol version: 6
FW Version: 374.43_2-25E8j9527 (Jun 27 2017)
Install Dir; /jffs (64.0M Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate
Install Dir Writeable
Startup Entry Detected
Cronjobs Detected
Autobanning Enabled
Debug Mode Enabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
BlockedRanges IPTable Detected
Blacklist IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet: [Complete] 17 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 64 Inbound / 1137 Outbound Connections Blocked! [1s]
 
I'm always open to suggestions

Really appreciate the feedback and reply, Adamm... looking forward to your next release! Keep up the great work!
 
Hmmm....

I had to disable Skynet - it was a bit like an open hole in my system from time to time. Hard to say why, but what I can say is that TOR blocking did not work, nor country blocking. It got to a point where I decided to reboot every night just to make damn sure I had a fresh everything, so to speak. I would love to be able to share what is wrong, if I could only say what. My AC88 works now again with my old firewall extension solution (a very close version to Skynet, just a bit less user-friendly). Anyway, what triggered this was a number of events that slowed my network down, and all of a sudden a host named "AKILLES" (anyone with Greek mythology in their mind will figure out that I got hacked somehow) - which really does not exist in my own network....

I hope that I can - somehow - figure out what the h*ll happened, but for now I will use my own old version to get this stable.
 
I have now pushed Skynet v5.1.0

This will require MerlinWRT v380.68_alpha2 (or newer) or John's Fork V26E3 (or newer). Here are some of the changes:

Halve required IPTables rules and calculations
Optimized whitelisting shared domains
Optimize sed commands
More accurate boot arg printing
Show ban reason when using ( stats search ip xxx.xxx.xxx.xxx )
Better IPSet save management to prevent accidental loss of blacklists
More accurate entry removal
Try to prevent cases where Skynet loads too fast and manipulates IPTables rules before they are flushed for a second time by the router (TL;DR: fewer startup problems)

And finally the big change is Skynet has been rewritten so all entries now support comments. Whenever Skynet adds entries to either a Black or Whitelist it will have a comment associated with where it came from (for manual entries this is user defined, the example command list will be updated accordingly). No more wondering why something is on your Whitelist or Blacklist!

To update, please first install MerlinWRT v380.68_alpha2 (or newer) or John's Fork V26E3 (or newer). Then follow the normal Skynet update procedure by running ( sh /jffs/scripts/firewall update )


Note: If users wish to take full advantage of the new comment benefits, unfortunately there is no way to convert old entries. Skynet will try to do this for banmalware and bancountry entries the next time those commands are run; unfortunately the rest will be left without comments. If you are in the position to and wish to take advantage of these features for all your entries, I suggest flushing your Whitelist and Blacklist after updating.
 
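An added example, not Skynet's own code, tying together the comment feature announced in the release above and the hourly save discussed earlier in the thread: it builds an `ipset restore` batch whose entries each carry a reason as a comment (the form an hourly `ipset save` would preserve across reboots), and looks up the reason for a banned address the way the new `stats search ip` output would. The set name Blacklist is taken from the status output posted earlier; the addresses and reasons are constructed, and entries without a comment (pre-5.1 entries, per the note above) are handled explicitly.

```shell
# Added example, not Skynet's own code: the comment extension the release
# above introduces, in the form an hourly 'ipset save' would preserve across
# reboots. Set name Blacklist is taken from the status output earlier in the
# thread; the addresses and reasons below are constructed.
sample_blacklist() {
    # address<TAB>reason, one entry per line
    printf '%s\t%s\n' \
        203.0.113.5  'Country: CN' \
        198.51.100.7 'Manual ban: constructed example' \
        192.0.2.9    'banmalware: constructed list'
}

# Turn "address<TAB>reason" records on stdin into an 'ipset restore' batch
# whose entries carry their reason as a comment. $1 is the set name.
ipset_restore_batch() {
    printf 'create %s hash:ip family inet comment\n' "$1"
    awk -F '\t' -v set="$1" '
        NF >= 2 {
            gsub(/"/, "", $2)   # comments are double-quoted; strip embedded quotes
            printf "add %s %s comment \"%s\"\n", set, $1, $2
        }'
}

# Look up why an address ($1) is banned, reading a saved set (output of
# 'ipset save', or the batch above) on stdin. Entries written before the
# comment feature have no reason; return non-zero if the address is absent.
ban_reason() {
    awk -v ip="$1" '
        $1 == "add" && $3 == ip {
            found = 1
            if (match($0, / comment "/)) {
                reason = substr($0, RSTART + 10)   # text after the opening quote
                sub(/"$/, "", reason)
            } else {
                reason = "(no comment)"
            }
            print reason
        }
        END { exit found ? 0 : 1 }'
}

# Demonstration: build the batch, then ask why 203.0.113.5 is listed.
sample_blacklist | ipset_restore_batch Blacklist
sample_blacklist | ipset_restore_batch Blacklist | ban_reason 203.0.113.5
```

On the router the batch would be loaded with `ipset -! restore` (the `-!` flag makes re-adding an existing set or entry harmless), and the lookup would read `ipset save Blacklist` rather than the generated batch.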
Installed and testing, thank you! :D
 