Skynet - Asus Firewall Addition (Dynamic Malware/Country/Manual IP Blocking)

Discussion in 'Asuswrt-Merlin' started by Adamm, Apr 16, 2014.

  1. skeal

    skeal Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    304
    Location:
    Moose Jaw Saskatchewan Canada
    This is what it should look like after fresh skynet install.
     


  2. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    What is the output of the following;

    Code:
    ls /lib/modules/


    Yes, Skynet requires this setting and will force it to on.
     
  3. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,220
    Location:
    Canada
    That's the userspace part, which isn't included in Asuswrt. I just didn't have to apply any kernel patches since the modules were already in the kernel source tree.
     
  4. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    4,706
    Location:
    United States
    Ahhh...got it now :oops:

    So back to my previous post...probably some changes required...
     
  5. iManuB

    iManuB Occasional Visitor

    Joined:
    Apr 24, 2017
    Messages:
    36
    Thanks!

    Thanks, Adamm. I'll keep it ON!
    I did not think it would work with Skynet. Thanks again
     
    Adamm likes this.
  6. Raphie

    Raphie Occasional Visitor

    Joined:
    Sep 19, 2017
    Messages:
    27
    Here you go
    Code:
    ASUSWRT-Merlin RT-AC5300 380.68-4 Wed Oct  4 19:03:28 UTC 2017
    [email protected]:/tmp/home/root# ls /lib/modules/
    2.6.36.4brcmarm
    [email protected]:/tmp/home/root#
    
    So I need
     
  7. Jan Adelsson

    Jan Adelsson Occasional Visitor

    Joined:
    Oct 8, 2017
    Messages:
    10
    I have the same problem as Raphie.

    Code:
    ASUSWRT-Merlin RT-AC68U 380.68-4 Wed Oct  4 19:01:14 UTC 2017
    [email protected]:/tmp/home/root# ls /lib/modules/
    2.6.36.4brcmarm
    [email protected]:/tmp/home/root# sh /jffs/scripts/firewall install
    #!/bin/sh
    #############################################################################################################
    #         _____ _                     _           _____     #
    #       / ____| |                   | |         | ____|     #
    #       | (___ | | ___   _ _ __   ___| |_  __   _| |__      #
    #       \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /___ \     #
    #       ____) |   <| |_| | | | |  __/ |_   \ V / ___) |     #
    #       |_____/|_|\_\\__, |_| |_|\___|\__|   \_/ |____/     #
    #                     __/ |                                 #
    #                   |___/                                  #
    #     #
    ## - 08/10/2017 -   Asus Firewall Addition By Adamm v5.2.3     #
    ##   https://github.com/Adamm00/IPSet_ASUS     #
    #############################################################################################################

    ##############################
    ###   Commands   ###
    ##############################
    #   "unban"     # <-- Remove From Blacklist (IP/Range/Domain/Port/Comment/Country/Malware/Autobans/Nomanual/All)
    #   "ban"     # <-- Adds Entry To Blacklist (IP/Range/Domain/Port/Country)
    #   "banmalware"     # <-- Bans Various Malware Domains
    #   "whitelist"        # <-- Add Entry To Whitelist (IP/Range/Domain/Port/Remove/Refresh/List)
    #   "import"     # <-- Bans All IPs From URL
    #   "deport"     # <-- Unbans All IPs From URL
    #   "save"     # <-- Save Blacklists To ipset.txt
    #   "disable"     # <-- Disable Firewall
    #   "update"     # <-- Update Script To Latest Version (check github for changes)
    #   "debug"     # <-- Debug Features (Restart/Disable/Watch/Info)
    #   "stats"     # <-- Show/Search Stats Of Banned IPs (Requires debugging enabled)
    #   "install"          # <-- Install Script (Or Change Boot Args)
    #   "uninstall"        # <-- Uninstall All Traces Of Skynet
    ##############################

    Skynet: [ERROR] IPSet Extensions Not Enabled - Please Update To 380.68 / V26E3 Or Newer Firmware
    [email protected]:/tmp/home/root#
     
     
    Last edited: Oct 8, 2017
  8. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    Sorry silly mistake on my end, I used "or" instead of "and" in my installer code, I pushed a fix.
     
    Jan Adelsson and alexandro like this.
  9. Butterfly Bones

    Butterfly Bones Occasional Visitor

    Joined:
    Apr 10, 2017
    Messages:
    38
    I've been watching Skynet closely learning and checking what gets blocked and banned to educate myself. (I'm an old guy with no computer pro background, all self taught. In my life I was mid-30's before anyone had home computers.)

    I've seen two or three updates as you tweak and fix things (thank you very much) but this seems odd behavior that is not consistent between three different views. I'm up to date.
    09/10/2017 - Asus Firewall Addition By Adamm v5.2.4

    Most of the time I have a terminal open using "firewall debug watch" to see. Over a couple hours nothing showed in that terminal.
    Code:
    Watching Logs For Debug Entries (ctrl +c) To Stop
    ^C
    During that time period of about two hours these showed in the router syslog:
    Code:
    Oct  8 17:56:01 Skynet: [Complete] 571 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 19 Inbound / 17 Outbound Connections Blocked! [4s]
    Oct  8 18:00:01 Skynet: [Complete] 572 IPs / 0 Ranges Banned. 1 New IPs / 0 New Ranges Banned. 19 Inbound / 17 Outbound Connections Blocked! [1s]
    Then I ran "firewall stats" in the terminal and found these new entries during the time period.
    Code:
    Last 10 Autobans;
    
    https://otx.alienvault.com/indicator/ip/72.166.126.32
    https://otx.alienvault.com/indicator/ip/23.215.102.137
    https://otx.alienvault.com/indicator/ip/23.215.102.163
    I've been checking these three views since I installed Skynet on my AC-68U five days ago, and all showed the same items banned or blocked if I remember, but with the update today to v.5.2.4 I see the above. Am I not remembering correctly on these views or is something changed?
     
  10. Raphie

    Raphie Occasional Visitor

    Joined:
    Sep 19, 2017
    Messages:
    27
    Works. Ow ThnX!
    I had to install a 2nd time enabling debugging for “stats” to work (I misread). Will these logs be periodically cleaned? Or will they just grow into eternity?

    Curious to see who’s reaching out to me :)
    Just to be clear, this tool will not gradually shut down regular traffic initiated by family surfing behaviour, bittorrent etc? So that with every wan port connection the wan IP gets autobanned? It’s really only unsolicited port scan attempts, correct?
     
  11. Raphie

    Raphie Occasional Visitor

    Joined:
    Sep 19, 2017
    Messages:
    27
    things look ok now I think?

    just no autobans yet
    Code:
    Router Model; RT-AC5300
    Skynet Version; v5.2.4 (09/10/2017)
    iptables v1.4.14 - (eth0)
    ipset v6.32, protocol version: 6
    FW Version; 380.68_4 (Oct 4 2017)
    Install Dir; /tmp/mnt/AB-Solution/skynet (963.7M Space Available)
    Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/AB-Solution
    Install Dir Writeable
    Startup Entry Detected
    No Lock File Found
    Cronjobs Detected
    IPSet Supports Comments
    Level 5 Messages Will Be Logged
    Autobanning Enabled
    Debug Mode Enabled
    No Duplicate Rules Detected In RAW
    No Duplicate Rules Detected In FILTER
    Whitelist IPTable Detected
    Skynet IPTable Detected
    Whitelist IPSet Detected
    BlockedRanges IPSet Detected
    Blacklist IPSet Detected
    Skynet IPSet Detected
    Skynet: [Complete] 0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [2s]
    [email protected]:/tmp/home/root#
    
     
  12. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    Overall functionality hasn't changed in months.

    Those logging entries will show every time you run a command or at the top of each hour on a cronjob.

    This script will block all traffic specified on the blacklists. The autobans mainly consist of port-scan attempts.

    Looks like everything is working perfect :p
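
An added example, not part of any post in this thread and not Skynet's own code: a small shell/awk filter that reads the hourly `Skynet: [Complete]` syslog summaries quoted above and prints how many connections were blocked between consecutive entries. The function names and the 17:58 and 19:00 sample lines are constructed for illustration, and treating a decreasing counter as a reset is an assumption.

```shell
#!/bin/sh
# Added example: summarise Skynet "[Complete]" syslog lines (format as quoted in this thread).

# Reads syslog text on stdin and prints, per Skynet summary line:
#   HH:MM:SS banned_ips new_ips inbound outbound +in +out
# "+in"/"+out" are the change in the blocked-connection counters since the
# previous summary. Assumption: a counter that goes down has been reset
# (e.g. the firewall restarted), so the current value is reported as the delta.
skynet_deltas() {
    awk '
    {
        c = 0
        # Locate the "[Complete]" token so extra leading fields do not matter.
        for (i = 3; i <= NF; i++)
            if ($i == "[Complete]" && $(i-1) == "Skynet:") { c = i; break }
        if (c == 0 || NF < c + 18) next            # not a summary line
        ips = $(c+1) + 0;  nw   = $(c+7) + 0       # total banned IPs, new IPs
        inb = $(c+15) + 0; outb = $(c+18) + 0      # inbound/outbound blocked
        if (!seen) { din = 0; dout = 0 }           # first entry: no baseline
        else {
            din  = (inb  >= pin)  ? inb  - pin  : inb
            dout = (outb >= pout) ? outb - pout : outb
        }
        printf "%s %d %d %d %d +%d +%d\n", $(c-2), ips, nw, inb, outb, din, dout
        pin = inb; pout = outb; seen = 1
    }'
}

# Sample input: the 17:56 and 18:00 lines are quoted in the thread;
# the 17:58 and 19:00 lines are constructed.
sample_log() {
cat <<'EOF'
Oct  8 17:56:01 Skynet: [Complete] 571 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 19 Inbound / 17 Outbound Connections Blocked! [4s]
Oct  8 17:58:12 kernel: unrelated line
Oct  8 18:00:01 Skynet: [Complete] 572 IPs / 0 Ranges Banned. 1 New IPs / 0 New Ranges Banned. 19 Inbound / 17 Outbound Connections Blocked! [1s]
Oct  8 19:00:01 Skynet: [Complete] 572 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 23 Inbound / 17 Outbound Connections Blocked! [1s]
EOF
}

sample_log | skynet_deltas
```

A `+0 +0` row means nothing new was blocked in that interval, which matches a quiet `firewall debug watch` window like the one described earlier in the thread.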
     
  13. Raphie

    Raphie Occasional Visitor

    Joined:
    Sep 19, 2017
    Messages:
    27
    Thank you Adamm, appreciate the hard work and long time spent on developing and supporting this.
     
    Adamm likes this.
  14. Butterfly Bones

    Butterfly Bones Occasional Visitor

    Joined:
    Apr 10, 2017
    Messages:
    38
    Thank you for the reply. I understand both these points which is why I went into so much detail above.

    tl;dr question is why bans show in
    Code:
    sh /jffs/scripts/firewall stats
    but not while running
    Code:
    sh /jffs/scripts/firewall debug watch
     
  15. Jan Adelsson

    Jan Adelsson Occasional Visitor

    Joined:
    Oct 8, 2017
    Messages:
    10
    Thank you.
     
  16. iManuB

    iManuB Occasional Visitor

    Joined:
    Apr 24, 2017
    Messages:
    36
    I installed Skynet on a dedicated partition (in my 4gb usb key).
    I left firewall enabled by gui.

    Code:
    Router Model; RT-AC3200
    Skynet Version; v5.2.4 (09/10/2017)
    iptables v1.4.14 - (ppp0)
    ipset v6.32, protocol version: 6
    FW Version; 380.68_4 (Oct 4 2017)
    Install Dir; /tmp/mnt/Skynet/skynet (1.2G Space Available)
    Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/Skynet
    Install Dir Writeable
    Startup Entry Detected
    No Lock File Found
    Cronjobs Detected
    IPSet Supports Comments
    Level 5 Messages Will Be Logged
    Autobanning Enabled
    Debug Mode Enabled
    No Duplicate Rules Detected In RAW
    No Duplicate Rules Detected In FILTER
    Whitelist IPTable Detected
    Skynet IPTable Detected
    Whitelist IPSet Detected
    BlockedRanges IPSet Detected
    Blacklist IPSet Detected
    Skynet IPSet Detected
    Skynet: [Complete] 160953 IPs / 2089 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 48 Inbound / 0 Outbound Connections Blocked! [3s]
    I think it's okay, right?
    Thanks so much!
     
  17. yk101

    yk101 Regular Contributor

    Joined:
    Apr 14, 2017
    Messages:
    129
    Looks good!
     
  18. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779

    Running the watch command "purges" the logs as it is run, so it was probably then the log was cleared.

    Yes looks fine
     
    Butterfly Bones likes this.
  19. Butterfly Bones

    Butterfly Bones Occasional Visitor

    Joined:
    Apr 10, 2017
    Messages:
    38
    Ah ha. Thank you. I read about 30 pages of this thread yesterday, I do remember seeing that earlier in the thread. So much to learn. :oops:
     
    Adamm likes this.
  20. iManuB

    iManuB Occasional Visitor

    Joined:
    Apr 24, 2017
    Messages:
    36
    Thanks so much! :D
     
    Adamm likes this.
