Skynet - Asus Firewall Addition (Dynamic Malware/Country/Manual IP Blocking)

Discussion in 'Asuswrt-Merlin' started by Adamm, Apr 16, 2014.

  1. Raphie

    Raphie Occasional Visitor

    Joined:
    Sep 19, 2017
    Messages:
    27
    hehehe :p seems to work then :D

    Skynet: [Complete] 161774 IPs / 2120 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 163 Inbound / 74 Outbound Connections Blocked! [2s]
    [email protected]:/tmp/home/root#
     
    Adamm likes this.
  2. Laserpaddy

    Laserpaddy Occasional Visitor

    Joined:
    Aug 19, 2016
    Messages:
    14
    mine's fine as well
    Oct 10 06:52:17 Skynet: [INFO] Startup Initiated... ( banmalware autoupdate )
    Oct 10 06:52:30 Skynet: [INFO] Lock File Detected (start banmalware autoupdate) (pid=4943) - Exiting
    Oct 10 06:53:04 Skynet: [Complete] 164942 IPs / 7677 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [47s]
    Oct 10 06:57:23 Skynet: [INFO] Skynet Up To Date - v5.2.4
    Oct 10 13:00:08 Skynet: [Complete] 164942 IPs / 7677 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 7 Outbound Connections Blocked! [8s]

    have to reinstall to enable debugging - I fat-fingered the install, darnit... thank you for this
     
  3. Laserpaddy

    Laserpaddy Occasional Visitor

    Joined:
    Aug 19, 2016
    Messages:
    14
    wow
    Oct 10 06:52:17 Skynet: [INFO] Startup Initiated... ( banmalware autoupdate )
    Oct 10 06:52:30 Skynet: [INFO] Lock File Detected (start banmalware autoupdate) (pid=4943) - Exiting
    Oct 10 06:53:04 Skynet: [Complete] 164942 IPs / 7677 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [47s]
    Oct 10 06:57:23 Skynet: [INFO] Skynet Up To Date - v5.2.4
    Oct 10 13:00:08 Skynet: [Complete] 164942 IPs / 7677 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 7 Outbound Connections Blocked! [8s]
    Oct 10 07:20:17 Skynet: [Complete] 164839 IPs / 7665 Ranges Banned. -103 New IPs / -12 New Ranges Banned. 0 Inbound / 154 Outbound Connections Blocked! [77s]
     
    Raphie likes this.
  4. Raphie

    Raphie Occasional Visitor

    Joined:
    Sep 19, 2017
    Messages:
    27
    Indeed wow, the crap it finds and blocks, amazing!
    Adamm, where can I find txt log files to see what has been blocked?
     
  5. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779

    The raw data is copied into skynet.txt

    But Skynet phrases this information in a much less overwhelming way using the stat commands you can find detailed in the first post.
     
  6. Laserpaddy

    Laserpaddy Occasional Visitor

    Joined:
    Aug 19, 2016
    Messages:
    14
    I can install the ab program on the same USB?
     
  7. Raphie

    Raphie Occasional Visitor

    Joined:
    Sep 19, 2017
    Messages:
    27
    Thanks Adamm, speedguide.net and otx.alienvault.com seem to be the biggest offenders, over tons of different IPs.
    Any idea what is causing this? Do I have any apps in the household triggering these "services" ;)?
     
  8. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    3,065
    Location:
    In the heart of Switzerland
    Of course, they work well with each other.
     
  9. Laserpaddy

    Laserpaddy Occasional Visitor

    Joined:
    Aug 19, 2016
    Messages:
    14
    I have the exact same thing
     
  10. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779

    These are actually just generated URLs to a lookup service for the actual offending IPs. The IP/port at the end are the real offenders.
     
  11. Builder71

    Builder71 Senior Member

    Joined:
    Oct 14, 2012
    Messages:
    481
    Location:
    The Netherlands
    Do you have this script running on an RT-N66U?
    To my understanding this will not work because of the old ipset version (v4).
     
  12. iManuB

    iManuB Occasional Visitor

    Joined:
    Apr 24, 2017
    Messages:
    36
    No, I took the picture over the internet.
    I've only RT-AC3200 :)
     
  13. Jan Adelsson

    Jan Adelsson Occasional Visitor

    Joined:
    Oct 8, 2017
    Messages:
    10
    I have PIA (Private Internet Access) VPN and Skynet does not play well with it. Even if I unban the IPs as it is suggested in post no:2, my connection gets disconnected all the time.
    So I had no other way but to uninstall Skynet.
    Is there a way to go around this?
     
    Last edited: Oct 11, 2017
  14. Butterfly Bones

    Butterfly Bones Occasional Visitor

    Joined:
    Apr 10, 2017
    Messages:
    38
    I have a VPN running 24/7 and have no serious issues using Skynet.

    One time I did have to whitelist a VPN server after a timeout changed me to a new one, but that is the only one I have found. That server was configured wrong when I contacted my VPN provider and they made a change. That IP showed me in Russia using the Geolocation Detection shown in ipleak.net. :eek:

    I'm in central California and use their servers in LA about 200 miles away, yet my geolocation currently shows me in Washington state, which is fine with me! Google shows me that as well using Google local news. ;)
     
  15. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    I did my best to support VPNs thanks to Astril giving me a developer account. Every time Skynet is started or the firewall_restart event is called the VPN whitelist is refreshed.

    If there's another user-script I can hook into whenever the VPN IP changes I'll definitely go that route. But I'm not sure such a thing exists. A temporary solution would be to disable autobanning. I will look into this further over the coming days and see if there's anything else I can do.

    If they provide all their VPN ranges you could whitelist them manually.
     
    Butterfly Bones likes this.
  16. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    4,706
    Location:
    United States
    It's passed as an environment variable to the vpn route-up script. Because it's a shell environment it's not saved, but we could probably write it to a file or nvram if the user is using policy routing.
     
    Butterfly Bones likes this.
  17. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    I see some documentation on "openvpn-event"


    Could that possibly cover it too?
     
  18. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    4,706
    Location:
    United States
    Yes and no......openvpn-event is called for EVERY transition/event of both the client and server. Part of what I had put together in user scripts was a framework that determined why it was called and by who....for example vpnclient1-route-up. You could use openvpn-event if you did the same thing (and didn't break the previously mentioned framework :) )

    The other alternative would be saving it in vpnrouting.sh (part of the firmware) that you could then query.
     
    Adamm likes this.
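
The dispatch john9527 describes in his two posts above (working out which VPN instance and event triggered openvpn-event, then saving an address that otherwise lives only in the script's environment), as an added example that is not from the thread, Skynet or the firmware. The tun11-15/tun21-22 device naming, the STATE_DIR path and the function names are assumptions, as is using OpenVPN's trusted_ip variable as the address to save.

```shell
#!/bin/sh
# Added example, not Skynet or firmware code: logic for an openvpn-event hook.
# OpenVPN exports $dev and $script_type to the scripts it runs.
# ASSUMPTION: tun11-tun15 are VPN clients 1-5, tun21-tun22 are servers 1-2.

STATE_DIR="${STATE_DIR:-/tmp}"   # hypothetical location for the saved address

# Build an event name such as "vpnclient1-route-up" from device + script type.
vpn_event_name() {
    case "$1" in
        tun1[1-5]) role="client"; idx="${1#tun1}" ;;
        tun2[1-2]) role="server"; idx="${1#tun2}" ;;
        *) return 1 ;;                      # not a VPN device: ignore
    esac
    case "$2" in
        up|down|route-up|route-pre-down) ;;
        *) return 1 ;;                      # unknown event type: ignore
    esac
    printf 'vpn%s%s-%s\n' "$role" "$idx" "$2"
}

# Accept only a dotted-quad IPv4 address, so nothing else from the
# environment ends up in a file that a firewall script reads later.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Called for every client and server event. Only a client route-up saves
# the address; all other recognised events are just named on stdout.
handle_vpn_event() {
    event="$(vpn_event_name "$1" "$2")" || return 0
    case "$event" in
        vpnclient*-route-up)
            is_ipv4 "$3" || return 1
            printf '%s\n' "$3" > "$STATE_DIR/${event%-route-up}.remote_ip"
            ;;
    esac
    printf '%s\n' "$event"
}

# As a hook this would be invoked as (trusted_ip is an assumption):
#   handle_vpn_event "$dev" "$script_type" "$trusted_ip"
```

A whitelist refresh can then read the per-client `.remote_ip` file instead of waiting for the next firewall restart.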
  19. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    Okay thanks for the heads up, haven't gone too in-depth with the whole VPN side of things so will make that my mission for the next few days and put something together.

    @Jan Adelsson I'll put together a basic update shortly that should alleviate some of your issues (along with a command to forcefully update the VPN white-list). So keep an eye out.
     
  20. Jan Adelsson

    Jan Adelsson Occasional Visitor

    Joined:
    Oct 8, 2017
    Messages:
    10
    Thanks man. Can't wait for it.
     
