Skynet Skynet - Router Firewall & Security Enhancements


I had similar problems at one point, the solution I came up with was a bit of a kludge - I'm sure there's a more elegant way to tell the router not to use dnscrypt-proxy - but it worked. I'm pretty certain this is what I did, but it was a while ago now so apologies in advance if it doesn't work:
I downloaded the raw installer script from github on my phone (path as above), copied it from the phone to my PC over USB, then uploaded it from the PC to the router's /jffs/scripts folder via WinSCP. Marked it as executable then ran the installer via ssh:
Code:
sh /jffs/scripts/installer
I think this would enable you to uninstall.
After having the router switched off for a few days, I've started it and I was about to try that. When I have started the router, by chance or magic, I've got connectivity on it. However, the DNSCrypt was still not starting from AMTM. But, I've (forced) reinstalled AMTM, Diversion and Skynet, and after a reboot, the DNSCrypt menu has shown. I've reinstalled it, and after another reboot, everything is back to normal. Thank you all for sharing ideas!
 
After having the router switched off for a few days, I've started it and I was about to try that. When I have started the router, by chance or magic, I've got connectivity on it. However, the DNSCrypt was still not starting from AMTM. But, I've (forced) reinstalled AMTM, Diversion and Skynet, and after a reboot, the DNSCrypt menu has shown. I've reinstalled it, and after another reboot, everything is back to normal. Thank you all for sharing ideas!

Glad you got it going without drastic reset action.
I know what you mean “as if by magic”. So are you still running DNSCrypt or have you disabled it?
 
As pointed out, unfortunately we are stuck with limited stock binaries so options like "--follow-symlinks" are unavailable for sed, along with additional configuration for syslog. So there is no way for Skynet to avoid this issue.
Got it. I'll add a cron job to restore the link after Skynet runs.

Out of noob curiosity, what is this sed command doing?
Code:
sed -i "\\~USER $(nvram get http_username) pid .*/jffs/scripts/firewall ~d" /tmp/syslog.log
In my case reading /opt/var/log/messages, deleting something, and destructively writing the result to /tmp/syslog.log? In my case the result is to write out something that existed when skynet first starts.
 
Got it. I'll add a cron job to restore the link after Skynet runs.

Out of noob curiosity, what is this sed command doing?
Code:
sed -i "\\~USER $(nvram get http_username) pid .*/jffs/scripts/firewall ~d" /tmp/syslog.log
In my case reading /opt/var/log/messages, deleting something, and destructively writing the result to /tmp/syslog.log? In my case the result is to write out something that existed when skynet first starts.

It removes the cronjob print from syslog generated by the hourly save command. Skynet prints enough to syslog as it is, so I avoid extra logging when unnecessary.
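To make the answer above concrete, here is an added example (not code from the thread or from the Skynet project) that runs the same sed expression over a constructed log. The only assumption is that `$(nvram get http_username)` is replaced by a hard-coded `admin`, since there is no nvram off the router; the sample lines are made up in the style of busybox crond and Skynet messages.

```shell
#!/bin/sh
# Added example, not from the thread or Skynet: shows what the quoted
# sed command deletes. ASSUMPTION: "admin" stands in for the value that
# `nvram get http_username` would return on the router.
HTTP_USERNAME="admin"

# Constructed sample of /tmp/syslog.log (not real router output).
make_sample_log() {
  cat <<'EOF'
Jan  9 09:00:01 crond[1234]: USER admin pid 5678 cmd /jffs/scripts/firewall save
Jan  9 09:00:02 Skynet: [i] Saving Changes...
Jan  9 09:00:03 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5
Jan  9 10:00:01 crond[1234]: USER admin pid 5690 cmd /jffs/scripts/firewall save
Jan  9 10:00:02 crond[1234]: USER admin pid 5691 cmd /jffs/scripts/backup
EOF
}

# The thread's expression with the nvram lookup swapped for the variable.
# "\~REGEX~d": the leading backslash lets sed use '~' as the regex delimiter,
# so the '/' characters in the script path need no escaping; 'd' deletes
# every line that matches. Only crond's "USER <name> pid ... cmd
# /jffs/scripts/firewall <args>" lines match; other crond entries, Skynet's
# own messages and the kernel block lines are left alone.
# (The original uses -i to edit the file in place; here the filtered log is
# written to stdout so the function can be piped.)
strip_cron_lines() {
  sed "\\~USER $HTTP_USERNAME pid .*/jffs/scripts/firewall ~d"
}

count_lines() {
  wc -l | tr -d ' '
}

# Stand-alone run: print the log with the hourly-save cron entries removed.
make_sample_log | strip_cron_lines
```

On the router the same filter would be applied in place with `sed -i ... /tmp/syslog.log`, which is why the quoted command rewrites the file rather than printing it; the pattern itself is identical.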
 
Luckily I didn't lose all connectivity to the router. I was able to SSH in and uninstall DNSCrypt. Then reinstall Skynet. So things seem to be fine with Skynet again.

I do have these three outbound blocks appearing in my syslog over and over. Appears to be to an ASUS webstorage IP address. I have never used or configured webstorage on my router. Any other reason why I am seeing these? How to stop these?



Update

I temporarily disabled Skynet and then restarted it. The blocks on the ip addresses to Asus Webstorage have stopped.
Yeah, I had the same outbound block issue on initial update to 6.6.6 - The Beast brought my AC86U to its knees and in a day, me with it. I was getting my ISP assigned IP blocked trying to reach that asuscloud IP blocked at least once and up to three times / second!
Code:
Jan  9 09:36:34 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=71.93.53.239 DST=210.65.113.169
Jan  9 09:36:35 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=71.93.53.239 DST=210.65.113.169
Jan  9 09:36:35 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=71.93.53.239 DST=210.65.113.169
Jan  9 09:36:36 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=71.93.53.239 DST=210.65.113.169
I investigated and found this, though it was no help.
https://otx.alienvault.com/indicator/ip/210.65.113.169
https://whois.domaintools.com/210.65.113.169
Code:
xxx@RT-AC86U-XXXX:/tmp/home/root# firewall stats search malware 210.65.113.169
=============================================================================================================
[i] Debug Data Detected in /tmp/mnt/SNB/skynet/skynet.log - 6.9M
[i] Monitoring From Jan 3 05:00:11 To Jan 9 09:30:11
[i] 25943 Block Events Detected
[i] 5201 Unique IPs
[i] 13 Manual Bans Issued
Associated Domain(s);
aae-spweb-vx.a.asuscloud.com
=============================================================================================================
Exact Matches;
--------------       | ---------                              
| IP Address |       | | List |                              
--------------       | ---------                              
Possible CIDR Matches;
--------------       | ---------                              
| IP Address |       | | List |                              
--------------       | ---------                              
=============================================================================================================
[#] 156496 IPs (+0) -- 29400 Ranges Banned (+0) || 241 Inbound -- 238970 Outbound Connections Blocked! [stats] ]
My UI would freeze and even an SSH reboot or halt then restart would not solve it. I eventually used my backup AC68U to run my network for a few days while I completely redid my AC86U. I never could solve it until the first hotfix for 6.6.6 resolved the outbound blocking chaos, after forcing an update while trying to solve wtf was going on.....
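When a log fills at "up to three times / second" like the lines quoted above, it helps to summarise the `[BLOCKED - OUTBOUND]` entries by destination and peak rate instead of reading them one by one. The script below is an added example, not code from the thread or from Skynet; the sample lines are constructed in the same format as the quoted ones but use RFC 5737 documentation addresses instead of the poster's real IPs.

```shell
#!/bin/sh
# Added example, not from the thread or Skynet: summarise repeated outbound
# blocks from kernel log lines of the form quoted in the thread.

# Constructed sample log lines (documentation IPs, not real traffic).
make_blocked_sample() {
  cat <<'EOF'
Jan  9 09:36:34 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.169
Jan  9 09:36:35 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.169
Jan  9 09:36:35 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.169
Jan  9 09:36:35 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.169
Jan  9 09:36:36 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.169
Jan  9 09:36:36 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10
Jan  9 09:36:40 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.44
EOF
}

# Outbound blocks per destination, most frequent first: "<count> <DST>".
# Inbound blocks are ignored so the two directions are not mixed up.
outbound_by_dst() {
  grep 'BLOCKED - OUTBOUND' \
    | sed -n 's/.*DST=\([0-9.]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Destinations blocked at least $1 times (the flood candidates).
flood_destinations() {
  outbound_by_dst | awk -v t="$1" '$1 >= t {print $2}'
}

# Highest number of outbound blocks to DST $1 that share one syslog
# timestamp, i.e. the peak per-second rate. Fields are compared whole
# ("DST=" plus the address) so 203.0.113.16 does not match 203.0.113.169.
peak_per_second() {
  awk -v d="DST=$1" '
    /BLOCKED - OUTBOUND/ {
      for (i = 1; i <= NF; i++) if ($i == d) n[$1 " " $2 " " $3]++
    }
    END { max = 0; for (k in n) if (n[k] > max) max = n[k]; print max }'
}

# Stand-alone run over the constructed sample.
make_blocked_sample | outbound_by_dst
echo "floods (>=3): $(make_blocked_sample | flood_destinations 3)"
echo "peak/s to 203.0.113.169: $(make_blocked_sample | peak_per_second 203.0.113.169)"
```

On the router the functions read the real log the same way, e.g. `outbound_by_dst < /tmp/syslog.log`; a single destination dominating the count with a peak of several hits per second is the pattern the post describes, and is worth checking before assuming the traffic is hostile, since here it was the router's own cloud service being blocked.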
 
I never could solve it until the first hotfix for 6.6.6 resolved the outbound blocking chaos, after forcing an update while trying to solve wtf was going on.....

If you are referring to this fix, I apologize for the inconvenience caused.

Generally I am quite thorough in testing updates, but there currently is a bug with the AX88U which I use as my dev device where a large portion of AiProtect logs are not kept. So based on the information available at the time (plus me being naive assuming Trend Micro didn't stupidly store mixed data in a database table) the update should have worked as expected :rolleyes:

The upside is Skynet has even more fail-safes built in to prevent this happening in the future.


And let's face it, with a version number like v6.6.6 something bad was bound to happen :p
 
Glad you got it going without drastic reset action.
I know what you mean “as if by magic”. So are you still running DNSCrypt or have you disabled it?
yep, still running DNSCrypt.
I have no plans to run this router without any of these: Diversion, Skynet, OpenVPN client, and DNSCrypt. Besides these 4, I think there is nothing else to run anyways. ;)
 
If you are referring to this fix, I apologize for the inconvenience caused.

Generally I am quite thorough in testing updates, but there currently is a bug with the AX88U which I use as my dev device where a large portion of AiProtect logs are not kept. So based on the information available at the time (plus me being naive assuming Trend Micro didn't stupidly store mixed data in a database table) the update should have worked as expected :rolleyes:

The upside is Skynet has even more fail-safes built in to prevent this happening in the future.


And let's face it, with a version number like v6.6.6 something bad was bound to happen :p
I don't think that was it at all, just some weird coincidence. o_O I do not use AiProtect or any TrendMicro features. Here is the output of the sqlite query:
Code:
xxxx@RT-AC86U-XXXX:/tmp/home/root# sqlite3 /jffs/.sys/AiProtectionMonitor/AiProtectionMonitor.db "SELECT
dst FROM monitor;" | awk '!x[$0]++'
-sh: sqlite3: not found

I doubt it was actually anything in your code, there are some quirks in the AC86U after trying some things, and having no success. Syslog-ng (as explained by elorimer above), DNSCrypt, and there is a weird reboot bug that actually causes a shutdown.
 
yep, still running DNSCrypt.
I have no plans to run this router without any of these: Diversion, Skynet, OpenVPN client, and DNSCrypt. Besides these 4, I think there is nothing else to run anyways. ;)

Pixelserv-tls?

Be interested to know if that DNSCrypt glitch ever reappears. Keep that magic wand handy.
 
I doubt it was actually anything in your code, there are some quirks in the AC86U after trying some things, and having no success. Syslog-ng (as explained by elorimer above), DNSCrypt, and there is a weird reboot bug that actually causes a shutdown.

In that case, I take back everything I said.

I regret nothing! :p
 
Pixelserv-tls?

Be interested to know if that DNSCrypt glitch ever reappears. Keep that magic wand handy.
Pixelserv-tls is basically part of Diversion (if I am not mistaken).
I'll post here in case DNSCrypt will play dirty games again. So far, everything is good.

Just want to make a note: Skynet is running extremely nice now and since quite some time in fact. I remember about a year ago or so, I had quite some issue with it (partially related to the USB stick and the swap partition, partially with some other settings), but since then Skynet and everything else on this router is running great! Thanks @Adamm & @thelonelycoder for these great tools!
 
Hi all,

I've been reading up on Skynet firewall and I have a question, what's the main difference between this firewall and the firewall that's already on the router? Is it just the same firewall but with more control e.g. blocking specific IP addresses? I am mostly interested in the malware defender side of it, does the standard firewall do that or will I need Skynet to keep me protected?

I tried to install Skynet last night on my AC68U, formatted a 2GB USB stick to ext4 and then followed the instructions but after about 2 hours I started to get errors in my system log. The kernel was reporting an IO error? Don't know if you've seen this before?

Also my system log was flooded by blocking messages from the kernel, I realised that the dropped packets option under the firewall was active which was giving me these errors. Once I set it to report none under the firewall menu it would automatically set itself back to dropped packets and continue to fill the log. Is this normal?

I tried to disable debugging under the skynet menu but then I was not getting any information under the stats?

Sorry for all the n00by questions,

Thanks
 
Hi all,

I've been reading up on Skynet firewall and I have a question, what's the main difference between this firewall and the firewall that's already on the router? Is it just the same firewall but with more control e.g. blocking specific IP addresses? I am mostly interested in the malware defender side of it, does the standard firewall do that or will I need Skynet to keep me protected?

I tried to install Skynet last night on my AC68U, formatted a 2GB USB stick to ext4 and then followed the instructions but after about 2 hours I started to get errors in my system log. The kernel was reporting an IO error? Don't know if you've seen this before?

Also my system log was flooded by blocking messages from the kernel, I realised that the dropped packets option under the firewall was active which was giving me these errors. Once I set it to report none under the firewall menu it would automatically set itself back to dropped packets and continue to fill the log. Is this normal?

I tried to disable debugging under the skynet menu but then I was not getting any information under the stats?

Sorry for all the n00by questions,

Thanks

Skynet lets you load iptables rules into the built-in firewall telling it what IP addresses or ranges to block or allow for both inbound and outbound connections. It's not a replacement for the firewall. If you disable system logging then Skynet can't collect stats.
 
Hi all,

I've been reading up on Skynet firewall and I have a question, what's the main difference between this firewall and the firewall that's already on the router? Is it just the same firewall but with more control e.g. blocking specific IP addresses? I am mostly interested in the malware defender side of it, does the standard firewall do that or will I need Skynet to keep me protected?

I tried to install Skynet last night on my AC68U, formatted a 2GB USB stick to ext4 and then followed the instructions but after about 2 hours I started to get errors in my system log. The kernel was reporting an IO error? Don't know if you've seen this before?

Also my system log was flooded by blocking messages from the kernel, I realised that the dropped packets option under the firewall was active which was giving me these errors. Once I set it to report none under the firewall menu it would automatically set itself back to dropped packets and continue to fill the log. Is this normal?

I tried to disable debugging under the skynet menu but then I was not getting any information under the stats?

Sorry for all the n00by questions,

Thanks


The IO error is unrelated to Skynet and is to do with your USB directly.

Skynet's goal is to enhance the built-in firewall functionality. So if you want to block malware lists/IPs/domains/countries, yes you will need to install Skynet.

As for the stats, this requires debug mode to be enabled (which is what all those connection blocked logs are), otherwise Skynet has no information to generate your stats from.
 
Skynet lets you load iptables rules into the built-in firewall telling it what IP addresses or ranges to block or allow for both inbound and outbound connections. It's not a replacement for the firewall. If you disable system logging then Skynet can't collect stats.
oh ok thanks for clarifying that
 
The IO error is unrelated to Skynet and is to do with your USB directly.

Skynet's goal is to enhance the built-in firewall functionality. So if you want to block malware lists/IPs/domains/countries, yes you will need to install Skynet.

As for the stats, this requires debug mode to be enabled (which is what all those connection blocked logs are), otherwise Skynet has no information to generate your stats from.
Brilliant, thanks for the information :)

So if I was only interested in the malware functionality (to protect my router from malware threats), would the standard firewall (without skynet) do?

Also I found a function named AiProtect, but I can't find any information on it. Could you explain what this does?

Thank you
 
Brilliant, thanks for the information :)

So if I was only interested in the malware functionality (to protect my router from malware threats), would the standard firewall (without skynet) do?

Also I found a function named AiProtect, but I can't find any information on it. Could you explain what this does?

Thank you

You would need Skynet for this functionality.


AiProtect is another stock feature on the firmware, technically known as an “IPS” system.

An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits.

Skynet also enhances the functionality of this feature when installed.
 
You would need Skynet for this functionality.


AiProtect is another stock feature on the firmware, technically known as an “IPS” system.



Skynet also enhances the functionality of this feature when installed.

Perfect, thank you for the explanation, it's helped me get a better understanding of how it works.

I will have to try and install this again on the router, am I correct in saying once it has been installed it should be good to go e.g. no messing about unless I need to block ip addresses/domains?

Last question, if I flash another firmware update (when merlin uploads one) will this wipe skynet?

Thank you
 
I will have to try and install this again on the router, am I correct in saying once it has been installed it should be good to go e.g. no messing about unless I need to block ip addresses/domains?

That is correct. Set and forget.

Last question, if I flash another firmware update (when merlin uploads one) will this wipe skynet?

Skynet will survive firmware updates.
 
