Skynet - Router Firewall & Security Enhancements

Hi Adam, I installed everything and it was working fine for about 45 minutes and then the whole network went down. It looks like my ac68u rebooted, but as the system log got wiped I don't know why it rebooted.

Also when I first installed skynet and rebooted the router the usb wouldn't mount, I used diskgenius to format it to ext 4. After it kept failing to mount I re-formatted it to ext 3 and everything rebooted after 45 minutes up time.

Do you have any idea what it could be?

Thanks
 
Most definitely sounds like a USB issue. I personally use MiniTool Partition Wizard to handle mine. So far so good :p
 
Bad thumbdrive?
 
Is it because I used a crappy USB? It was a free one from sky :oops:
Or do you think it's the software I used to format it?
What brand USB should I really be using and what format is preferred?
 
Both are topics of great debate. I've had good luck with Sandisk, others not so much. I really think you pretty much get what you pay for; if you buy a cheap USB, it's not going to last as long, or tolerate the heat from working 24/7 as a more expensive one.

What format ... IMHO, ext2 if you're not going to use journaling, or ext4 (with journaling) if you want journaling. That said, any of ext2, ext3, and ext4 with or without journaling is what you should use. Don't use fat32, or exfat, or anything else but the native (ext*) filesystems. There's plenty of discussion on other threads about the merits of journaling or not. I actually use an SSD connected through the USB port, so journaling is a no-brainer for me.
 
I’m unsure about random reboot and why system log was wiped. I’ve never had that happen to me.

If you think there may be problem with USB disk not being detected then consider reformatting it using the router. A guide is available here.

https://www.snbforums.com/threads/e...ptions-on-the-router.48302/page-2#post-455723

If that doesn’t work then maybe factory reset router and redo settings by hand? If resetting firmware and settings doesn’t work and you keep getting random reboots then maybe it’s a hardware problem...
 
I just ordered a Sandisk one. Thanks for the advice pal :)
 
Thanks for the link, I'll use the router to format the new one I've ordered.

I have never ever had a random reboot on this router, as soon as skynet was installed on the usb (after 45 mins) it just rebooted itself. As others don't have any issues I think it's definitely down to the usb stick.

Every time I reboot my router my system log always gets deleted, I thought this was normal?
 
I installed the latest 86U alpha, rebooted, and now Skynet says this:


-------------------- | ----------
| Test Description | | | Result |
-------------------- | ----------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
SWAP | [Passed]
Cron Jobs | [Passed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
Inbound Filter Rules | [Failed]
Inbound Debug Rules | [Failed]
Outbound Filter Rules | [Failed]
Outbound Debug Rules | [Failed]
Whitelist IPSet | [Passed]
BlockedRanges IPSet | [Passed]
Blacklist IPSet | [Passed]
Skynet IPSet | [Passed]


----------- | ----------
| Setting | | | Status |
---------- | ----------

Autoupdate | [Disabled]
Auto-Banmalware Update | [Disabled]
Debug Mode | [Disabled]
Filter Traffic | [Selective]
Unban PrivateIP | [Disabled]
Log Invalid | [Disabled]
Ban AiProtect | [Disabled]
Secure Mode | [Disabled]
Fast Switch | [Disabled]

13/17 Tests Sucessful

Only 13/17 successful (spelling?). And Inbound and Outbound Filter Rules Failed. What do I need to do to fix this?

Also, I tried to enable Autoupdate and Auto-Banmalware, but neither setting will take. ??

To be clear, I have 384.9_alpha2-g2c530c69b.

Also, I did try to reinstall Skynet, both without then with -F option, but same result. I also tried to reinstall Banmalware, but same result. In Merlin, I have AIProtect enabled in case that matters.
 
Looks like you are flushing IPTables at some point (or you checked the debug output too fast during startup when the process was still locked?). You passed all the important tests so it seems like something outside of Skynet is causing the issue. Try reboot / restart Skynet and see if the results change.
 
I just rebooted, let it settle for about 5 min, then did:

sh /jffs/scripts/firewall debug info

Same result.

But also I noticed this in Putty.

upload_2019-1-18_21-48-24.png


Arithmetic syntax error.
 
I personally think the issue lies outside of Skynet with the information available. I suggest uninstalling / reinstalling to see if Skynet works on a clean slate as there may be something funky going on in your "JFFS custom scripts and configs".
 
I finally got it to uninstall, then reinstalled, then reloaded the malware and country lists. Now all appears to be OK. I have 17/17 tests successful. Thanks.
 
No log entries no accumulated stats.
I'm not quite sure how this works with the "Cleanup Syslog Entries" option. Does running that affect stats?
Or is logging to syslog required to gather stats, but once they are collected then cleaning the entries from syslog has no effect?
I am assuming the latter is true - stats seem to be based on skynet.log - but would be grateful for confirmation. I'm wondering if I can set up a cron job to cleanup syslog entries without negatively impacting Skynet.
 
The short version is IPTables logs the blocked entries to syslog, then Skynet transfers them every time a command is run or the hourly save cronjob to skynet.log . No logs = no stats.

The cleanup option does this + removes any other misc output Skynet has in the syslog.
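
The reply above says the stats depend entirely on the blocked-connection lines that IPTables writes to syslog. As an added example (not Skynet's own code and not part of the original post), this sketch counts such lines by direction, remote address and destination port; the sample lines are constructed, and the `[BLOCKED - OUTBOUND]` prefix is assumed by analogy with the `[BLOCKED - INBOUND]` prefix seen in this thread.

```shell
#!/bin/sh
# Added example, not Skynet code. Sample lines are constructed and use
# documentation address ranges; "[BLOCKED - OUTBOUND]" is an assumed prefix.
sample_log() {
cat <<'EOF'
Jan 19 17:19:58 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=40 TTL=241 PROTO=TCP SPT=50038 DPT=4381 SYN URGP=0
Jan 19 17:20:02 Diversion: updated ads counter: 10 total
Jan 19 17:20:18 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=40 TTL=245 PROTO=TCP SPT=49565 DPT=1433 SYN URGP=0
Jan 19 17:21:40 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=192.0.2.99 DST=198.51.100.20 LEN=40 TTL=240 PROTO=TCP SPT=41000 DPT=1433 SYN URGP=0
Jan 19 17:22:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 SRC=192.168.1.50 DST=192.0.2.200 LEN=60 TTL=63 PROTO=UDP SPT=5353 DPT=53
EOF
}

# block_stats: read syslog text on stdin and print "key count" lines for each
# direction, remote address and destination port seen in blocked entries.
block_stats() {
    awk '
    /\[BLOCKED - (INBOUND|OUTBOUND)\]/ {
        dir = (index($0, "[BLOCKED - INBOUND]") ? "INBOUND" : "OUTBOUND")
        src = ""; dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)      src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # The remote party is the source of inbound traffic and the
        # destination of outbound traffic.
        remote = (dir == "INBOUND") ? src : dst
        n["dir " dir]++
        if (remote != "") n["remote " remote]++
        if (dpt != "")    n["dpt " dpt]++
    }
    END { for (k in n) print k, n[k] }
    ' | sort
}

sample_log | block_stats
```

Lines without a `[BLOCKED - ...]` prefix are ignored, so an input with no blocked entries produces no output at all, which is the "No logs = no stats" case.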
 
Thank you for quick reply and the explanation - so effectively it's already doing what I was thinking at least every hour anyway. I probably should have expected that. ;) And spotted it when perusing logs.
 
Updated yesterday. getting this in logs over and over again..

Code:
Jan 19 17:09:10 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/DATA1/skynet )
Jan 19 17:19:06 rc_service: udhcpc 20830:notify_rc start_firewall
Jan 19 17:19:06 dhcp_client: bound 76.71.182.30 via 10.11.18.65 during 600 seconds.
Jan 19 17:19:07 miniupnpd[19801]: shutting down MiniUPnPd
Jan 19 17:19:07 nat: apply nat rules (/tmp/nat_rules_ppp0_eth0)
Jan 19 17:19:07 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
Jan 19 17:19:07 miniupnpd[20850]: HTTP listening on port 37849
Jan 19 17:19:07 miniupnpd[20850]: Listening for NAT-PMP/PCP traffic on port 5351
Jan 19 17:19:08 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/DATA1/skynet )
Jan 19 17:19:33 Skynet: [#] 143412 IPs (+0) -- 1352 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [25s]
Jan 19 17:19:58 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=185.176.27.34 DST=70.55.54.122 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=58074 PROTO=TCP SPT=50038 DPT=4381 SEQ=851953085 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 19 17:20:02 Diversion: updated ads counter: 218,503 total, 3,316 this week, 3,100 new since last count, from /opt/bin/diversion
Jan 19 17:20:18 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=172.107.96.221 DST=70.55.54.122 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=11739 PROTO=TCP SPT=49565 DPT=1433 SEQ=3777568312 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0

Keeps
Jan 19 17:19:08 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/DATA1/skynet )
over and over again..
 
I'm currently going down the syslog-ng rabbit hole. :) Doing some grepping around skynet's firewall script I came up with the following to stop Skynet from trying to "fix" /tmp/syslog.log and /tmp/syslog.log-1 (and thereby breaking the symlink to /opt/var/log/messages):
Code:
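#!/bin/sh

# Patch Skynet's firewall script so it stops editing /tmp/syslog.log and
# /tmp/syslog.log-1 in place.

# Where the syslog files are listed alongside "$skynetevents", keep only "$skynetevents"
sed -i 's#"$skynetevents" "/tmp/syslog.log-1" "/tmp/syslog.log"#"$skynetevents"#' /jffs/scripts/firewall
sed -i 's#"/tmp/syslog.log" "$skynetevents"#"$skynetevents"#' /jffs/scripts/firewall
# Delete the lines that contain these literal strings (commands whose arguments are the syslog files)
sed -i "\#~d' /tmp/syslog.log-1 /tmp/syslog.log#d" /jffs/scripts/firewall
sed -i '\#~d" /tmp/syslog.log#d' /jffs/scripts/firewall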
I'm sure there's more elegant ways to do that, but I started chasing my tail on regexs and convinced myself that the above is at least halfway readable, a regex might be unintelligible. :rolleyes:

Since TrendMicro's dcd service is currently spamming the syslog horrifically, a few more entries in the syslog are hardly going to be noticed. Perhaps once that's fixed I'll change my mind and fix it by installing Entware's sed and adding "--follow-symlinks" after every "sed -i". Probably not though, I'll probably work on syslog-ng's filtering to split stuff up into useful logs. Depends on how much is actually getting added to the syslog I suppose.

I just have to remember to edit the firewall script on any upgrade of skynet and the S01syslog-ng script on any upgrade of syslog-ng. If anyone cares, my solution to the S01syslog-ng script to still allow check or restart to work without throwing errors is:
Code:
#!/bin/sh

logger -t "SCRIPT_$(basename $0)" "started [$@]"

if [ ! "X$(pidof syslogd)" = "X" ]
then
        # kill running syslogd & copy syslog.log to messages
        # maybe to a separate file for kernel messages?
        kill -9 $(pidof syslogd)
        if [ ! -L "/tmp/syslog.log" ]
        then
                cat /tmp/syslog.log >> /opt/var/log/messages
                rm /tmp/syslog.log /tmp/syslog.log-1
                # whatever is symlinked to /tmp/syslog.log is what webGUI System Log shows
                ln -s /opt/var/log/messages /tmp/syslog.log
        fi
fi

ENABLED=yes
PROCS=syslog-ng
ARGS=""
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
Okay, NOW it's time to learn git / github so I can put this stuff somewhere findable in the unlikely case that anyone else finds it useful. Probably need an install script for fixing S01syslog-ng and verifying /jffs/syslog and /jffs/syslog.log-1 are directories and not files to keep syslogd from writing to them before it gets killed in the bootup.
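
The post above describes `sed -i` breaking the `/tmp/syslog.log` symlink. As an added example (not the poster's or Skynet's code), this sketch reproduces the effect in a temporary directory and shows one alternative to `--follow-symlinks`: resolve the link and overwrite the target in place. The `strip_lines` and `demo` helpers and the temporary paths are hypothetical stand-ins for the real log files.

```shell
#!/bin/sh
# Added example: deleting log lines through a symlink without replacing the link.

# strip_lines PATTERN FILE: delete lines matching PATTERN (basic regex) from
# FILE. If FILE is a symlink, the link target is rewritten and the link kept.
strip_lines() {
    pattern=$1
    file=$2
    target=$(readlink -f "$file") || return 1
    tmp="$target.$$"
    # grep -v exits 1 when every line was removed; only >1 is a real error
    grep -v -e "$pattern" "$target" > "$tmp" || [ $? -eq 1 ] ||
        { rm -f "$tmp"; return 1; }
    # Overwrite the existing file instead of renaming over it, so the inode
    # and any symlink pointing at it both survive
    cat "$tmp" > "$target" && rm -f "$tmp"
}

# demo MODE: build a temp log plus symlink, clean it with MODE (sed|safe),
# then report whether the link survived and what the link target now holds.
demo() {
    d=$(mktemp -d) || return 1
    printf 'keep me\nSkynet: noise\n' > "$d/messages"
    ln -s "$d/messages" "$d/syslog.log"
    case $1 in
        sed)  sed -i '/Skynet: /d' "$d/syslog.log" ;;
        safe) strip_lines 'Skynet: ' "$d/syslog.log" ;;
    esac
    if [ -L "$d/syslog.log" ]; then kind=link; else kind=file; fi
    echo "$kind: $(tr '\n' ',' < "$d/messages")"
    rm -rf "$d"
}

demo sed    # link replaced by a regular file, real log left unedited
demo safe   # link intact, real log cleaned
```

With plain `sed -i` the edited copy lands where the symlink used to be, so the real log is never cleaned and later writes to the two paths diverge.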
 