Skynet Skynet issue

[unclebuk]

Can someone have a look at the attached screenshot and indicate whats's going on and suggest any methods to resolve this please.
Is it possible that the outdated merlin f/w (FW Version; 384.19_0 (Aug 14 2020) could be causing this?

Also, Option 10, [10] --> Update Skynet: fails.

Thanks in advance,
Unk

[*] Lock File Detected (start skynetloc=/tmp/mnt/Asus-entware/skynet) (pid=19191)
[*] Locked Processes Generally Take 1-2 Minutes To Complete And May Result In Temporarily "Failed" Tests

 

[Viktor Jaep]

Can someone have a look at the attached screenshot and indicate whats's going on and suggest any methods to resolve this please.
Is it possible that the outdated merlin f/w (FW Version; 384.19_0 (Aug 14 2020) could be causing this?

Also, Option 10, [10] --> Update Skynet: fails.

Thanks in advance,
Unk

[*] Lock File Detected (start skynetloc=/tmp/mnt/Asus-entware/skynet) (pid=19191)
[*] Locked Processes Generally Take 1-2 Minutes To Complete And May Result In Temporarily "Failed" Tests

It certainly doesn't hurt getting up to date on the latest and greatest. My skynet will give me the same messages at times after a reboot, or after forcing a major reset of some kind, but they will eventually resolve themselves after a minute or two. Are yours not resolving?

When picking option 10, it asks to check for new updates, and upon hitting option 1, it says I'm still up-to-date. Where does it fail for you? You can also try running this command:

/jffs/scripts/firewall update

 

[unclebuk]

/jffs/scripts/firewall update

Yeah, running the script u provided seemed to do the trick. Thank you very much for your assistance.

 

[harry]

Hi Guys. I am trying to make a head and tail out of these stats. as soon as I restart Skynet its changing the syslog location to custom.
also its showing some locked file detected. i can change location back to default again but why its changing it after restart !!
can anyone please shed a light on this.
only modules I am playing around with right now are AMTM, Diversion and Skynet.
my main module which I love is built in cake but however I wanted to expand my exploration into other modules too.

 

[SomeWhereOverTheRainBow]

Hi Guys. I am trying to make a head and tail out of these stats. as soon as I restart Skynet its changing the syslog location to custom.
also its showing some locked file detected. i can change location back to default again but why its changing it after restart !!
can anyone please shed a light on this.
only modules I am playing around with right now are AMTM, Diversion and Skynet.
my main module which I love is built in cake but however I wanted to expand my exploration into other modules too.

Do you have Scribe installed? If so, that might be why the location keeps changing to custom. I cannot think of any other reason why this would be changing.

 

[harry]

Thanks For reply. only modules I am using are attached. I never installed scribe.

 

[harry]

I did modem reset and USB format on PC and than in router and than with USB module using FD command.
reinstalled Skynet. but same issue. after restarting Skynet syslog location changes to custom.
only module I am running now are AMTM- Skynet and Format Disk.

 

[SomeWhereOverTheRainBow]

I did modem reset and USB format on PC and than in router and than with USB module using FD command.
reinstalled Skynet. but same issue. after restarting Skynet syslog location changes to custom.
only module I am running now are AMTM- Skynet and Format Disk.

Yea, I am not sure myself why this is the case. I looked at the script code. It might be intended behavior because this option behaves differently between old AC router models versus the newer AX models. Maybe @Adamm or @dave14305 can look into this if they get the time.

 

[Adamm]

Yea, I am not sure myself why this is the case. I looked at the script code. It might be intended behavior because this option behaves differently between old AC router models versus the newer AX models. Maybe @Adamm or @dave14305 can look into this if they get the time.

    if ps | grep -F "/sbin/syslogd" | grep -qF "/jffs/syslog.log" && [ "$syslogloc" = "/tmp/syslog.log" ]; then
        syslogloc="/jffs/syslog.log" # Fix syslog location on newer random models
        syslog1loc="/jffs/syslog.log-1"
    fi

This was intended at the time to get around what appeared to be random models now having a new default syslog location in /jffs/syslog.log... Is the issue that is says custom in Skynet?

 

[SomeWhereOverTheRainBow]

Is the issue that is says custom in Skynet?

That appears to be what @harry is concerned with.

 

[harry]

I have reset the router (gt ax6000) attached new USB. only using AMTM- Skynet and Disk check modules. issue is still there. however it's only when I restart Skynet.

 

[dave14305]

I have reset the router (gt ax6000) attached new USB. only using AMTM- Skynet and Disk check modules. issue is still there. however it's only when I restart Skynet.

You can stop fretting over it. It’s not a problem. Skynet considers any log location other than /tmp/syslog.log to be custom. Newer routers use /jffs/syslog.log. Hence “custom”.

 

[fanasus]

hello,
noob in the matter, I installed "Skynet", can you tell me if it is normal to see in the section "Top 10 Blocked Devices (Outbound)", the own LAN IP of my computer!?
thank you

 

[dave14305]

can you tell me if it is normal to see in the section "Top 10 Blocked Devices (Outbound)", the own IP of my computer!?

If you mean your router WAN IP, it would be expected for users of Unbound. Is port 53 a top port blocked?

 

[fanasus]

If you mean your router WAN IP, it would be expected for users of Unbound. Is port 53 a top port blocked?

hello, sorry I don’t speak English at the base, I’m not sure what you want to explain. NB: the IP that appears is that of my computer! and not the IP of my router (and I don’t know if this is normal)

 

[dave14305]

hello, sorry I don’t speak English at the base, I’m not sure what you want to explain. NB: the IP that appears is that of my computer! and not the IP of my router (and I don’t know if this is normal)

It would not be “normal” for many outbound blocks from a local computer, but you would need to analyze the destination IPs of the blocked connections to see if it’s expected or malicious IP.

Sometimes the public block lists get too aggressive and include “good” IPs in their list.

 

[fanasus]

It would not be “normal” for many outbound blocks from a local computer, but you would need to analyze the destination IPs of the blocked connections to see if it’s expected or malicious IP.

Sometimes the public block lists get too aggressive and include “good” IPs in their list.

ok, but..!? how can I see it please!? I looked at the "firewall" section of the router, but I don’t see any reference regarding my IP computer currently in use, thanks

NB: I enabled "Enable IPv4 incoming firewall rules" (Who was deactivated, did it right?)

 

[dave14305]

NB: I enabled "Enable IPv4 incoming firewall rules" (Who was deactivated, did it right?)

You can disable it. You don’t usually want to allow incoming traffic from the internet.

ok, but..!? how can I see it please!? I looked at the "firewall" section of the router, but I don’t see any reference regarding my IP computer currently in use, thanks

Login to an SSH session and run:

firewall stats search device 192.168.1.123

but replace the IP with the IP of your computer.

See many other possible commands at:

IPSet_ASUS/README.md at master · Adamm00/IPSet_ASUS

Skynet - Advanced IP Blocking For ASUS Routers Using IPSet. - Adamm00/IPSet_ASUS

github.com

 

[fanasus]

You can disable it. You don’t usually want to allow incoming traffic from the internet.

ok I restarted it

Login to an SSH session and run:

firewall stats search device 192.168.1.123

but replace the IP with the IP of your computer.

is the result:
Logging Data Detected in /tmp/mnt/ASUS-SSD/skynet/skynet.log - 7.1M
Monitoring From Jun 29 19:31:09 To Jul 4 15:16:05
30475 Block Events Detected
5376 Unique IPs
0 Manual Bans Issued

192.168.1.201 First Tracked On Jul 3 10:36:05
192.168.1.201 Last Tracked On Jul 3 10:37:25
30 Blocks Total

Device Name;
ericminimac

First Block Tracked From 192.168.1.201;
Jul 3 10:36:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:xxxxxxxxxxxx

10 Most Recent Blocks From 192.168.1.201;
Jul 3 10:37:12 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:xxxxxxxxxxxxx
Jul 3 10:37:12 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:xxxxxxxxxxxx
Jul 3 10:37:22 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:xxxxxxxxxxxx
Jul 3 10:37:22 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:xxxxxxxxxxxx
Jul 3 10:37:23 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:xxxxxxxxxxxx
Jul 3 10:37:23 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:xxxxxxxxxxxx
Jul 3 10:37:24 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:xxxxxxxxxxxx
Jul 3 10:37:24 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:xxxxxxxxxxxx
Jul 3 10:37:25 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:xxxxxxxxxxxx
Jul 3 10:37:25 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=c8:7f:xxxxxxxxxxxx

Top 10 HTTP(s) Blocks (Outbound);

-------- | -------------- | --------------
| Hits | | | IP Address | | | AlienVault |
-------- | -------------- | --------------

30x | 213.186.33.19 (FR) | https://otx.alienvault.com/indicator/ip/213.

Top 10 Blocks From (Outbound);

-------- | -------------- | --------------
| Hits | | | IP Address | | | AlienVault |
-------- | -------------- | --------------
-*-
================================================================================


[#] 34966 IPs (+0) -- 2387 Ranges Banned (+0) || 1 Inbound -- 0 Outbound Connect

See many other possible commands at:

IPSet_ASUS/README.md at master · Adamm00/IPSet_ASUS

Skynet - Advanced IP Blocking For ASUS Routers Using IPSet. - Adamm00/IPSet_ASUS

github.com

NB: I don’t know what that "mac address" is, which I masked

 

[dave14305]

Top 10 HTTP(s) Blocks (Outbound);

-------- | -------------- | --------------
| Hits | | | IP Address | | | AlienVault |
-------- | -------------- | --------------

30x | 213.186.33.19 (FR) | https://otx.alienvault.com/indicator/ip/213.

Run this command to see why the destination is blocked:

firewall stats search malware 213.186.33.19

You can also go to the URL mentioned to see more info:

AlienVault - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

otx.alienvault.com