What's new

Skynet Skynet - Router Firewall & Security Enhancements

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Might be a github thing, try a force update and it should download the most recent version.

didnt work for me either wont upgrade to 6.2.2
 
yep rerun the update and now it says 6.2.2 thanks
 
@Adamm

I understand the 'Toggle Ban AiProtect' option but not sure what the two options below do and there purpose?

Code:
[8]  --> Toggle PrivateIP Filtering
[9]  --> Toggle Invalid Packet Logging

Could you explain? i've enabled them at the moment but would like to understand what there purpose is and what they do.

The Ban AiProtect is a great feature i think, every now and then i used to go to 'AiProtection Two-Way IPS' tab and manually add the IPs to skynet, it's great as saves me doing it manually and saves some time. :)

Thank you.
 
@Adamm
Code:
[8]  --> Toggle PrivateIP Filtering
[9]  --> Toggle Invalid Packet Logging

It would be also very cool to see if this toggles are activated or deactivated at the moment :)
 
@Adamm

I understand the 'Toggle Ban AiProtect' option but not sure what the two options below do and there purpose?

Code:
[8]  --> Toggle PrivateIP Filtering
[9]  --> Toggle Invalid Packet Logging

Could you explain? i've enabled them at the moment but would like to understand what there purpose is and what they do.

The Ban AiProtect is a great feature i think, every now and then i used to go to 'AiProtection Two-Way IPS' tab and manually add the IPs to skynet, it's great as saves me doing it manually and saves some time. :)

Thank you.

Code:
( sh /jffs/scripts/firewall debug unbanprivate enable|disable ) Enable/Disable Unban_PrivateIP Function
( sh /jffs/scripts/firewall debug loginvalid enable|disable ) Enable/Disable Invalid Packet Logging
 
I've pushed v6.2.3

This adds a feature I call "secure mode". This feature will prevent both SSH and the WebUI being exposed to WAN. This feature was directly inspired by the recent wave of routers being compromised. Hopefully this prevents (or at least slows down) routers being taken over by immediately disabling these settings if they are toggled.

If anyone else has other IOC's (indicators of compromise) that are relevant to this exploit, let me know and I can add further checks. I know it also changes the language to Chinese, enables PPTP VPN server and DDNS but I need more information to detect this accurately (maybe they use a common PPTP/DDNS username).

To enable this feature;

Code:
sh /jffs/scripts/firewall debug securemode enable
 
I've pushed v6.2.4

This will check PPTP for suspicious settings as there is a common string used on compromised routers. Still looking into common DDNS IOC's.
 
Adamm, is there a flag that can be checked when any of these new security features is enabled or disabled?
 
Adamm, is there a flag that can be checked when any of these new security features is enabled or disabled?

You will get a notification in the syslog of either the 3 following things;

Code:
[WARNING] Insecure Setting Detected - Disabling WAN SSH Access


[WARNING] Insecure Setting Detected - Disabling WAN GUI Access


[WARNING] PPTP VPN Server Shows Signs Of Compromise - Investigate Immediately!
 
One more question, once enabled, do they stay enabled after a router reboot?
 
One more question, once enabled, do they stay enabled after a router reboot?

Secure mode is a persistent setting in Skynet. Once enabled it will check the router upon startup and once per hour for these potentially malicious indicators.
 
Why does skynet not block as many domains as ab-solution?
For example, ab-solution says it's blocking 641567 domains but skynet says it's only blocking 108326?
 
Why does skynet not block as many domains as ab-solution?
For example, ab-solution says it's blocking 641567 domains but skynet says it's only blocking 108326?
T
Why does skynet not block as many domains as ab-solution?
For example, ab-solution says it's blocking 641567 domains but skynet says it's only blocking 108326?
Two different purposes: adware (AB-Solution) vs malware (Skynet)...
 
Why does skynet not block as many domains as ab-solution?
For example, ab-solution says it's blocking 641567 domains but skynet says it's only blocking 108326?
T

Two different purposes: adware (AB-Solution) vs malware (Skynet)...

Apples and oranges. AB-Solution is a DNS blocking solution, Skynet is IP based. With shared hosting for instance, one IP can be potentially linked to thousands of domains. Not only this but some of the IP CIDR ranges alone cover thousands of IPs in an optimised format.
 
This feature will prevent both SSH and the WebUI being exposed to WAN.
Is it possible to allow specific exceptions?

I would like to allow SSH on WAN via keys only, but prevent password based access (SSH, WebUI).
 
Last edited:
Secure mode is a persistent setting in Skynet. Once enabled it will check the router upon startup and once per hour for these potentially malicious indicators.

We don't have to re-enable after upgrading either, correct?
(just making sure)
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top