Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

Perhaps a check or prompt in the installation process that the "Enable JFFS custom scripts and configs" setting is on first before rebooting the router, if that's even possible? Not knowing what I was doing & missing this minor setting caused me no end of grief trying to get all this to even initiate, let alone work

This check already exists, if the setting isn't enabled Skynet forces a user to reboot after installation rather then simply restarting the firewall service. Your issue was more then likely related to something else, but without a syslog extract its hard to say.

On side note: is there a way to reset the SWAP file?

The following will let you resize the file;

sh /jffs/scripts/firewall debug swap install

 

[Butterfly Bones]

This very odd. I've searched here on SNB and on Google for these syslog entries and found nothing relevant or related. Only a few links to DD-WRT about the Broadcom BCM63xx on the Wiki.

I do not think it is Skynet, however as my neighbor's granddaughter says, "It is so much a co-ink-a-dink"!

It happens after the 02:00 save and just before the 02:25 banmalware update, no other syslog entries. I have never seen this until the new "secure mode" feature was added and the subsequent update to v6.2.4 on May 31, 2018. Of course I enabled secure mode, that is why I post here, hoping I am not too far off in left field.

I've searched for entire string and only for bcm63xx, nand, ff801800, intfc, status f00000e0, and various combinations. Nada, zip, zilch, zero. Any clues welcome. AC86U with Merlin 384.5, Skynet, ABS, Pixelserv, Entware

Jun  1 02:00:02 Skynet: [Complete] 108617 IPs / 1698 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1011 Inbound / 33 Outbound Connections Blocked! [save] [2s]
Jun  1 02:25:09 kernel: bcm63xx_nand ff801800.nand: timeout waiting for command 0x1
Jun  1 02:25:09 kernel: bcm63xx_nand ff801800.nand: intfc status f00000e0
Jun  1 02:25:23 Skynet: [Complete] 106961 IPs / 1668 Ranges Banned. -1656 New IPs / -30 New Ranges Banned. 1043 Inbound / 33 Outbound Connections Blocked! [banmalware] [23s]


Jun  2 02:00:01 Skynet: [Complete] 106961 IPs / 1668 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2898 Inbound / 50 Outbound Connections Blocked! [save] [1s]
Jun  2 02:25:02 kernel: bcm63xx_nand ff801800.nand: timeout waiting for command 0x1
Jun  2 02:25:02 kernel: bcm63xx_nand ff801800.nand: intfc status f00000e0
Jun  2 02:25:18 Skynet: [Complete] 95573 IPs / 1471 Ranges Banned. -11388 New IPs / -197 New Ranges Banned. 2934 Inbound / 78 Outbound Connections Blocked! [banmalware] [18s]


Jun  3 02:00:02 Skynet: [Complete] 95573 IPs / 1471 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 4608 Inbound / 78 Outbound Connections Blocked! [save] [2s]
Jun  3 02:25:03 kernel: bcm63xx_nand ff801800.nand: timeout waiting for command 0x1
Jun  3 02:25:03 kernel: bcm63xx_nand ff801800.nand: intfc status f00000e0
Jun  3 02:25:04 kernel: bcm63xx_nand ff801800.nand: timeout waiting for command 0x1
Jun  3 02:25:04 kernel: bcm63xx_nand ff801800.nand: intfc status f00000e0
Jun  3 02:25:08 kernel: bcm63xx_nand ff801800.nand: timeout waiting for command 0x1
Jun  3 02:25:08 kernel: bcm63xx_nand ff801800.nand: intfc status f00000e0
Jun  3 02:25:19 Skynet: [Complete] 109576 IPs / 1706 Ranges Banned. 14003 New IPs / 235 New Ranges Banned. 4627 Inbound / 92 Outbound Connections Blocked! [banmalware] [19s]

 

[Adamm]

This very odd. I've searched here on SNB and on Google for these syslog entries and found nothing relevant or related. Only a few links to DD-WRT about the Broadcom BCM63xx on the Wiki.

I do not think it is Skynet, however as my neighbor's granddaughter says, "It is so much a co-ink-a-dink"!

It happens after the 02:00 save and just before the 02:25 banmalware update, no other syslog entries. I have never seen this until the new "secure mode" feature was added and the subsequent update to v6.2.4 on May 31, 2018. Of course I enabled secure mode, that is why I post here, hoping I am not too far off in left field.

I've searched for entire string and only for bcm63xx, nand, ff801800, intfc, status f00000e0, and various combinations. Nada, zip, zilch, zero. Any clues welcome. AC86U with Merlin 384.5, Skynet, ABS, Pixelserv, Entware

Jun  1 02:00:02 Skynet: [Complete] 108617 IPs / 1698 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1011 Inbound / 33 Outbound Connections Blocked! [save] [2s]
Jun  1 02:25:09 kernel: bcm63xx_nand ff801800.nand: timeout waiting for command 0x1
Jun  1 02:25:09 kernel: bcm63xx_nand ff801800.nand: intfc status f00000e0
Jun  1 02:25:23 Skynet: [Complete] 106961 IPs / 1668 Ranges Banned. -1656 New IPs / -30 New Ranges Banned. 1043 Inbound / 33 Outbound Connections Blocked! [banmalware] [23s]


Jun  2 02:00:01 Skynet: [Complete] 106961 IPs / 1668 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2898 Inbound / 50 Outbound Connections Blocked! [save] [1s]
Jun  2 02:25:02 kernel: bcm63xx_nand ff801800.nand: timeout waiting for command 0x1
Jun  2 02:25:02 kernel: bcm63xx_nand ff801800.nand: intfc status f00000e0
Jun  2 02:25:18 Skynet: [Complete] 95573 IPs / 1471 Ranges Banned. -11388 New IPs / -197 New Ranges Banned. 2934 Inbound / 78 Outbound Connections Blocked! [banmalware] [18s]


Jun  3 02:00:02 Skynet: [Complete] 95573 IPs / 1471 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 4608 Inbound / 78 Outbound Connections Blocked! [save] [2s]
Jun  3 02:25:03 kernel: bcm63xx_nand ff801800.nand: timeout waiting for command 0x1
Jun  3 02:25:03 kernel: bcm63xx_nand ff801800.nand: intfc status f00000e0
Jun  3 02:25:04 kernel: bcm63xx_nand ff801800.nand: timeout waiting for command 0x1
Jun  3 02:25:04 kernel: bcm63xx_nand ff801800.nand: intfc status f00000e0
Jun  3 02:25:08 kernel: bcm63xx_nand ff801800.nand: timeout waiting for command 0x1
Jun  3 02:25:08 kernel: bcm63xx_nand ff801800.nand: intfc status f00000e0
Jun  3 02:25:19 Skynet: [Complete] 109576 IPs / 1706 Ranges Banned. 14003 New IPs / 235 New Ranges Banned. 4627 Inbound / 92 Outbound Connections Blocked! [banmalware] [19s]

The timing is definitely a coincidence. As for syslog print its more of a firmware issue then Skynet, I'd reboot your router see if that changes anything, beyond that its out of my hands. FWIW I can't reproduce this either.

 

[Butterfly Bones]

The timing is definitely a coincidence. As for syslog print its more of a firmware issue then Skynet, I'd reboot your router see if that changes anything, beyond that its out of my hands. FWIW I can't reproduce this either.

I've already rebooted three times in trying to find this. Twice I shut the router down, unplugged power and left it 15 minutes one time and over four hours while I was gone yesterday, just to see. Thank you. I'll post in the 384.5 thread and see.

 

[Mutzli]

I'm not sure if secure mode is really working. I still have attacks recorded from the same IP address, several times a day in intervals of several hours, from 188.166.73.225 - See screenshot below:

 

[Adamm]

I'm not sure if secure mode is really working. I still have attacks recorded from the same IP address, several times a day in intervals of several hours, from 188.166.73.225 - See screenshot below:

View attachment 13358

Thats normal, AiProtect actually intercepts traffic before IPTables gets a chance so if a banned IP is attempting a known exploit by the IPS engine AiProtect will intercept it first, Skynet's role is to block all other traffic.

 

[blueshark]

Enable aiprotect need install entware, how to install it

 

[Adamm]

Enable aiprotect need install entware, how to install it

Use the following command;

/usr/sbin/entware-setup.sh

Be warned, the script will wipe a lot of the jffs custom scripts (I really hope they recode it soon, long overdue), so you will need to rerun the Skynet installer after installing entware.

 

[xtropodx]

This check already exists, if the setting isn't enabled Skynet forces a user to reboot after installation rather then simply restarting the firewall service. Your issue was more then likely related to something else, but without a syslog extract its hard to say.

What I was finding, is that without scripts enabled yes Skynet would prompt to reboot router, but on doing so the internet connection would no longer work & there was no errors or anything to troubleshoot from & seemed like running any commands Skynet would only partially load, even after a reboot.

 

[JaimeZX]

Thats normal, AiProtect actually intercepts traffic before IPTables gets a chance so if a banned IP is attempting a known exploit by the IPS engine AiProtect will intercept it first, Skynet's role is to block all other traffic.

So speaking of aiProtect vs. Skynet then, (as an example) I have here a CSV the FBI pushed out on 29 May with a bunch of malware C2 servers. Presumably TrendMicro and/or the folks who manage the blocklist Skynet uses are all over this? Any way to tell for sure?

 

[Adamm]

So speaking of aiProtect vs. Skynet then, (as an example) I have here a CSV the FBI pushed out on 29 May with a bunch of malware C2 servers. Presumably TrendMicro and/or the folks who manage the blocklist Skynet uses are all over this? Any way to tell for sure?

Generally speaking AiProtect is pretty limited in what it blocks, I've only seen it block a handful of (old) CVE's. Skynet uses reputation data to actively block new botnets/scanners. If you are reffering to the "hidden cobra" lists, Skynet directly sources the previous list released last year, the new list I'm sure overlaps with Skynets other reputation databases.

You could do a rough estimation with a simple for loop and grep search but Skynet does a pretty good job staying relevant with the current lists.

 

[RMerlin]

Generally speaking AiProtect is pretty limited in what it blocks, I've only seen it block a handful of (old) CVE's.

I've seen it block repeated attempts to connect to RDesktop a few months ago (which for a while I had running, on a non-standard port). First time I've seen it actually block something in a useful way, mind you.

I wonder however how effective that blocking is, since the same attack repeated itselfs multiple times on that same day.

 

[blueshark]

Howto know if some status is enable/disable

Ex: Toggle secure mode (on)

 

[Adamm]

Howto know if some status is enable/disable

Ex: Toggle secure mode (on)

You can manually check the config file I guess, or just use the enable command again to make sure (using it multiple times won’t hurt anything)

 

[TheUntouchable]

Howto know if some status is enable/disable

Ex: Toggle secure mode (on)

Something I also mentioned some posts before. Would be very helpfull!

 

[Adamm]

Howto know if some status is enable/disable

Ex: Toggle secure mode (on)

Something I also mentioned some posts before. Would be very helpfull!

I pushed v6.2.5 with this change.

Setting values can now be seen in the "debug info" output.

sh /jffs/scripts/firewall debug info

 

[aavvaallooss]

Yesterday with version 6.2.4 after enabling Entware and reinstalling SkyNet from scratch no problem (pretty sure) updating Banmalware
Today after updating to version 6.2.5 (See picture): can't create temp file '/tmp/mnt/SKYNET/skynet/skynet.ipsetbRbLF6': Read-only file system

 

[blueshark]

I try it and updated without problem. Probably something wrong with usb drive

 

[aavvaallooss]

I try it and updated without problem. Probably something wrong with usb drive

You, sir, are right!

 

[Adamm]

I pushed v6.2.6

There was a bug where banmalware was accidentally disabling the BanAiProtect feature. After updating you will need to manually enable the feature again.