Skynet Skynet - Router Firewall & Security Enhancements

Is there a recommendation on which country codes to block? I noticed a lot of random noise coming from RU ASNs, so that's the only one I am outright blocking right now.

Also, what is skynet using for geoip lookup?

Thanks!

ad af ai al ag ao am ar as aw ax az bf ba bb bg bi bd bj bo br bw by bz cd cf cg ci cl co cu cv cy cz dj do dm dz ec ee eg er et fj fo hr ga ge gh gi gm gn gq gt gu gw gy ht hu il in io iq ir jm ke kg kh ki km kz kp kw la lb li lk ls lt lv ly ma md me mk ml mn mq mr ms mt mz na nc ne ng ni np nr om pa pe pg pk pr ps pw py qa re rs rw sa sc sd sm sn so sr sv sy tc td tk tg tj tl tm tn tr tt tv ug vc ve vu wf ye yt za zw zm

For me only... lol.. check for your country. For your reference. I don't use them now..
Basic firewall and Skynet are already good enough to block common noise.

Most importantly, don't open unnecessary services on the WAN-facing side.
 
Lol,
I haven't been willing to disable UPnP, so it's like playing whack-a-mole.

@Adamm
One feature that may be worth considering is ASN and country code lookups for both blocked and allowed traffic, generating a top 10 report. I've been doing this with Elasticsearch, but I hate collecting logs just to accomplish this.
 
One of the bigger obstacles is that CIDR ranges are hard to "break down" in pure shell without a stupidly large amount of code; it's much easier in other languages. I'm sure there's probably some ingenious way to accomplish it with minimal overhead, but from all the previous research I've done it's definitely a complex solution to a seemingly easy problem.

It's definitely something on my radar, but the cost/benefit ratio is pretty one-sided, at least in every way I've thought of implementing it in the past.
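On the point above about breaking CIDR ranges down in pure shell, here is an added example (not Skynet's own code, and not from Adamm) that does it with nothing but POSIX shell arithmetic, so it runs on a router's busybox ash as well as dash or bash. The /22 sample range (containing 5.188.207.45 from the stats output later in the thread) and the 65536-address cap on expansion are constructed choices.

```sh
#!/bin/sh
# Added example, not Skynet's code: decompose a CIDR range in pure POSIX shell.
# Relies only on $(( )) arithmetic; the /0 case needs a shell with 64-bit
# integers, which busybox ash, dash and bash all provide.

ip2int() {            # dotted quad -> 32-bit integer on stdout
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {            # 32-bit integer -> dotted quad on stdout
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_mask() {         # prefix length -> 32-bit netmask as an integer
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || return 1
    echo $(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

cidr_bounds() {       # a.b.c.d/N -> "first last count"
    _mask=$(cidr_mask "${1#*/}") || return 1
    _start=$(( $(ip2int "${1%/*}") & _mask ))
    _end=$(( _start | (~_mask & 0xFFFFFFFF) ))
    echo "$(int2ip "$_start") $(int2ip "$_end") $(( _end - _start + 1 ))"
}

in_cidr() {           # exit 0 if IP $1 lies inside CIDR $2
    _mask=$(cidr_mask "${2#*/}") || return 1
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "${2%/*}") & _mask )) ]
}

cidr_expand() {       # print every address in the range (refuses > 65536 hosts)
    set -- $(cidr_bounds "$1")
    [ $# -eq 3 ] || return 1
    [ "$3" -le 65536 ] || { echo "refusing to expand $3 addresses" >&2; return 1; }
    _i=$(ip2int "$1"); _last=$(ip2int "$2")
    while [ "$_i" -le "$_last" ]; do int2ip "$_i"; _i=$(( _i + 1 )); done
}

# Demo on a constructed /22 around one of the IPs seen in this thread.
cidr_bounds 5.188.207.45/22                  # 5.188.204.0 5.188.207.255 1024
if in_cidr 5.188.207.80 5.188.207.45/22; then echo "5.188.207.80 is inside"; fi
cidr_expand 192.0.2.0/30
```

Because membership is a single masked comparison, a per-IP lookup against a list of ranges never needs the range expanded; expansion is only worth it for small prefixes fed to a tool that wants single addresses.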
 
Are the log messages that are labeled kernel saying it is blocking an inbound or outbound connection part of Skynet activity? If not, do you know where to get more info on how to understand the logs? It looks like something on the LAN is sending out a UDP packet once in a while (but is blocked) and then I get a different IP trying to respond every 45 seconds or so (which are also blocked), but I can't tell what device is sending; the MAC address is crazy long and doesn't match anything on my network I am aware of.
 
You forgot China and Russia - cn ru
 
I surf Chinese websites so I can't do that, and I think a lot of sites are hosted using Russian servers/CDNs, so I didn't do that either.
If given the choice, China definitely needs to be blocked.
 
Are the log messages that are labeled kernel saying it is blocking an inbound or outbound connection part of Skynet activity?

Yes, this is what Skynet refers to as "debug mode"; essentially it just logs every connection as it's blocked, using the standard IPTables format.

If not, do you know where to get more info on how to understand the logs?

A quick Google search will give you a good explanation of what every piece of information in the log means.

the MAC address is crazy long and doesn't match anything on my network I am aware of.

That is actually 3 pieces of information: the first 12 characters are the destination MAC, the second 12 characters are the source MAC, and the last 4 characters are the EtherType code. You can read about it here.
 
So is there any kind of threat assessment or analytical software packages that can build reports based on log data pulled from Skynet? It would be quite useful to see a day, week or month at-a-glance to see trends, highlight abnormal activity, or allow one to dig deeper into a specific event or set alerts for trigger events. Skynet is already doing the work, just looking for the analytical side.
 
Skynet does this to a degree with the stats function, but I'm unsure off the top of my head of other software which can parse the logs as-is.
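To tie together the MAC field explanation above and the question of parsing the debug log, here is an added example (not Skynet's own code) in POSIX shell: it splits the MAC= value into destination MAC, source MAC and EtherType, pulls the source MAC out of an outbound block line to name the LAN device, and builds a "Top Targeted Ports" count like the stats function. The four log lines are constructed, and the "[BLOCKED - INBOUND]"/"[BLOCKED - OUTBOUND]" prefixes are assumed.

```sh
#!/bin/sh
# Added example, not Skynet's code: field extraction from iptables-format log
# lines. The MAC= value is 14 colon-separated bytes: 6 dst MAC, 6 src MAC,
# 2 EtherType (0800 = IPv4). Log lines below are constructed samples.

LOG='Jul 23 17:40:01 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ac:9e:17:00:00:01:00:01:5c:00:aa:bb:08:00 SRC=5.188.207.45 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=55270 DPT=23 SYN
Jul 23 17:41:12 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ac:9e:17:00:00:01:00:01:5c:00:aa:bb:08:00 SRC=146.185.222.27 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=51073 DPT=23 SYN
Jul 23 17:42:30 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ac:9e:17:00:00:01:00:01:5c:00:aa:bb:08:00 SRC=79.124.56.142 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=43319 DPT=22 SYN
Jul 23 17:43:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 MAC=ac:9e:17:00:00:01:8c:f5:a3:12:34:56:08:00 SRC=192.168.1.219 DST=17.173.254.223 LEN=52 PROTO=UDP SPT=16403 DPT=16387'

log_field() {       # log_field NAME "<line>" -> value of the NAME=value token
    for _tok in $2; do
        case $_tok in "$1="*) echo "${_tok#*=}"; return 0 ;; esac
    done
    return 1
}

split_mac() {       # "dd:..:dd:ss:..:ss:tt:tt" -> "dst_mac src_mac ethertype"
    _ifs=$IFS; IFS=:; set -- $1; IFS=$_ifs
    [ $# -eq 14 ] || return 1           # 6 + 6 octets + 2-byte EtherType
    echo "$1:$2:$3:$4:$5:$6 $7:$8:$9:${10}:${11}:${12} ${13}${14}"
}

lan_device() {      # outbound block line -> source MAC, i.e. the LAN device
    set -- $(split_mac "$(log_field MAC "$1")")
    [ $# -eq 3 ] || return 1
    echo "$2"
}

top_ports() {       # top_ports INBOUND|OUTBOUND < log -> "COUNTx PORT" lines
    grep "\[BLOCKED - $1\]" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | while read -r _n _port; do
            echo "${_n}x $_port"
        done
}

# Demo on the constructed log above.
printf '%s\n' "$LOG" | top_ports INBOUND            # 2x 23 / 1x 22
_last=$(printf '%s\n' "$LOG" | tail -n 1)
echo "outbound block from LAN device $(lan_device "$_last") to $(log_field DST "$_last")"
```

On an outbound block the source MAC is the LAN device's hardware address, so matching it against the router's DHCP lease table is the quickest way to identify a device that the IP alone does not reveal.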
 
I've also pushed v6.3.2

Skynet will cache any suspicious files it detects and compress them for further inspection (thanks to @itsJarrett for the pull request). There are also some minor improvements to stuck process handling.
 
Anyone care to take a stab at why I am getting hammered by speedguide.net and bigger yet why Alienvault is hammering me?

The REALLY strange thing is I did read a couple of pages about Alien Vault today while at work on my phone. Nowhere near my network. I haven't searched it since getting home, and even if a page loaded in the background I can't see it generating this much traffic...


/jffs/scripts/firewall stats 10

Debug Data Detected in /tmp/mnt/sda1/skynet/skynet.log - 2.1M
Monitoring From Jul 20 18:49:35 To Jul 23 17:45:48
7773 Block Events Detected
1737 Unique IPs
0 Manual Bans Issued

Top 10 Targeted Ports (Inbound); (Torrent Clients May Cause Excess Hits In Debug Mode)
541x https://www.speedguide.net/port.php?port=23
319x https://www.speedguide.net/port.php?port=22
296x https://www.speedguide.net/port.php?port=5060
279x https://www.speedguide.net/port.php?port=16403
194x https://www.speedguide.net/port.php?port=1433
92x https://www.speedguide.net/port.php?port=8080
88x https://www.speedguide.net/port.php?port=81
87x https://www.speedguide.net/port.php?port=3389
72x https://www.speedguide.net/port.php?port=8088
68x https://www.speedguide.net/port.php?port=2323

Top 10 Source Ports (Inbound);
279x https://www.speedguide.net/port.php?port=16387
219x https://www.speedguide.net/port.php?port=55270
219x https://www.speedguide.net/port.php?port=51073
102x https://www.speedguide.net/port.php?port=53887
102x https://www.speedguide.net/port.php?port=50426
88x https://www.speedguide.net/port.php?port=43319
81x https://www.speedguide.net/port.php?port=65535
66x https://www.speedguide.net/port.php?port=50926
60x https://www.speedguide.net/port.php?port=59020
60x https://www.speedguide.net/port.php?port=56904

Last 10 Unique Connections Blocked (Inbound);
https://otx.alienvault.com/indicator/ip/31.162.142.27
https://otx.alienvault.com/indicator/ip/146.185.222.27
https://otx.alienvault.com/indicator/ip/78.128.112.46
https://otx.alienvault.com/indicator/ip/79.124.56.142
https://otx.alienvault.com/indicator/ip/103.114.105.94
https://otx.alienvault.com/indicator/ip/146.185.222.9
https://otx.alienvault.com/indicator/ip/217.61.96.4
https://otx.alienvault.com/indicator/ip/5.188.207.45
https://otx.alienvault.com/indicator/ip/5.188.10.103
https://otx.alienvault.com/indicator/ip/5.188.207.80

Last 10 Unique Connections Blocked (Outbound);
https://otx.alienvault.com/indicator/ip/17.173.254.223
https://otx.alienvault.com/indicator/ip/216.218.254.202

Last 10 Manual Bans;

Last 10 Unique HTTP(s) Blocks (Outbound);
https://otx.alienvault.com/indicator/ip/66.6.44.4
https://otx.alienvault.com/indicator/ip/151.139.236.44
https://otx.alienvault.com/indicator/ip/104.27.128.181
https://otx.alienvault.com/indicator/ip/104.27.129.181
https://otx.alienvault.com/indicator/ip/216.40.47.17
https://otx.alienvault.com/indicator/ip/23.236.62.147

Top 10 HTTP(s) Blocks (Outbound);
202x https://otx.alienvault.com/indicator/ip/104.27.128.181
195x https://otx.alienvault.com/indicator/ip/104.27.129.181
42x https://otx.alienvault.com/indicator/ip/66.6.44.4
28x https://otx.alienvault.com/indicator/ip/216.40.47.17
14x https://otx.alienvault.com/indicator/ip/23.236.62.147
14x https://otx.alienvault.com/indicator/ip/151.139.236.44

Top 10 Blocks (Inbound);
279x https://otx.alienvault.com/indicator/ip/17.173.254.223
219x https://otx.alienvault.com/indicator/ip/79.124.56.142
219x https://otx.alienvault.com/indicator/ip/77.72.85.25
145x https://otx.alienvault.com/indicator/ip/181.214.87.113
125x https://otx.alienvault.com/indicator/ip/51.15.153.3
103x https://otx.alienvault.com/indicator/ip/146.185.222.36
102x https://otx.alienvault.com/indicator/ip/78.128.112.50
90x https://otx.alienvault.com/indicator/ip/146.185.222.13
89x https://otx.alienvault.com/indicator/ip/146.185.222.27
88x https://otx.alienvault.com/indicator/ip/173.249.13.63

Top 10 Blocks (Outbound);
145x https://otx.alienvault.com/indicator/ip/17.173.254.223
1x https://otx.alienvault.com/indicator/ip/216.218.254.202

Top 10 Blocked Devices (Outbound);
453x 192.168.1.219 SAMSUNG-SM-N950U
145x 192.168.1.229 Skyes-iPod
43x 192.168.1.169 *

Skynet: [Complete] 107009 IPs / 1773 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 11 Inbound / 0 Outbound Connections Blocked! [stats] [7s]


Press Enter To Continue...
 
You are not being "hammered" by those two servers. They are simply URLs provided by Skynet to aid in investigating the ports and IPs that are indeed trying to get in!
 
... correct... and look at the number of events inside of 3 days... that seems excessive (aka hammering)
But NOT by speedguide.net and alienvault.com! Those are just URLs to supply info about the IPs that ARE "hammering" you and what ports they are using....
 
Now I get it. I thought those were the resolved URLs that the connections originated from or were going to. It's telling me to use those websites to look up more info on these addresses then....
 
I see 300 to 500 scans per hour from the people running scripts trying to find an opening. Welcome to the modern internet. Thank Skynet for the protection it provides!
 
