Skynet Skynet - Router Firewall & Security Enhancements

[miniterror]

Is this really that old?

Skynet: [ERROR] IPSet Extensions Not Supported - Please Update To Latest Firmware
admin@RT-AC68U-5770:/tmp/home/root#
admin@RT-AC68U-5770:/tmp/home/root#
admin@RT-AC68U-5770:/tmp/home/root# iptables -V
iptables v1.4.14
admin@RT-AC68U-5770:/tmp/home/root# ipset -V
ipset v6.29, protocol version: 6
admin@RT-AC68U-5770:/tmp/home/root#

On page one i see a post with a lower version

 

[Adamm]

Is this really that old?

Skynet: [ERROR] IPSet Extensions Not Supported - Please Update To Latest Firmware
admin@RT-AC68U-5770:/tmp/home/root#
admin@RT-AC68U-5770:/tmp/home/root#
admin@RT-AC68U-5770:/tmp/home/root# iptables -V
iptables v1.4.14
admin@RT-AC68U-5770:/tmp/home/root# ipset -V
ipset v6.29, protocol version: 6
admin@RT-AC68U-5770:/tmp/home/root#

On page one i see a post with a lower version

Skynet requires the comment extension which is only present in builds within the last year or so.

 

[agilani]

Same problem after auto update to skynet 6.3.3
Sep 3 01:25:02 Skynet: [INFO] New Version Detected - Updating To v6.3.3...

no access to skynet and checking status results in
admin@RT-AC88U-17F0:/tmp/home/root# firewall
-sh: firewall: Text file busy
admin@RT-AC88U-17F0:/tmp/home/root#

looks like there is some sort of problem with auto update
Had to hard reset and Looks like the update failed, still on 6.3.2

Router Model; RT-AC88U
Skynet Version; v6.3.2 (29/07/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.6_0 (Jul 25 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/ASUS/skynet (6.0G / 7.4G Space Available)
SWAP File; /tmp/mnt/ASUS/myswap.swp (1.0G)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/ASUS/skynet
Banned Countries; CN RU VN

 

[Adamm]

Same problem after auto update to skynet 6.3.3
Sep 3 01:25:02 Skynet: [INFO] New Version Detected - Updating To v6.3.3...

no access to skynet and checking status results in
admin@RT-AC88U-17F0:/tmp/home/root# firewall
-sh: firewall: Text file busy
admin@RT-AC88U-17F0:/tmp/home/root#

looks like there is some sort of problem with auto update
Had to hard reset and Looks like the update failed, still on 6.3.2

Router Model; RT-AC88U
Skynet Version; v6.3.2 (29/07/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.6_0 (Jul 25 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/ASUS/skynet (6.0G / 7.4G Space Available)
SWAP File; /tmp/mnt/ASUS/myswap.swp (1.0G)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/ASUS/skynet
Banned Countries; CN RU VN

Looks like a USB mounting issue, I suggest you reboot the router and try again.

 

[Adamm]

I've pushed v6.4.1

Code cleanup for the new extended stats function
Fixed bug with incorrect device name in stats
Improved cronjob management
Add new "Settings" menu option (and CLI commands) and moved appropriate toggles
Added new toggles in settings menu (autoupdate/banmalware/debugmode/filtermode)

 

[Twiglets]

I've pushed v6.4.1

Code cleanup for the new extended stats function
Fixed bug with incorrect device name in stats
Improved cronjob management
Add new "Settings" menu option (and CLI commands) and moved appropriate toggles
Added new toggles in settings menu (autoupdate/banmalware/debugmode/filtermode)

Adamm,

One thing I have noticed is that you cannot abort the sub menu '11' by typing 'e'.
Other sub menus allow you to exit by typing 'e' even though it is not a listed option.

P.S.
Thanks for all the hard work on Skynet, very much appreciated

 

[Adamm]

Adamm,

One thing I have noticed is that you cannot abort the sub menu '11' by typing 'e'.
Other sub menus allow you to exit by typing 'e' even though it is not a listed option.

Thanks, I pushed a hotfix. No version change so you will need to force update.

 

[M@rco]

To my surprise https://twitter.com wouldn't load anymore and I found out why. Apparently it was in BanMalware (custom: default + Firehol Level 1):

/opt/bin/firewall stats search ip 104.244.42.129 10

Debug Data Detected in /tmp/mnt/sandisk/skynet/skynet.log - 4.5M
Monitoring From Aug 31 23:25:37 To Sep 8 16:58:56
17812 Block Events Detected
3807 Unique IPs
0 Manual Bans Issued

104.244.42.129 is NOT in set Skynet-Whitelist.
104.244.42.129 is in set Skynet-Blacklist.
104.244.42.129 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware"


Associated Domain(s);
twitter.com

Any idea how something like this can happen? Don't the source lists get cross referenced to prevent blocks like this?

 

[skeal]

I have a crazy question. I logged an outgoing block. Is there any way that the block could be a false positive. What I mean is, could the dropped packet information in the log for the outgoing event be wrong? The source is from my security systems wifi address. The destination looks to be Kiev, Ukraine. Using port 123 as the destination port. I called the security company and asked them and they insist the information is some how wrong. The drop log is below:

Sep  5 17:38:44 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=hidden info SRC=192.168.xx.13 DST=193.27.209.20 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=11559 DF PROTO=UDP SPT=33473 DPT=123 LEN=56

Any thoughts anyone?

EDIT: The drop was done because I have the Ukraine blocked.

 

[skeal]

I reset my router to defaults and manually configured. Since then I have no outgoing blocks from my security system or any address for that matter.

 

[skeal]

This wasn't a one of, it happened over 400 times in 2 days.

Pinging @Adamm

Edit: Could this be linked to using the DoS setting on the firewall page?

 

[Adamm]

Any idea how something like this can happen? Don't the source lists get cross referenced to prevent blocks like this?

Like previously mentioned, firehol lists are a combination of dozens of smaller lists combined. Only takes one poorly managed list to affect them all.

This wasn't a one of, it happened over 400 times in 2 days.

Pinging @Adamm

Edit: Could this be linked to using the DoS setting on the firewall page?

This was no accident, your client is trying to initiate those connections to the IP in question. For what reason I think is the good question (maybe there's some sort of remote management feature etc)

 

[Jack Yaz]

This wasn't a one of, it happened over 400 times in 2 days.

Pinging @Adamm

Edit: Could this be linked to using the DoS setting on the firewall page?

Port 123 is NTP, if I'm not mistaken

 

[M@rco]

Any thoughts anyone?

Port 123 is NTP, if I'm not mistaken

Yes, indeed. And looking at a reverse IP lookup, this IP is a legit ntp server in both 1.ua.pool.ntp.org as well as 2.europe.pool.ntp.org. Could it be it was just your alarm system trying to sync its time with an ntp server, but the request was marked as invalid because of your Ukraine country ban?

 

[skeal]

Yes, indeed. And looking at a reverse IP lookup, this IP is a legit ntp server in both 1.ua.pool.ntp.org as well as 2.europe.pool.ntp.org. Could it be it was just your alarm system trying to sync its time with an ntp server, but the request was marked as invalid because of your Ukraine country ban?

Thank you so much sir. You have put my mind at rest. It looked to me that it was a legit NTP request also. I'm just wondering why a USA security company installed in central Canada would need to sync time with a server in the Ukraine? Hmmm....bit of a mystery.

 

[HardCat]

Thank you so much sir. You have put my mind at rest. It looked to me that it was a legit NTP request also. I'm just wondering why a USA security company installed in central Canada would need to sync time with a server in the Ukraine? Hmmm....bit of a mystery.

A couple of Belkin Wemo devices in use here and I recently discovered they are attempting to contact NTP server owned by Dept. Of Defense (DOD) located in Virginia, USA! I guess the Canadian servers are not good enough...for Wemo of course!

 

[skeal]

A couple of Belkin Wemo devices in use here and I recently discovered they are attempting to contact NTP server owned by Dept. Of Defense (DOD) located in Virginia, USA! I guess the Canadian servers are not good enough...for Wemo of course!

That's it!!!!! I know what it is. Thanks for jogging my memory. I installed 5 or 6 new z-wave devices on my security systems network. It is probably one of those devices communicating through my panel to the time server! Thanks everyone for the help.

 

[skeal]

Hey I came across another problem @Adamm when you clear stats with the reset feature in the gui, it always leaves 1 outbound block on the hourly stats line entry in the system log. I tried this several times. Can you replicate?

 

[Adamm]

Hey I came across another problem @Adamm when you clear stats with the reset feature in the gui, it always leaves 1 outbound block on the hourly stats line entry in the system log. I tried this several times. Can you replicate?

No I can't actually.

Skynet: [Complete] 113212 IPs / 1684 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 348 Inbound / 119 Outbound Connections Blocked! [stats] [4s]

admin@RT-AC86U-2EE8:/tmp/home/root# firewall stats reset
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 07/09/2018 -           Asus Firewall Addition By Adamm v6.4.1                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


Debug Data Detected in /tmp/mnt/Elements/skynet/skynet.log - 5.0M
Monitoring From Sep 8 09:00:10 To Sep 10 19:46:25
21951 Block Events Detected
3889 Unique IPs
0 Manual Bans Issued

Stat Data Reset

Skynet: [Complete] 113212 IPs / 1684 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [stats] [1s]

This value is taken straight from IPTables;

Skynet: [Complete] 113212 IPs / 1684 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 11 Inbound / 0 Outbound Connections Blocked! [stats] [2s]

admin@RT-AC86U-2EE8:/tmp/home/root# iptables --line -t raw -vnL
Chain PREROUTING (policy ACCEPT 8763 packets, 1453K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
2        0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst
3       11   834 LOG        all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
4       11   834 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src

Chain OUTPUT (policy ACCEPT 5126 packets, 74M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst

 

[Adamm]

I've pushed v6.4.2

This update mostly involves UI improvements, along with the hotfixes since the last update. Please let me know if there is any odd (missing/incorrect/badly formatted) output in this update as around 300 strings had to be manually edited. You will notice the settings menu option is much more informative.

Hopefully this makes Skynet a little more aesthetically pleasing as its output was kind of all over the place.



Edit; If you downloaded in the last 20 minutes, please force update for a small hotfix.