Skynet - Router Firewall & Security Enhancements

Oh totally understand about scope and I support that approach.

But if the logs can be exported to a PC some tool may exist or could be leveraged somehow.. Just curious.

Geoiplookup using the maxmind database might be worth looking into. Looks to be CLI friendly. Considering trying it myself.

With a little push from insomnia and boredom, I looked into this a little further. I was able to achieve the desired result without a third party binary/database, but it came at a pretty extensive performance cost.

The problem is to do this it requires a curl request for every listed entry. With the stat page this can mean hundreds of requests, which are slooooooooow. The best case scenario here increased total runtime on my AC86U from 6s => 20s which personally I don't find a good trade-off. I'll see if adding this information makes sense in smaller use cases (individual IP lookup etc), but on the stat page as a whole it's just not worth it right now.
 
With a little push from insomnia and boredom, I looked into this a little further. I was able to achieve the desired result without a third party binary/database, but it came at a pretty extensive performance cost.

The problem is to do this it requires a curl request for every listed entry. With the stat page this can mean hundreds of requests, which are slooooooooow. The best case scenario here increased total runtime on my AC86U from 6s => 20s which personally I don't find a good trade-off. I'll see if adding this information makes sense in smaller use cases (individual IP lookup etc), but on the stat page as a whole it's just not worth it right now.

Maybe an option that can be turned on for short periods of time?
 
I think offloading to an external device like a PC is the way to go. There may even be Linux tools around that can be used with a Linux install or bootable Linux disc.

I agree, don't load up the router any more than absolutely necessary.

It is even possible to command Syslog to send logs live to an external device. Practically anything would be better suited than using the router. Even a phone if the software was available.

E.g. that curl script could be offloaded to an external PC running Linux. Not ideal as it would need to be left running but is still better than loading up the router.
 
Hi, may I please have some guidance on how to extract in one line the number of Passed / Enabled / Disabled statements from the output of 'sh /jffs/scripts/firewall debug info' (i.e. Passed 15 / Enabled 7 / Disabled 2)? I understand that all those may and/or will change with the evolution of your code - however, I can always go back and run the sh to find out what's changed. Appreciate and thank you.
 
I think offloading to an external device like a PC is the way to go. There may even be Linux tools around that can be used with a Linux install or bootable Linux disc.

I agree, don't load up the router any more than absolutely necessary.

It is even possible to command Syslog to send logs live to an external device. Practically anything would be better suited than using the router. Even a phone if the software was available.

E.g. that curl script could be offloaded to an external PC running Linux. Not ideal as it would need to be left running but is still better than loading up the router.

It's called ELK and Splunk ;)

I sure wouldn't mind a built-in ASN and country lookup for Skynet :)
 
Maybe an option that can be turned on for short periods of time?

Unfortunately there's a second limitation which is out of my hands. Most of these APIs require a subscription to use, and the ones that don't limit the amount of requests and speed of requests to force you to their paid options. As you can imagine sending 100+ requests minimum at one time hits these free limits almost instantly.

Hi, may I please have some guidance on how to extract in one line the number of Passed / Enabled / Disabled statements from the output of 'sh /jffs/scripts/firewall debug info' (i.e. Passed 15 / Enabled 7 / Disabled 2)? I understand that all those may and/or will change with the evolution of your code - however, I can always go back and run the sh to find out what's changed. Appreciate and thank you.

You would be better off just referencing and using the source code and modifying it to your needs.
 
I've pushed v6.5.2

This adds country/asn info to the "stats search ip xxx.xxx.xxx.xxx" command. In the future we can look at expanding this functionality, but at the current time this is the only place it makes sense due to the various limitations in place.
 
After formatting, reinstall Skynet as per the usual command. After installing Skynet run the restore command, Skynet will first look for the backup in its install directory, if not found it will ask you to manually specify the path.

Thanks much!
 
It's called ELK and Splunk ;)

I sure wouldn't mind a built-in ASN and country lookup for Skynet :)
Yeah well built in weighs it down or hits other limitations..

Splunk or ELK sounds like a better option...

Can we periodically collect logs for offloaded analysis or something..

 
I've pushed v6.5.2

This adds country/asn info to the "stats search ip xxx.xxx.xxx.xxx" command. In the future we can look at expanding this functionality, but at the current time this is the only place it makes sense due to the various limitations in place.
Works great, but shouldn't there be a time/date stamp after "(i) 46.101.135.146 First Tracked On " and after "(i) 46.101.135.146 Last Tracked On "?
 
This adds country/asn info to the "stats search ip xxx.xxx.xxx.xxx" command. In the future we can look at expanding this functionality, but at the current time this is the only place it makes sense due to the various limitations in place.

Just wondering: I noticed Alienvault provides location info as well and Skynet is already consulting Alienvault. Wouldn't this be easier? Or is it hard to retrieve the country info when querying Alienvault?
 
Works great, but shouldn't there be a time/date stamp after "(i) 46.101.135.146 First Tracked On " and after "(i) 46.101.135.146 Last Tracked On "?

As you can see, there are no logs for that specific IP so the output is correct.

Just wondering: I noticed Alienvault provides location info as well and Skynet is already consulting Alienvault. Wouldn't this be easier? Or is it hard to retrieve the country info when querying Alienvault?

AlienVault wasn’t designed for this functionality whereas ipapi was.
 
Skynet fully supports (router) OpenVPN implementations and the Astrill VPN Plugin
Can you please explain in greater detail what that means?

Do I have to use the Astrill VPN plugin (I never heard of that VPN provider before) for being able to successfully run the OpenVPN Server after I installed Skynet?

Or does it mean I have to use that plugin when I like to use the Asus router in OpenVPN Client mode?

What is it that that plugin does?
Does it also work with other VPN providers such as Torguard?
 
Can you please explain in greater detail what that means?

Do I have to use the Astrill VPN plugin (I never heard of that VPN provider before) for being able to successfully run the OpenVPN Server after I installed Skynet?

Or does it mean I have to use that plugin when I like to use the Asus router in OpenVPN Client mode?

What is it that that plugin does?
Does it also work with other VPN providers such as Torguard?

Astrill have a plug-in designed specifically for this firmware which we support. But we also support all regular OpenVPN client/server connections too from other providers.
 
As you can see, there are no logs for that specific IP so the output is correct.
Shouldn't there be a log since it was blocked by AIProtection? I did check some of the last few IP addresses that have been blocked by AIProtection, about half do show a log and the other half shows nothing.
 
Shouldn't there be a log since it was blocked by AIProtection? I did check some of the last few IP addresses that have been blocked by AIProtection, about half do show a log and the other half shows nothing.

Not necessarily. The ban could have taken place days/weeks ago and logs have been rotated since, or it possibly only "knocked" once when AiProtect initially flagged the IP.
 
Yeah well built in weighs it down or hits other limitations..

Splunk or ELK sounds like a better option...

Can we periodically collect logs for offloaded analysis or something..


don't know if you caught this when adam posted it earlier for you

Skynet purges its own logs from syslog to "/tmp/mnt/USBNAME/skynet/skynet.log"

or just send your syslog to splunk or ELK from merlin with debug enabled.
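
The posts above weigh per-entry lookups against router load and API rate limits. As an added example (not Skynet's code, and not from any poster), this shell script run on a PC against a copy of the log reduces it to one line per unique source address, so a later lookup pass needs one request per address instead of one per entry. It assumes iptables-style log lines with a `SRC=` field; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise blocked source IPs on a PC, off the router.
# Assumption: iptables-style LOG lines that carry a SRC=<ipv4> field.
LC_ALL=C; export LC_ALL

# unique_sources FILE [MIN_HITS]
# Prints "count ip" per distinct source address, most frequent first.
unique_sources() {
    awk -v min="${2:-1}" '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    hits[substr($i, 5)]++
                    break
                }
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# lookup_budget FILE [MIN_HITS]
# Lookups needed when every unique address is queried only once.
lookup_budget() {
    unique_sources "$1" "${2:-1}" | wc -l | tr -d ' '
}

# Constructed sample lines (documentation address ranges, not real traffic).
make_sample_log() {
    cat > "$1" <<'EOF'
Oct 18 09:40:01 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=23
Oct 18 09:40:05 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=22
Oct 18 09:41:12 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=23
Oct 18 09:41:30 dnsmasq[412]: started, cache size 1500
Oct 18 09:42:44 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.1 PROTO=UDP DPT=53
Oct 18 09:43:02 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=22
Oct 18 09:43:50 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=2323
EOF
}

# Run as: sh summarise.sh /path/to/copied.log [MIN_HITS]
if [ -n "${1:-}" ]; then
    unique_sources "$1" "${2:-1}"
fi
```

Raising MIN_HITS drops addresses that only "knocked" once, which shrinks the lookup count further when a free API tier is the constraint.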
 
Given all these exciting developments: What size do you recommend for the USB stick then?

Skynet's log file clears itself once it reaches 10MB, so in total you're looking at a maximum total size of Skynet components of ~25MB plus a SWAP file. A cheap USB with a few gigs of space should do the job, 8/16GB drives can be found for next to nothing these days.
 
Hi - I'll repost my request in a different format - background: I have entware installed on the router attached USB stick - 4 main applications: diversion, squid, disk-check and skynet. The first two have a 'check status' command line and show as 'alive' or 'dead', 3rd - disk-check, I tail the last line of the pre-mount log stored on the jffs partition (looking for volume and status - clean or not).
Sorry, I almost forgot nvram-save which is a life saver with the 'start clean' recommendations, before, or after a router firmware update...

Any way of having a relevant skynet status check, please, in one line?
 