
Skynet - Router Firewall & Security Enhancements


Hi @Adamm

This is the output of a banmalware update on my AC68U with the last beta firmware 384.9_beta1

Code:
Downloading filter.list         | [0s]
Refreshing Whitelists           | /opt/bin/firewall: line 4816: can't fork
/opt/bin/firewall: line 4816: can't fork
/opt/bin/firewall: line 4816: can't fork
[12s]
Consolidating Blacklist         | [24s]
Filtering IPv4 Addresses        | [9s]
Filtering IPv4 Ranges           | [0s]
Applying New Blacklist          | [13s]
Refreshing AiProtect Bans       | [0s]
Saving Changes                  | [8s]

What could be the cause of the message "/opt/bin/firewall: line 4816: can't fork"?

Thanks
Jan 23 02:25:25 Skynet: [#] 3751 IPs (-145146) -- 27719 Ranges Banned (-1669) || 16231 Inbound -- 446 Outbound Connections Blocked! [banmalware] [25s]

I had the same thing happen today, it was the same 'Refreshing Whitelists' part of the script.
It is running out of memory to allow the process to fork.
I stopped running other sessions to free up some memory to allow the refresh to complete.
(I actually stopped running the 'Log Filter' in AB-Solution which I normally run in one session in 'Xshell 6' and a 'htop' running in another session in 'Xshell 6'.)

I have a swap file set up and this has previously been enough to allow 'banmalware update' to run.
I suspect that as Skynet is developing more and more features etc., the memory required to perform some actions is increasing.
Yes, I get it as well. After my AC86U (512 swap file) running non-stop for more than two weeks I will get the same. I check the banmalware update line later in the morning and see something like this:
Code:
Jan 23 02:25:25 Skynet: [#] 3751 IPs (-145146) -- 27719 Ranges Banned (-1669) || 16231 Inbound -- 446 Outbound Connections Blocked! [banmalware] [52s]
I manually run banmalware update and get something like this:
Code:
[$] /jffs/scripts/firewall banmalware 
==================================
[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | /jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
/jffs/scripts/firewall: line 4518: can't fork
[1s]
[i] Consolidating Blacklist         | [11s]
[i] Filtering IPv4 Addresses        | [2s]
[i] Filtering IPv4 Ranges           | [0s]
[i] Applying New Blacklist          | [3s]
[i] Refreshing AiProtect Bans       | [0s]
[i] Saving Changes                  | [3s]
Then I reboot the router and run banmalware update again, and it takes less than 20 seconds!

I have seen comments from posters about memory leaks, and they are not confirmed, but I know the AC86U has some quirks, like this for instance. I just set up a cron to run a scheduled reboot once a week (noting reports of the GUI Scheduled reboot not doing a proper umount of the USB disks). I'll see if this solved the "can't fork" leprechaun. :oops:
 

Anyone who can reproduce this, please post the output of the following (I'd assume it's model specific);

Code:
free
sh -x /jffs/scripts/firewall banmalware
 
Hi

Thanks for the marvelous script. After installing the script it changes some options in the router after reboot: it switches from LAN+WAN to LAN in Administration - System - Service - Enable SSH and closes Web access from WAN in Remote Access Config.

I have tried reinstalling it but it is the same. Sometimes it changes the option without rebooting, just after closing and reopening the web window.

What can I do to prevent that?

ASUS RT-AC87U Firmware Version: 384.7_2

Many thanks in advance
 

That's an intended feature of secure mode (which can be disabled). Accessing SSH via WAN is highly recommended against and a huge security risk. Use an alternative solution like running the OpenVPN server on your router and connecting via that.
 
I've pushed v6.7.2

Code:
Use random hour between 12pm - 9am for banmalware
For the life of me I cannot find where to set the time for banmalware update. :confused:
I have a Chromecast that restarts early a.m. and often conflicts with the update. thank you.

Anyone who can reproduce this, please post the output of the following (I'd assume it's model specific);

Code:
free
sh -x /jffs/scripts/firewall banmalware
Mine is my AC86U, I've been running the free command and saving the output now to compare. I did it in the past looking for memory leaks, but saw nothing significant, and did not save results long term, now I will. I also have htop running in a term, but can find nothing there. As a long time Linux geek, these reboots kill me, having had desktops in the past with over 1000 and 5000 days uptime. :D
 
For the life of me I cannot find where to set the time for banmalware update. :confused:
I have a Chromecast that restarts early a.m. and often conflicts with the update. thank you.

You can't, it picks a random hour at 25 minutes past to spread the load.
 
Ah, ok, got it. It is just before 0800 here and has not run. Does that random hour change daily?
 

It changes every time Skynet is restarted, you can check all your cronjobs via;

Code:
cru l
 
Anyone who can reproduce this, please post the output of the following (I'd assume it's model specific);

Code:
free
sh -x /jffs/scripts/firewall banmalware
For Information:

Now, I can run the above commands without any fork error after recreating my swap file, as advised.
Don't know what caused the problem with the original swap file.
 
This is the smallest of suggestions: for those of us using a custom syslog location it would be helpful if either in the menu header (where things like the install directory are listed), or perhaps in the place where one sets a custom location, the current location is listed. I know I can find it in skynet.cfg, but this would be a slight help.

I noticed this trying to track down a slight wonkiness in the hourly stripping and the symlink for the webui, but I've also been doing other stuff that could be the cause.

Edit: Found it. When I updated stubby it also updated syslog-ng to 3.17 and overwrote my S01syslog.ng script.
 
Hey guys,

Quick question, I added an IP list via "(5) Import IP List" / "(1) Blacklist", which worked fine and Skynet says it added all IPs to the Blacklist and saved the changes.

My question is, where can I find this blacklist, or how can I see which entries are in the blacklist? I basically want to check if all the IPs are really in the blacklist.

Also, when adding IPs to the blacklist this way, it will not replace the IP lists used by default in Skynet, correct?

Thanks a lot!
 
@Adamm I'm trying to remove a domain I added from the whitelist.

When removing something from the whitelist it's asking for everything, an IP or range, or a match on a comment. When adding a domain to the whitelist I could only add a domain and there was no prompt for the comment for the entry that I'm adding. Am I missing something?
 
Hey guys,

Quick question, I added an IP list via "(5) Import IP List" / "(1) Blacklist", which worked fine and Skynet says it added all IPs to the Blacklist and saved the changes.

My question is, where can I find this blacklist, or how can I see which entries are in the blacklist? I basically want to check if all the IPs are really in the blacklist.

Check all the various stats commands in the readme which are used to break down the data.

Also, when adding IPs to the blacklist this way, it will not replace the IP lists used by default in Skynet, correct?

Correct

When removing something from the whitelist it's asking for everything, an IP or range, or a match on a comment. When adding a domain to the whitelist I could only add a domain and there was no prompt for the comment for the entry that I'm adding. Am I missing something?

The comment in this case would be the domain.
 
The random hour of banmalware has been effective
Code:
Jan 24 02:27:42 router Skynet: [#] 113716 IPs (+24254) -- 1567 Ranges Banned (+202) || 2199 Inbound -- 0 Outbound Connections Blocked! [banmalware] [162s]
Jan 25 02:28:56 router Skynet: [#] 160443 IPs (+46727) -- 1704 Ranges Banned (+137) || 4792 Inbound -- 0 Outbound Connections Blocked! [banmalware] [236s]
Jan 26 02:29:13 router Skynet: [#] 140613 IPs (-19830) -- 1420 Ranges Banned (-284) || 7260 Inbound -- 0 Outbound Connections Blocked! [banmalware] [253s]
Jan 27 02:26:43 router Skynet: [#] 150303 IPs (+9690) -- 1621 Ranges Banned (+201) || 572 Inbound -- 36 Outbound Connections Blocked! [banmalware] [103s]
Jan 28 02:27:51 router Skynet: [#] 151871 IPs (+1568) -- 1490 Ranges Banned (-131) || 94 Inbound -- 0 Outbound Connections Blocked! [banmalware] [171s]
Jan 28 10:16:17 router Skynet: [#] 154012 IPs (+2141) -- 1657 Ranges Banned (+167) || 1101 Inbound -- 0 Outbound Connections Blocked! [banmalware] [14s]
Jan 28 13:51:25 router Skynet: [#] 153138 IPs (-874) -- 1667 Ranges Banned (+10) || 1495 Inbound -- 0 Outbound Connections Blocked! [banmalware] [20s]
Jan 29 03:25:43 router Skynet: [#] 155142 IPs (+2004) -- 1686 Ranges Banned (+19) || 3005 Inbound -- 0 Outbound Connections Blocked! [banmalware] [43s]
Jan 30 02:28:13 router Skynet: [#] 152159 IPs (-2983) -- 1363 Ranges Banned (-323) || 325 Inbound -- 0 Outbound Connections Blocked! [banmalware] [193s]
Jan 30 09:44:47 router Skynet: [#] 156529 IPs (+4370) -- 1637 Ranges Banned (+274) || 6 Inbound -- 0 Outbound Connections Blocked! [banmalware] [17s]
Jan 31 05:55:58 router Skynet: [#] 156501 IPs (-28) -- 1635 Ranges Banned (-2) || 1975 Inbound -- 0 Outbound Connections Blocked! [banmalware] [58s]
Feb  1 08:25:20 router Skynet: [#] 155944 IPs (-557) -- 1609 Ranges Banned (-26) || 1813 Inbound -- 12 Outbound Connections Blocked! [banmalware] [20s]
Feb  2 08:25:17 router Skynet: [#] 155553 IPs (-391) -- 1593 Ranges Banned (-16) || 4213 Inbound -- 12 Outbound Connections Blocked! [banmalware] [17s]
Feb  3 00:25:17 router Skynet: [#] 152619 IPs (-2934) -- 1611 Ranges Banned (+18) || 842 Inbound -- 0 Outbound Connections Blocked! [banmalware] [17s]
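
Added example, not part of the original post and not Skynet code: one way to watch these summary lines for the failure reported earlier in the thread, where the banned-IP count fell to 3751 (-145146) on a run that hit "can't fork". The function names check_banmalware and sample_log and the thresholds MAX_DROP_PCT and MAX_SECS are assumptions made for this sketch; the third sample line is constructed.

```shell
#!/bin/sh
# Added example (not Skynet code): flag banmalware summary lines in syslog where
# the banned-IP set collapsed or the update ran unusually long.
# MAX_DROP_PCT and MAX_SECS are assumed thresholds, not Skynet settings.

check_banmalware() {
    awk -v max_drop="${MAX_DROP_PCT:-50}" -v max_secs="${MAX_SECS:-300}" '
    /Skynet: \[#\]/ && /\[banmalware\]/ {
        now = ""; delta = ""
        for (i = 2; i < NF; i++)
            if ($i == "IPs") { now = $(i - 1); delta = $(i + 1) }
        if (now == "") next                    # layout not recognised
        gsub(/[()+]/, "", delta); delta += 0   # "(-145146)" -> -145146
        secs = $NF; gsub(/[^0-9]/, "", secs)   # "[52s]" -> 52
        prev = now - delta                     # banned IPs before this run
        stamp = $1 " " $2 " " $3
        if (delta < 0 && prev > 0) {
            pct = int(-delta * 100 / prev)
            if (pct >= max_drop + 0) {
                printf "DROP %s banned IPs %d -> %d (-%d%%)\n", stamp, prev, now, pct
                bad = 1
            }
        }
        if (secs + 0 > max_secs + 0) {
            printf "SLOW %s update took %ds\n", stamp, secs
            bad = 1
        }
    }
    END { exit bad + 0 }'
}

# Sample input: the first two lines are quoted in this thread, the third is
# constructed to exercise the duration check.
sample_log() {
    cat <<'EOF'
Jan 23 02:25:25 Skynet: [#] 3751 IPs (-145146) -- 27719 Ranges Banned (-1669) || 16231 Inbound -- 446 Outbound Connections Blocked! [banmalware] [52s]
Jan 26 02:29:13 router Skynet: [#] 140613 IPs (-19830) -- 1420 Ranges Banned (-284) || 7260 Inbound -- 0 Outbound Connections Blocked! [banmalware] [253s]
Feb  4 02:25:40 router Skynet: [#] 152700 IPs (+81) -- 1611 Ranges Banned (+0) || 90 Inbound -- 0 Outbound Connections Blocked! [banmalware] [412s]
EOF
}

# Non-zero exit status means at least one run needs a look.
sample_log | check_banmalware || echo "exit status $?: review the runs listed above"
```

On a router the same function can read the real log instead of the sample, for example by piping the syslog file into check_banmalware from a scheduled job.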
 
Ran into some problems whereby my Asus DDNS (....asuscomm.com) wouldn’t resolve. In case anyone comes across this, you may need to whitelist:

nwsrv-ns1.asus.com

(Note: that is a “one” in “ns1”)
 
Hey guys,

I have an odd problem, Skynet won't start anymore using amtm menu. It gives me the error message: "Skynet: [*] USB Not Found - Sleeping For 10 Seconds" and does 10 attempts without any luck and goes back to amtm menu. Therefore I also cannot uninstall Skynet and Reinstall it.

There is a USB drive attached to the router which works (as Diversion and amtm is installed on it).

Any idea how to solve that?
 
