Skynet - Router Firewall & Security Enhancements


Adamm

Part of the Furniture
It happened to me as well.

I removed the USB Drive, put it back and Skynet came back.
That error only happens if your install directory goes missing (perhaps it was remounted as a different device) or you change the device label.

Why is a USB drive required? I have not found an answer to this. I am sure the answer is quite simple as there is not enough storage on the router in the JFFS area but I have not seen this question asked or an explanation provided.
To cater for the swap file. While Skynet doesn't use a large amount of RAM, a recent Broadcom SDK update led to some devices spitting fork() errors when running additional processes. The only way to fix this error was to use a swap file.
 

alexandro

Occasional Visitor
Adamm, why was the info about Astrill removed from Readme.md? Is Astrill not compatible with Skynet, or is there another reason?
PIA doesn't have a router plugin like Astrill.
PIA was acquired by London Trust Media, and the CTO of London Trust Media is the former CEO of Mt. Gox. PIA is USA-based. Sounds bad...
 

Adamm

Part of the Furniture
Adamm, why was the info about Astrill removed from Readme.md? Is Astrill not compatible with Skynet, or is there another reason?
PIA doesn't have a router plugin like Astrill.
PIA was acquired by London Trust Media, and the CTO of London Trust Media is the former CEO of Mt. Gox. PIA is USA-based. Sounds bad...
Astrill have no intent to update their OpenVPN implementation going forward and want to switch completely to Wireguard. PIA on the other hand are focused on OpenVPN and have a much more updated implementation.
 

EmeraldDeer

Very Senior Member
Hardware or Software Instability? Actually no, Internet port scan denial of service
There have been a handful of instances with my new router where I lose connectivity and then what appears to me to be a hardware reset of the LAN switch and syslog messages about a WAN outage.
Code:
Feb  8 23:05:54 WAN_Connection: WAN was exceptionally disconnected.
Feb  8 23:05:54 DualWAN: skip single wan wan_led_control - WANRED off
Feb  8 23:06:06 WAN_Connection: WAN was restored.
When connectivity comes back I seem to have lost the syslog entries before and perhaps during the event except for WAN.

I am now using Skynet. Optionally I have chosen to log INVALID blocked connections in addition to INBOUND blocked connections. Other users have not been fans of the Skynet syslog entries.

I am also using Cygwin 64 syslog-ng on a Windows computer as a central, remote syslog for three network devices including the router. I am OK with all of the Skynet entries that do not get cleaned up hourly as they do on the router.

The connectivity outage has happened again, but this time I have the logs on my remote syslog server to know what it is caused by. Over the course of a few minutes, I receive at least a thousand INVALID SYN packets to various TCP ports. The time gaps in the log suggest a lot more packets are involved.

I submitted an abuse web form to the ISP of the source IP in Germany.

Without the logs I would have been suspecting problems with the hardware or the firmware. I do have DoS protection enabled even though this situation is beyond the help of rate limiting.

Code:
Top 10 Blocks (Invalid);


--------   | --------------   | --------------                                          | ----------------------
| Hits |   | | IP Address |   | | AlienVault |                                          | | Associated Domains |
--------   | --------------   | --------------                                          | ----------------------

1628x      | 88.99.37.190     | https://otx.alienvault.com/indicator/ip/88.99.37.190    |
Update: I was poking around in the Fing app. There is a feature which you cannot disable called Network Vulnerability Test. Apparently it performs a port scan from the Internet from time to time. Since I had recently enabled incoming IPSEC VPN, I was curious whether Fing could tell. The history showed nothing. So I decided to run it ad hoc.

Guess what, the Fing network vulnerability test has been the cause of the outages from IP address 88.99.37.190. It blasts your router with so many SYN packets in a couple of minutes that it takes you offline. And the history coincided with the outage from Friday night.

I am f***ing done with Fing. I had been on the fence with regard to the overall value of Fing compared to the breadth of data they were extracting and storing in the cloud. I deleted the networks from the app, deactivated and disconnected the Fing device on my network and deleted the Fing apps. Wow.
 
Last edited:
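
The pattern described in the post above (one source sending blocked SYNs to many different TCP ports within a few minutes) can be picked out of a central syslog automatically. This is an added example, not part of the thread or of Skynet's own code: it assumes blocked packets are logged in the usual netfilter LOG layout behind a "[BLOCKED - TYPE]" prefix, and the sample lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: syslog timestamp, "[BLOCKED - <TYPE>]" prefix, netfilter LOG fields.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*?\[BLOCKED - (?P<kind>\w+)\]"
                  r".*?\bSRC=(?P<src>\S+).*?\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)")

def parse(line, year):
    """Return (time, type, source IP, destination port), or None for other lines."""
    m = LINE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["kind"], m["src"], int(m["dpt"])

def find_scans(lines, year=2020, window=timedelta(minutes=5), min_ports=25):
    """Map source IP -> most distinct TCP ports probed inside any one window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line, year)
        if rec and rec[1] in ("INVALID", "INBOUND"):
            events[rec[2]].append((rec[0], rec[3]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window's left edge forward
            ports = {port for _, port in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts

def sample_log():
    """Constructed log: one fast scanner, one repeat offender, one slow prober."""
    t0 = datetime(2020, 2, 8, 23, 3, 0)
    def row(t, kind, src, dpt):
        return (f"{t:%b} {t.day:2d} {t:%H:%M:%S} kernel: [BLOCKED - {kind}] IN=eth0 OUT= "
                f"SRC={src} DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40000 DPT={dpt} SYN")
    log = [row(t0 + timedelta(seconds=2 * i), "INVALID", "203.0.113.7", 1000 + i) for i in range(60)]
    log += [row(t0 + timedelta(minutes=i), "INBOUND", "198.51.100.20", 23) for i in range(30)]
    log += [row(t0 + timedelta(minutes=10 * i), "INVALID", "198.51.100.30", 5000 + i) for i in range(30)]
    log.append("Feb  8 23:05:54 WAN_Connection: WAN was exceptionally disconnected.")
    return log

if __name__ == "__main__":
    for ip, ports in find_scans(sample_log()).items():
        print(f"{ip}: {ports} distinct ports inside 5 minutes")
```

Only the fast scanner is reported; the host hammering a single port and the one probing a new port every ten minutes stay below the distinct-port threshold, which is why a per-source port count separates a scan from ordinary background noise better than a raw hit count.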

cmkelley

Very Senior Member
@Adamm, does Skynet use any messages besides the "[BLOCKED - ..." messages for statistics? Syslog-ng is doing some weird things, but if the BLOCKED messages are all it uses, I can ignore it and simplify my filter a bit.
 

Adamm

Part of the Furniture
@Adamm, does Skynet use any messages besides the "[BLOCKED - ..." messages for statistics? Syslog-ng is doing some weird things, but if the BLOCKED messages are all it uses, I can ignore it and simplify my filter a bit.
There's also the log messages (which Skynet also purges).

Code:
Feb 10 15:30:31 Skynet: [#] 147242 IPs (+0) -- 1670 Ranges Banned (+0) || 173 Inbound -- 30 Outbound Connections Blocked! [stats] [4s]
 

cmkelley

Very Senior Member
There's also the log messages (which Skynet also purges).

Code:
Feb 10 15:30:31 Skynet: [#] 147242 IPs (+0) -- 1670 Ranges Banned (+0) || 173 Inbound -- 30 Outbound Connections Blocked! [stats] [4s]
Okay, thanks. I'll make sure those are going into the file Skynet is scraping.
 

Adamm

Part of the Furniture
I've pushed v6.7.3

This version now generates the CDN whitelist dynamically rather than pulling a static file from the Git repo.
 

skeal

Part of the Furniture

DonnyJohnny

Very Senior Member
I've pushed v6.7.3

This version now generates the CDN whitelist dynamically rather than pulling a static file from the Git repo.
Don’t know which list is blocking ipinfo.io, causing banmalware update to hang during refreshing whitelist.
Lol.
Whitelist it already....
 

Adamm

Part of the Furniture
Don’t know which list is blocking ipinfo.io, causing banmalware update to hang during refreshing whitelist.
Lol.
Whitelist it already....
Code:
sh /jffs/scripts/firewall stats search malware xxx.xxx.xxx.xxx
 

elorimer

Very Senior Member
I'm curious about the two logs that are in the skynetloc directory: skynet.log and event.log. What are they used for? Also, they seem to be purged periodically. Do they have a use separate from the syslog logging?
 

Adamm

Part of the Furniture
I'm curious about the two logs that are in the skynetloc directory: skynet.log and event.log. What are they used for? Also, they seem to be purged periodically. Do they have a use separate from the syslog logging?
That's where Skynet moves the pruned entries from the syslog for stat collection.
 

Adamm

Part of the Furniture
I've pushed v6.7.4

  • Various whitelist optimizations
  • Show custom syslog location in debug info
 

Milan

Senior Member
I just installed Skynet on my AC3200 and it seems that your install script is not aware of the usage of the swap partition. Can you add the option to use a swap partition instead of creating an additional swap file?
 

duceyaj

New Around Here
I just installed Skynet on my AC3200 and it seems that your install script is not aware of the usage of the swap partition. Can you add the option to use a swap partition instead of creating an additional swap file?
I created my swap partition with AMTM and Skynet was able to see it during install.

Sent from my SM-G965U1 using Tapatalk
 

jsbeddow

Senior Member
I created my swap partition with AMTM and Skynet was able to see it during install.

Sent from my SM-G965U1 using Tapatalk
AMTM creates a swap file, not a swap partition. This has been discussed before in the forums, and the conclusion was that a swap file is what is needed, NOT a swap partition.
 

consorts

Senior Member
Just reporting in case others with Diversion+Skynet see similar:
I woke up this morning with my AC3100 CPU with one thread at 100% while everyone was still sleeping. A soft reboot didn't work, so I power cycled and that got my CPU util% back to normal. I noticed this seems to happen when one of you pushes out an update and it seems to fall out of list sync o_O I dunno, that's just my primitive diagnosis.
 
