Skynet Skynet - Router Firewall & Security Enhancements

[Butterfly Bones]

Update and re-run banmalware, the issue should correct itsself

Ok, it was running with no issues for me, I was seeing more block and fewer invalid, but no big deal.
Since running the 384.10 beta releases I get kernel: bcm63xx_nand errors every time banmalware runs, though I doubt it is Skynet and I know that it is outside RMerlin control. (sigh...)

Mar 22 10:39:18 Skynet: [%] New Version Detected - Updating To v6.8.4 (41ae62766f615de2484a6d11ca6bb027)
Mar 22 10:39:22 Skynet: [%] Restarting Firewall Service
Mar 22 10:39:22 rc_service: service 8504:notify_rc restart_firewall
Mar 22 10:39:22 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Mar 22 10:39:22 custom_script: Running /jffs/scripts/nat-start
Mar 22 10:39:22 (install_stubby.sh): 8512 Starting Script Execution (checkipv6)
Mar 22 10:39:22 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Mar 22 10:39:22 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/SNB/skynet )
Mar 22 10:39:30 kernel: bcm63xx_nand ff801800.nand: timeout waiting for command 0x1
Mar 22 10:39:31 kernel: bcm63xx_nand ff801800.nand: intfc status f80000e0
Mar 22 10:39:43 Skynet: [#] 217837 IPs (+0) -- 30170 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [21s]
Mar 22 10:40:20 Skynet: [#] 158051 IPs (-59786) -- 29145 Ranges Banned (-1025) || 2 Inbound -- 0 Outbound Connections Blocked! [banmalware] [21s]

 

[Mutzli]

Update and re-run banmalware, the issue should correct itsself

Ahh, that's why I suddenly had over 214,000 IP's. Thanks for the fix. It's now back down to 158,000 IP's.

 

[Elmer]

Okay, I just installed this today, and www.motherjones.com is banned. Who is editing the banmalware list?

 

[skeal]

Okay, I just installed this today, and www.motherjones.com is banned. Who is running the banmalware site?

Read the first post it tells how to unblock your favorite site.

 

[Butterfly Bones]

Okay, I just installed this today, and www.motherjones.com is banned. Who is editing the banmalware list?

Read the first post it tells how to unblock your favorite site.

It is actually in post #2
https://www.snbforums.com/threads/r...wall-security-enhancements.16798/#post-115872

scroll down tot this section:

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

 

[EmeraldDeer]

Okay, I just installed this today, and www.motherjones.com is banned. Who is editing the banmalware list?

Taichung banning this one IP 192.0.66.2 has effected many websites.

--------------       | --------------                                          | --------------                                | ----------------------
| IP Address |       | | AlienVault |                                          | | Ban Reason |                                | | Associated Domains |
--------------       | --------------                                          | --------------                                | ----------------------

192.0.66.2      (US) | https://otx.alienvault.com/indicator/ip/192.0.66.2      | BanMalware: taichung.ipset                    | indiewire.com motherjones.com

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Banmalware
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-15]: 4

Select Whitelist Option:
[1]  --> IP/Range
[2]  --> Domain
[3]  --> Refresh VPN Whitelist
[4]  --> Remove Entries
[5]  --> Refresh Entries
[6]  --> List Entries

[1-7]: 1

Input IP Or Range To Whitelist:

[IP/Range]: 192.0.66.2

Input Comment For Whitelist:

[Comment]:

[$] /opt/bin/firewall whitelist ip 192.0.66.2


=============================================================================================================


[i] Whitelisting 192.0.66.2
[i] Saving Changes


=============================================================================================================


[#] 159869 IPs (-1) -- 1702 Ranges Banned (+0) || 361 Inbound -- 6 Outbound Connections Blocked! [whitelist] [3s]

 

[Elmer]

It is actually in post #2
https://www.snbforums.com/threads/r...wall-security-enhancements.16798/#post-115872

scroll down tot this section:

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Thanks, but I understand how to unblock. It's just I'm a bit concerned that there is some maverick contributing to banmalware that has an agenda against "liberal" websites. Stranger things have happened.

 

[Butterfly Bones]

Thanks, but I understand how to unblock. It's just I'm a bit concerned that there is some maverick contributing to banmalware that has an agenda against "liberal" websites. Stranger things have happened.

I don't think that is why it is listed. It is in the ban list because of some bad actor doing something from a host that is co-hosted by AS2635 Automattic, Inc. Use this Alien Vault Online Threat Exchange (OTX) URL that @EmeraldDeer posted above to see much more information on that domain host, if it is considered malicious, or just some minor script kiddie activity. That OTX site is invaluable!

https://otx.alienvault.com/indicator/ip/192.0.66.2

 

[Centrifuge]

I don't think that is why it is listed. It is in the ban list because of some bad actor doing something from a host that is co-hosted by AS2635 Automattic, Inc. Use this Alien Vault Online Threat Exchange (OTX) URL that @EmeraldDeer posted above to see much more information on that domain host, if it is considered malicious, or just some minor script kiddie activity. That OTX site is invaluable!

https://otx.alienvault.com/indicator/ip/192.0.66.2

The unblock instructions work great, and I unblocked motherjones also. Now I am just wondering how to decipher the AlienVault result, it says the IP (192.0.66.2) is "Not identified as malicious", but I don't see anything on why it was on the blocklist, am I missing it?

 

[joe scian]

Adam
I had to reformat my USB attached to RT-ac5300 . Diversion, SKynet, DNScrypt,Yazi , Pixelserv all installed correctly and I have a 512Mbyte swap file. However when I rebooted router I continually get this message from Skynet - every other program above works fine except Skynet
Skynet: [*] USB Not Found - Sleeping For 10 Seconds ( Attempt 1 Of 10 )
Skynet: [*] USB Not Found - Sleeping For 10 Seconds ( Attempt 2 Of 10 )
finally bombing out after 11 attemts or so

I had to reinstall Skynet from command line to get rid of the problem - any ideas what could have caused this

 

[Adamm]

The unblock instructions work great, and I unblocked motherjones also. Now I am just wondering how to decipher the AlienVault result, it says the IP (192.0.66.2) is "Not identified as malicious", but I don't see anything on why it was on the blocklist, am I missing it?

There are over 500 websites hosted on the same IP, that's unfortunately the nature of shared hosting as it only takes one bad website to get the whole server flagged. If you know the website is legitimate just whitelist and forget

Adam
I had to reformat my USB attached to RT-ac5300 . Diversion, SKynet, DNScrypt,Yazi , Pixelserv all installed correctly and I have a 512Mbyte swap file. However when I rebooted router I continually get this message from Skynet - every other program above works fine except Skynet
Skynet: [*] USB Not Found - Sleeping For 10 Seconds ( Attempt 1 Of 10 )
Skynet: [*] USB Not Found - Sleeping For 10 Seconds ( Attempt 2 Of 10 )
finally bombing out after 11 attemts or so

I had to reinstall Skynet from command line to get rid of the problem - any ideas what could have caused this

Your install path seems to have changed, you can view it via the "debug info" command or the main menu. Re-running the install procedure corrected the issue for you.

 

[unsynaps]

Strangely stopped reporting the country an IP address was from when running stats.

Top 10 Blocks (Inbound);
--------   | --------------       | --------------                                          | --------------                                | ----------------------                                    
| Hits |   | | IP Address |       | | AlienVault |                                          | | Ban Reason |                                | | Associated Domains |                                    
--------   | --------------       | --------------                                          | --------------                                | ----------------------                                    
585x       | 176.48.132.72   ()   | https://otx.alienvault.com/indicator/ip/176.48.132.72   | *                                             |                                                            
384x       | 212.164.65.28   ()   | https://otx.alienvault.com/indicator/ip/212.164.65.28   | *                                             |                                                            
153x       | 112.22.233.163  ()   | https://otx.alienvault.com/indicator/ip/112.22.233.163  | *                                             |                                                            
123x       | 85.143.112.35   ()   | https://otx.alienvault.com/indicator/ip/85.143.112.35   | *                                             |                                                            
116x       | 95.104.209.255  ()   | https://otx.alienvault.com/indicator/ip/95.104.209.255  | *                                             |                                                            
111x       | 77.37.158.82    ()   | https://otx.alienvault.com/indicator/ip/77.37.158.82    | *                                             |                                                            
109x       | 178.46.83.125   ()   | https://otx.alienvault.com/indicator/ip/178.46.83.125   | *                                             |                                                            
88x        | 78.138.130.187  ()   | https://otx.alienvault.com/indicator/ip/78.138.130.187  | *                                             |                                                            
85x        | 124.78.32.36    ()   | https://otx.alienvault.com/indicator/ip/124.78.32.36    | *                                             |                                                            
81x        | 212.12.18.9     ()   | https://otx.alienvault.com/indicator/ip/212.12.18.9     | *                                             |

 

[Marin]

Thanks, I've pushed v6.8.4 with a fix.

Fix banmalware not removing stale entries with new comment format

@Adamm - Would you consider giving IOT Blocking and the other options under the Settings section a different color when they are DISABLED so they are not easily missed when reviewing their current status? Currently, both enabled and disabled stats are showing with same green color. Just a thought.

Select Setting To Toggle:

[1] --> Autoupdate | [Enabled]

[2] --> Banmalware | [daily]

[3] --> Debug Mode | [Enabled]

[4] --> Filter Traffic | [all]

[5] --> Unban PrivateIP | [Enabled]

[6] --> Log Invalid Packets | [Enabled]

[7] --> Ban AiProtect | [Enabled]

[8] --> Secure Mode | [Enabled]

[9] --> Fast Switch | [Disabled]

[10] --> Syslog Location | [Default]

[11] --> IOT Blocking | [Disabled]

[12] --> Stats Country Lookup | [Enabled]

Thank you!

 

[Adamm]

Strangely stopped reporting the country an IP address was from when running stats.

The only reasons I can think of are you either had internet connectivity issues or hit the API lookup amount.

@Adamm - Would you consider giving IOT Blocking and the other options under the Settings section a different color when they are DISABLED so they are not easily missed when reviewing their current status? Currently, both enabled and disabled stats are showing with same green color. Just a thought.

My logic behind the colour scheme is something like

Green = Recommended Setting/Enabled
Yellow = Disabled but is optional
Red = Disabled and will affect functionality

With that being said, some options are obscure and making them red may confuse users like they need to enable these features.

 

[Marin]

The only reasons I can think of are you either had internet connectivity issues or hit the API lookup amount.



My logic behind the colour scheme is something like

Green = Recommended Setting/Enabled
Yellow = Disabled but is optional
Red = Disabled and will affect functionality

With that being said, some options are obscure and making them red may confuse users like they need to enable these features.

Ok, I see your point. Thanks for clarifying!

 

[XIII]

Got this when I was lazy and tried to (remotely, via SSH) remove an entry using the comment instead of the exact IP:

[i] Removing All Entries With Comment Matching "ac68u" From Whitelist
packet_write_wait: Connection to <IP ADDRESS> port 22: Broken pipe

I can now no longer SSH into the router. OpenVPN also does no longer work.

Probably the router is useless now, until I return home and reboot it?

 

[EmeraldDeer]

The unblock instructions work great, and I unblocked motherjones also. Now I am just wondering how to decipher the AlienVault result, it says the IP (192.0.66.2) is "Not identified as malicious", but I don't see anything on why it was on the blocklist, am I missing it?

AlienVault has "Not identified as malicious" by "GOOGLE SAFE BROWSING".

Skynet has Blacklist Reason; "BanMalware: taichung.ipset".
https://github.com/firehol/blocklist-ipsets/blob/master/taichung.ipset
https://www.tc.edu.tw/net/netflow/lkout/recent/30 takes a while to load and is in Chinese

 

[TonyK132]

Hi Adamm - I found that Blarney.com was blocked, so I whitelisted it, thinking that the whole domain would be whitelisted , but email.Blarney.com was still being blocked. I had to put in another entry just for that address. Shouldn't Blarney.com have covered both cases?

 

[DonnyJohnny]

Hi Adamm - I found that Blarney.com was blocked, so I whitelisted it, thinking that the whole domain would be whitelisted , but email.Blarney.com was still being blocked. I had to put in another entry just for that address. Shouldn't Blarney.com have covered both cases?

Skynet block by ip or ip range. By submitting domain for whitelist, skynet will make a query for the ip used for that particular domain.
In your case, likely is it is due to domain are using different ip.
Skynet pull list from reputable source ( http://iplists.firehol.org/). If you have issue with the list, you should get back to the source. Alternatively, you have to whitelist as and when like what you are already doing.
Meanwhile, skynet don’t support wildcard eg. “*.blarney.com”.

 

[keef]

Hello Adamm. I was looking at the security tests on http://www.shieldtest.com/ I failed the Malware test. Have you seen the test and is this the result I should expect since Skynet is not an active blocking program? Or have I misunderstood this?

as an FYI to all, with all the TrendMicro AiProtection options enabled I failed miserably on the tests. Notably a failure on DDOS and Intrusion Prevention System

thanks, Bj