Skynet - Router Firewall & Security Enhancements


Because before the kernel panic occurred, the router/skynet was blocking a fairly high amount of IPs (50-100 IPs every two seconds) and it seems that either skynet or the RT-AC86U just isn't designed to handle this flood of blocked IPs.

How many countries do you have blocked? I don't think I've ever seen that many blocks in the span of a couple of seconds.
 
Hi All

I'm a newbie with using scripts and looking for an answer.
Direct question, what is the biggest difference between diversion and skynet?
I installed diversion and I thought, what can I better do with skynet?
Please excuse if my question is low thoughts or hurting the soul of the skynet fellows.

But, could anybody explain it to a newbie please?
Is it, because skynet is a firewall and is looking for inbound blocking and diversion is more for outbound blocking...something like that?
Thanks a lot and have a great summer!

Greetings ivi
 
My own beliefs:

Diversion: protects you from ads on your home network
SkyNet: protects you from malware and known hackers (inbound and outbound)
 

Welcome. :)

I consider Skynet a beefier version of AiProtection. Diversion is a network-based, Ad-blocking solution. You want both. :)

If you haven't seen it already, the amtm Step-by-Step guide will help you get both running properly and fully on a supported RMerlin powered Asus router by using a properly formatted USB drive and swap file too.

amtm Step-by-Step https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/#post-483421

You may also find some use of my other guides by following the link in my signature below. :)
 

Diversion blocks domains, Skynet blocks IPs.
 
Questionable security issue
Code:
pptpd[28115]: CTRL: Client 139.162.102.46 control connection started
pptpd[28115]: CTRL: EOF or bad error reading ctrl packet length.
pptpd[28115]: CTRL: couldn't read packet header (exit)
pptpd[28115]: CTRL: CTRL read failed
pptpd[28115]: CTRL: Reaping child PPP[0]
pptpd[28115]: CTRL: Client 139.162.102.46 control connection finished
pptpd[2954]: CTRL: Client 185.232.67.13 control connection started
pptpd[2954]: CTRL: Starting call (launching pppd, opening GRE)
pptp[2955]: Plugin pptp.so loaded.
pptp[2955]: PPTP plugin version 0.8.5 compiled for pppd-2.4.7, linux-2.6.36.4
pptp[2955]: pppd 2.4.7 started by Sam_Network, uid 0
pptp[2955]: Using interface pptp0
pptp[2955]: Connect: pptp0 <--> pptp (185.232.67.13)
pptp[2955]: appear to have received our own echo-reply!
pptp[2955]: No CHAP secret found for authenticating 1
pptp[2955]: Peer 1 failed CHAP authentication
pptpd[2954]: CTRL: EOF or bad error reading ctrl packet length.
pptpd[2954]: CTRL: couldn't read packet header (exit)
pptpd[2954]: CTRL: CTRL read failed
pptpd[2954]: CTRL: Reaping child PPP[2955]
pptpd[2954]: CTRL: Client pppd TERM sending
pptpd[2954]: CTRL: Client pppd finish wait
pptp[2955]: Terminating on signal 15
pptpd[2974]: CTRL: Client 185.232.67.13 control connection started
pptpd[2974]: CTRL: failed to connect PPTP socket (Operation already in progress)
pptpd[2974]: CTRL: Reaping child PPP[0]
pptpd[2974]: CTRL: Client 185.232.67.13 control connection finished
pptpd[2977]: CTRL: Client 185.232.67.13 control connection started
pptpd[2977]: CTRL: failed to connect PPTP socket (Operation already in progress)
pptpd[2977]: CTRL: Reaping child PPP[0]
pptpd[2977]: CTRL: Client 185.232.67.13 control connection finished
pptp[2955]: Connection terminated.
pptp[2955]: Modem hangup
pptp[2955]: Exit.
pptpd[2954]: CTRL: Client 185.232.67.13 control connection finished
kernel: EMF_ERROR: Interface pptp0 doesn't exist
kernel: EMF_ERROR: Interface pptp0 doesn't exist
I noticed this in my system logs earlier today.
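A way to triage pptpd/pppd lines like the ones above before running them through the Skynet search: this is an added example, not code from the Skynet project, and it assumes only busybox sh and awk as found on an RMerlin router. It tallies, per remote address, how many PPTP control connections were opened and how many of the resulting pppd sessions failed CHAP, so addresses that keep connecting without ever authenticating stand out.

```shell
#!/bin/sh
# Added example (not Skynet's own code). Reads pptpd/pppd syslog lines on
# stdin and prints "ip connections_started chap_failures" per remote address.
# Any address with starts but no authenticated session is a candidate for
# checking against the Skynet lists:
#   /jffs/scripts/firewall stats search malware <ip>

# Constructed sample: an excerpt of the log posted above, embedded so the
# script runs offline.
SAMPLE='pptpd[28115]: CTRL: Client 139.162.102.46 control connection started
pptpd[28115]: CTRL: Client 139.162.102.46 control connection finished
pptpd[2954]: CTRL: Client 185.232.67.13 control connection started
pptp[2955]: Connect: pptp0 <--> pptp (185.232.67.13)
pptp[2955]: Peer 1 failed CHAP authentication
pptpd[2974]: CTRL: Client 185.232.67.13 control connection started
pptpd[2977]: CTRL: Client 185.232.67.13 control connection started'

pptp_triage() {
    awk '
    # pptpd control channel: count connection starts per client IP
    /CTRL: Client [0-9.]+ control connection started/ {
        for (i = 1; i <= NF; i++) if ($i == "Client") ip = $(i + 1)
        started[ip]++
    }
    # pppd side: map the pppd pid (from "pptp[2955]:") to the peer it serves
    /Connect: pptp[0-9]+ <--> pptp \(/ {
        split($1, a, /[][]/); pid = a[2]
        gsub(/[()]/, "", $NF); peer[pid] = $NF
    }
    # CHAP failures are logged by pid only, so resolve through the map
    /failed CHAP authentication/ {
        split($1, a, /[][]/); pid = a[2]
        if (pid in peer) failed[peer[pid]]++
    }
    END {
        for (ip in started)
            printf "%s %d %d\n", ip, started[ip], failed[ip] + 0
    }' | sort
}

printf '%s\n' "$SAMPLE" | pptp_triage
```

On the router the same function can be fed with `grep pptp /tmp/syslog.log | pptp_triage`.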
 
Was SkyNet running and logging anything? Seems like a real problem from Romania.
https://otx.alienvault.com/indicator/ip/185.232.67.13
 
Definitely a malicious IP.
https://otx.alienvault.com/indicator/ip/185.232.67.13

If using Skynet lists, it should be blocked.
Code:
Exact Matches;
--------------       | ---------                              
| IP Address |       | | List |                              
--------------       | ---------                              
185.232.67.13        | https://iplists.firehol.org/files/alienvault_reputation.ipset
185.232.67.13        | https://iplists.firehol.org/files/bds_atif.ipset
185.232.67.13        | https://iplists.firehol.org/files/firehol_level2.netset
185.232.67.13        | https://iplists.firehol.org/files/normshield_high_attack.ipset
  
Possible CIDR Matches;
--------------       | ---------                              
| IP Address |       | | List |                              
--------------       | ---------                              
185.232.67.0/24      | https://iplists.firehol.org/files/firehol_level3.netset

That is found using this command line as defined in post 1 or 2 of this thread.
Code:
/jffs/scripts/firewall stats search malware 185.232.67.13 10
 
https://www.snbforums.com/threads/skynet-diversion-questions.56258/#post-483767
 
Strange thing is Skynet didn't catch it. I went ahead and refreshed Skynet and made sure it was up to date.
 
Is SkyNet disabled somehow? I would probably think about nuking your router if you can’t tell what’s really going on. If SkyNet was enabled, it should have stopped this IP cold unless you whitelisted it ever.
Somehow it was saying enabled, but there were no active blocked domains listed; updating it fixed the issue.
 
Skynet: [#] 1 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [save]
This is what it said.
 
That happens when the Banmalware Update times out, for whatever reason. Router busy, internet connection times out. I've seen that a couple times. I always make certain that the update runs in the morning when I can check it, just in case.

When the firewall starts or restarts, there is a cron job set, but Skynet sets a random hour and 25 minutes after. I run it at 0625 since I get up around 0600, by manually changing the crontab.
 
But even without SkyNet and its raw iptables filtering, why wouldn't the normal firewall block whatever this connection was? What do you have open to the outside?
Finally able to respond. I do not have any external ports open, if that is what you are asking, and no additional firewall rules. This gives me the ability to appreciate and pay more attention to Skynet in my logs. It shows what Skynet brings to the table.
 
If I do not configure a Skynet fast switch, and I decide to use my fast switch with Diversion, will Skynet still protect with the regular default Skynet if I do not use a fast switch option for it, when connected to the smaller list that is defined for fast switch within Diversion?
 

This output indicates you only have one IP banned, if you are looking to ban the default lists run the "banmalware" command.
 