Skynet - Router Firewall & Security Enhancements

Having an issue with the new version not starting after a firewall restart. Seems maybe a leftover debugmode reference. This is the output of running
Code:
sh -x /jffs/scripts/firewall start skynetloc=/tmp/mnt/apps/skynet
+ export PATH=/sbin:/bin:/usr/sbin:/usr/bin/opt/bin:/opt/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/home/rtradmin:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin
+ printf \033[?7l
+ clear
+ sed -n 2,14p /jffs/scripts/firewall
#############################################################################################################
# _____ _ _ __ #
# / ____| | | | / / #
# | (___ | | ___ _ _ __ ___| |_ __ __/ /_ #
# \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \ #
# ____) | <| |_| | | | | __/ |_ \ V /| (_) | #
# |_____/|_|\_\\__, |_| |_|\___|\__| \_/ \___/ #
# __/ | #
# |___/ #
# #
## - 01/10/2019 - Asus Firewall Addition By Adamm v6.8.7 #
## https://github.com/Adamm00/IPSet_ASUS #
#############################################################################################################
+ export LC_ALL=C
+ mkdir -p /tmp/skynet/lists
+ ntptimer=0
+ nvram get ntp_ready
+ [ 1 = 0 ]
+ [ 0 -ge 300 ]
+ date +%s
+ stime=1570031120
+ grep -ow skynetloc=.* # Skynet /jffs/scripts/firewall-start
+ awk {print $1}
+ grep -vE ^#
+ cut -c 11-
+ skynetloc=/tmp/mnt/apps/skynet
+ skynetcfg=/tmp/mnt/apps/skynet/skynet.cfg
+ skynetlog=/tmp/mnt/apps/skynet/skynet.log
+ skynetevents=/tmp/mnt/apps/skynet/events.log
+ skynetipset=/tmp/mnt/apps/skynet/skynet.ipset
+ [ -z /tmp/mnt/apps/skynet ]
+ [ ! -d /tmp/mnt/apps/skynet ]
+ nvram get wan0_proto
+ [ dhcp = pppoe ]
+ nvram get wan0_proto
+ [ dhcp = pptp ]
+ nvram get wan0_proto
+ [ dhcp = l2tp ]
+ nvram get wan0_ifname
+ iface=eth0
+ [ -z start ]
+ [ -n ]
+ trap Spinner_End EXIT
+ [ -f /tmp/mnt/apps/skynet/skynet.cfg ]
+ . /tmp/mnt/apps/skynet/skynet.cfg
+ model=RT-AC68U
+ localver=v6.8.6
+ autoupdate=enabled
+ banmalwareupdate=daily
+ forcebanmalwareupdate=
+ logmode=
+ filtertraffic=outbound
+ swaplocation=/tmp/mnt/apps/myswap.swp
+ swappartition=
+ blacklist1count=141530
+ blacklist2count=1669
+ customlisturl=
+ customlist2url=
+ countrylist=
+ excludelists=
+ unbanprivateip=enabled
+ loginvalid=disabled
+ banaiprotect=enabled
+ securemode=enabled
+ extendedstats=enabled
+ fastswitch=disabled
+ syslogloc=/tmp/syslog.log
+ syslog1loc=/tmp/syslog.log-1
+ iotblocked=disabled
+ iotports=
+ iotproto=udp
+ lookupcountry=enabled
+ cdnwhitelist=enabled
+ Display_Header 9
+ printf \n\n=============================================================================================================\n\n\n


=============================================================================================================


+ Check_Lock start skynetloc=/tmp/mnt/apps/skynet
+ [ -f /tmp/skynet.lock ]
+ echo start skynetloc=/tmp/mnt/apps/skynet
+ echo 18528
+ date +%s
+ lockskynet=true
+ echo start skynetloc=/tmp/mnt/apps/skynet
+ sed s~start ~~g
+ logger -st Skynet [%] Startup Initiated... ( skynetloc=/tmp/mnt/apps/skynet )
Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/apps/skynet )
+ Unload_Cron all
+ [ -z all ]
+ cru d Skynet_save
+ cru d Skynet_banmalware
+ cru d Skynet_autoupdate
+ cru d Skynet_checkupdate
+ Check_Settings
+ [ ! -f /tmp/mnt/apps/skynet/skynet.cfg ]
+ [ -z /tmp/syslog.log ]
+ [ -z /tmp/syslog.log-1 ]
+ [ -z disabled ]
+ [ -z udp ]
+ [ -z enabled ]
+ [ -z enabled ]
+ [ -z ]
/jffs/scripts/firewall: line 5143: debugmode: parameter not set or null
+ Spinner_End
+ [ -f /tmp/skynet/spinstart ]
I had to manually edit skynet.cfg because logmode="". I changed it to logmode="enabled" and it's starting now.

This may be self-inflicted because I switched from John's fork back to Merlin and restored an older JFFS before the 6.8.7 update, but the USB was the same with a newer cfg file for skynet.
 
This may be self-inflicted because I switched from John's fork back to Merlin and restored an older JFFS before the 6.8.7 update, but the USB was the same with a newer cfg file for skynet.

Yes that would have caused it due to how the update relies on the old value. Running the install command (or your manual fix) will resolve the issue.
 
Adamm, I've been getting this error since the update;

Code:
Select Option:
[1]  --> Update
[2]  --> Change Filter List
[3]  --> Reset Filter List
[4]  --> Exclude Individual Lists
[5]  --> Reset Exclusion List

[1-5]: 1

[$] /jffs/scripts/firewall banmalware

=========================================================================

[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | /jffs/scripts/firewall: line 5143: can't fork/jffs/scripts/firewall: line 5143: can't fork

[3s]
[i] Consolidating Blacklist         | [4s]
[i] Filtering IPv4 Addresses        | [3s]
[i] Filtering IPv4 Ranges           | [0s]
[i] Applying New Blacklist          | [3s]
[i] Refreshing AiProtect Bans       | [0s]
[i] Saving Changes                  | [2s]

[i] For Whitelisting Assistance -
[i] https://www.snbforums.com/threads/release-skynet-router-firewall-security-enhancements.16798/#post-115872

=====================================================================

Any ideas?
 
Adamm, I've been getting this error since the update;

Cannot fork errors are a firmware issue, but can be solved with a swap file. Make sure yours is working correctly and/or regenerate it, a reboot wouldn't hurt either.
 
Odd, now I'm getting a lot of Skynet messages about IPs being banned in my router log.
 
Odd, now I'm getting a lot of Skynet messages about IPs being banned in my router log.
Banned or [BLOCKED]? That would be the former debugmode, now logmode. If you don't want those, run this command:
Code:
sh /jffs/scripts/firewall settings logmode disable
 
Banned or [BLOCKED]? That would be the former debugmode, now logmode. If you don't want those, run this command:
Code:
sh /jffs/scripts/firewall settings logmode disable

They are not the same as before: "Skynet: [#] 141273 IPs (+0) -- 1648 Ranges Banned (+0) || 2048 Inbound -- 0 Outbound Connections Blocked! [save] [3s]"
 
They are not the same as before: "Skynet: [#] 141273 IPs (+0) -- 1648 Ranges Banned (+0) || 2048 Inbound -- 0 Outbound Connections Blocked! [save] [3s]"
Those happen on the hour through cron, or whenever you make changes in Skynet.
 
Hello

Today I changed the OpenVPN server listening port to tcp 443.
I’m noticing that skynet is blocking all inbound connections to this port.
Can you please advise on how I can allow incoming connections to reach this port?

thanks
 
Hello

Today I changed the OpenVPN server listening port to tcp 443.
I’m noticing that skynet is blocking all inbound connections to this port.
Can you please advise on how I can allow incoming connections to reach this port?

thanks
That's a very common port for bad guys to be probing. How did you determine that Skynet is blocking your incoming VPN connection? Is your VPN client on the internet using a known malware IP? Or perhaps your ISP blocks inbound port 443?

Are there any conflicts between your OpenVPN server and any other service on the router (e.g. HTTPS, AiCloud)? Do you see anything else listed on 0.0.0.0:443 besides your OpenVPN server?
Code:
netstat -nlp | grep :443
 
That's a very common port for bad guys to be probing. How did you determine that Skynet is blocking your incoming VPN connection? Is your VPN client on the internet using a known malware IP? Or perhaps your ISP blocks inbound port 443?

Are there any conflicts between your OpenVPN server and any other service on the router (e.g. HTTPS, AiCloud)? Do you see anything else listed on 0.0.0.0:443 besides your OpenVPN server?
Code:
netstat -nlp | grep :443

Hi,
thanks for the feedback.
The Skynet log shows port 443 being blocked from several external pingers that I use to scan for open ports. These pingers aren't tagged with a malware IP.
The ISP isn't banning port 443.

Code:
Oct  2 22:38:12 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:88:53:58:00:01:5c:71:1a:bd:08:00 SRC=120.79.217.127 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=13386 DF PROTO=TCP SPT=51614 DPT=443 SEQ=964701686 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AE756257C0000000001030307)
Oct  2 22:38:12 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:88:53:58:00:01:5c:71:1a:bd:08:00 SRC=123.207.145.245 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=12140 DF PROTO=TCP SPT=42530 DPT=443 SEQ=3541153220 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405900402080ABE65A66C0000000001030307)
Oct  2 22:38:12 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:88:53:58:00:01:5c:71:1a:bd:08:00 SRC=221.181.173.20 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=28061 DF PROTO=TCP SPT=58404 DPT=443 SEQ=929387196 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080ABE2C4AE40000000001030306)
Oct  2 22:38:12 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:88:53:58:00:01:5c:71:1a:bd:08:00 SRC=39.106.209.134 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=62941 DF PROTO=TCP SPT=41642 DPT=443 SEQ=4040012279 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AE7564FE80000000001030307)
Oct  2 22:38:12 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:88:53:58:00:01:5c:71:1a:bd:08:00 SRC=112.30.130.63 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=20283 DF PROTO=TCP SPT=45726 DPT=443 SEQ=2629898818 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080AEBF169330000000001030306)
Oct  2 22:38:13 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:88:53:58:00:01:5c:71:1a:bd:08:00 SRC=47.96.79.76 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=9260 DF PROTO=TCP SPT=45946 DPT=443 SEQ=1712125143 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080ABE32DCBC0000000001030307)
Oct  2 22:38:13 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:88:53:58:00:01:5c:71:1a:bd:08:00 SRC=47.105.221.174 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=37771 DF PROTO=TCP SPT=42922 DPT=443 SEQ=3040323744 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AE75646E80000000001030307)
Oct  2 22:38:13 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:88:53:58:00:01:5c:71:1a:bd:08:00 SRC=222.186.161.97 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=508 DF PROTO=TCP SPT=55772 DPT=443 SEQ=440702148 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080ABE44A0FC0000000001030306)
Oct  2 22:38:13 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:88:53:58:00:01:5c:71:1a:bd:08:00 SRC=123.206.200.34 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=44943 DF PROTO=TCP SPT=57348 DPT=443 SEQ=2988120221 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405900402080ABE47C2D00000000001030307)
Oct  2 22:38:13 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:88:53:58:00:01:5c:71:1a:bd:08:00 SRC=47.101.65.208 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=64917 DF PROTO=TCP SPT=40464 DPT=443 SEQ=653644785 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080AE7563A200000000001030307)

When running netstat I see that pixelserv is indeed internally listening on port 443, which definitely causes trouble. Still, I'm confused on how and why Skynet blocks 443 inbound.

Pardon my ignorance. I had the impression that port 443 was good for running an OpenVPN server. Should I stick with a more random port?
 
When running netstat I see that pixelserv is indeed internally listening on port 443, which definitely causes trouble.
Pixelserv will only be listening on the LAN side, not the WAN side. Should not be a conflict.
Still, I'm confused on how and why Skynet blocks 443 inbound.
Skynet will only block incoming traffic based on IP, not ports. It’s just a popular port to scan for bad guys, so it’s showing up in your logs frequently.

The more random the port, I imagine the safer you’ll be. But I don’t use the VPN server so I can’t recommend anything by experience.
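To make Dave's point checkable against the "[BLOCKED - INBOUND]" lines posted above, here is an added example (not Skynet's own code, not from anyone in the thread) that summarises such log lines per source IP and per destination port; the sample log is constructed in the same format with RFC 5737 placeholder addresses, and on the router the input would be /tmp/syslog.log (the syslogloc from skynet.cfg).

```shell
#!/bin/sh
# Added example, not Skynet's own code: summarise the "[BLOCKED - INBOUND]"
# kernel log lines Skynet emits, keyed on source IP, to show that the ban is
# per IP and the port is only whatever that IP happened to probe. busybox-safe.

# Constructed sample in the thread's log format; sources are RFC 5737 addresses.
SAMPLE_LOG='Oct  2 22:38:12 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=13386 DF PROTO=TCP SPT=51614 DPT=443 SEQ=964701686 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  2 22:38:12 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=13387 DF PROTO=TCP SPT=51615 DPT=22 SEQ=964701687 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  2 22:38:13 RT-AC3100-0548 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=12140 DF PROTO=TCP SPT=42530 DPT=443 SEQ=3541153220 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  2 22:38:13 RT-AC3100-0548 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.1.20 DST=203.0.113.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=443 SEQ=1 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  2 22:38:14 RT-AC3100-0548 kernel: unrelated message without a SRC field'

# Per banned source: dropped-packet count and the distinct ports it hit.
# Reads log text on stdin; prints "<count> <src> <port,...>", busiest first.
# Outbound drops and lines without a SRC field are ignored.
blocked_inbound_summary() {
    grep -F '[BLOCKED - INBOUND]' | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "SRC=") == 1) { src = substr($i, 5) }
            else if (index($i, "DPT=") == 1) { dpt = substr($i, 5) }
        }
        if (src == "") next
        n[src]++
        if (dpt != "" && !((src, dpt) in seen)) {
            seen[src, dpt] = 1
            ports[src] = (ports[src] == "") ? dpt : (ports[src] "," dpt)
        }
    } END { for (s in n) print n[s], s, ports[s] }' | sort -rn
}

# The same drops keyed on destination port: how often was 443 hit overall?
blocked_inbound_by_port() {
    grep -F '[BLOCKED - INBOUND]' | awk '{
        for (i = 1; i <= NF; i++)
            if (index($i, "DPT=") == 1) { n[substr($i, 5)]++; break }
    } END { for (p in n) print n[p], p }' | sort -rn
}

# On the router the input would be /tmp/syslog.log (the syslogloc in skynet.cfg);
# here the constructed sample is used so the script runs anywhere.
printf '%s\n' "$SAMPLE_LOG" | blocked_inbound_summary
printf '%s\n' "$SAMPLE_LOG" | blocked_inbound_by_port
```

In the sample the busiest line is the one source that probed both 443 and 22, which is the shape of what the thread's log shows: the same banned IPs hitting whatever ports are popular, not a rule on port 443 itself.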
 
When running netstat I see that pixelserv is indeed internally listening on port 443, which definitely causes trouble. Still, I'm confused on how and why Skynet blocks 443 inbound.

As Dave mentioned, Skynet only blocks specific IPs, not ports. You can use the stat data to see why an individual IP is blocked and assess the situation accordingly.

Code:
sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

Pardon my ignorance. I had the impression that port 443 was good for running an OpenVPN server. Should I stick with a more random port?

You should stick to the default port (1194) for OpenVPN.
 
Hello

Today I changed the OpenVPN server listening port to tcp 443.
I’m noticing that skynet is blocking all inbound connections to this port.
Can you please advise on how I can allow incoming connections to reach this port?

thanks
Please see elorimer’s solution for using port 443 for the OpenVPN server when running pixelserv-tls:

https://www.snbforums.com/threads/ab-solution-the-ad-blocking-solution.37511/page-154#post-405500

Without contradicting Adamm’s advice, as for using Port 443 TCP, I have one server set to that for those occasions where a public wifi won’t let me connect to OpenVPN normally. But I have run into the odd wifi where they really have it sewn up and I can’t connect even to 443, at which point I disconnect.
 
Thanks to all!

Skynet was just blocking incoming connections from China (which I have indeed banned).

Regarding port 443, I often connect from some public wifi networks which block several higher ports (in my case TCP 50000).
 
Hello all, I am new to Skynet and love this program! I really did not realize how many intrusion attempts there are on the web in daily use, especially when using a VPN client. I have a problem that has developed in the last 24 hours: Skynet was down when I went to add 2 URLs to ban. I rebooted my Merlin router (RT-AC86U) and started Skynet, only to find this message:
[*] Lock File Detected (start skynetloc=/tmp/mnt/86u/skynet) (pi=6981)
[*] Locked Processes Generally Take 1-2 Minutes to Complete And May Result in Temporarily "Failed" Tests

IPTables Rules | [Failed]

Does anyone have a suggestion on what I can do to correct this failure?
Thanks for any help
 

Does anyone have a suggestion on what I can do to correct this failure?
Thanks for any help

What's the output of:

Code:
sh /jffs/scripts/firewall debug info
 
