Skynet Skynet - Router Firewall & Security Enhancements

[dev_null]

Here are the countries I have banned based on frequency of hits or figuring nothing good can come from them. af,bg,br,bz,cn,cz,ee,ge,gr,iq,ir,kp,lv,md,mk,ng,nl,pl,ro,ru,ve

I'm apparently even more paranoid than most (145369 IPs -- 42416 Ranges Banned):

ru cn ir iq ua by al af ba az bg cz kp kz kg ly md ng pk rs ro sk ye dz bn bo hr ly ne cs sa sy su br bz ee ge lv mk nl pl ve

 

[Mutzli]

I'm apparently even more paranoid than most (145369 IPs -- 42416 Ranges Banned):

ru cn ir iq ua by al af ba az bg cz kp kz kg ly md ng pk rs ro sk ye dz bn bo hr ly ne cs sa sy su br bz ee ge lv mk nl pl ve

I don't think you're, I have a similar amount of countries blocked:
cn ru sc ua ee ls gr ba bg hr cz ge hu kg lv lt mc kp ro sk vn uz lk br ar cl co pa py uy iq ir jm

 

[Rhialto]

Does it require latest firmware? I don't think so reading nothing about this in first post but if so, is there a firmware check done so people don't break last working version? Just curious as I'm still on 380.68_4

 

[EmeraldDeer]

Yeah I get easily 400 total an hour. I just wonder what have I done to bring this on? Or is this just random stuff? I usually see 250 to 300 and hour. Now like I say about 400 to 500 per hour with an occasional spike. 80% of my blocked traffic is from Russia Federation.

I am seeing less than 100 hits per hour from Russia. It is almost entirely from two IP addresses, one port scanning in the 33000 range and the other in the 34000 range. I do not block by country.

[i] Monitoring From Dec 25 21:00:12 To Dec 26 21:25:13

Top 10 Blocks (Inbound);
--------   | --------------       | --------------                                          | --------------                                | ----------------------
| Hits |   | | IP Address |       | | AlienVault |                                          | | Ban Reason |                                | | Associated Domains |
--------   | --------------       | --------------                                          | --------------                                | ----------------------

1155x      | 45.141.85.3     (RU) | https://otx.alienvault.com/indicator/ip/45.141.85.3     | BanMalware: firehol_level3.netset             |
1117x      | 194.26.69.100   (RU) | https://otx.alienvault.com/indicator/ip/194.26.69.100   | BanMalware: firehol_level3.netset             |
334x       | 148.251.48.231  (DE) | https://otx.alienvault.com/indicator/ip/148.251.48.231  | BanMalware: blocklist_net_ua.ipset            |
92x        | 185.156.73.52   (NL) | https://otx.alienvault.com/indicator/ip/185.156.73.52   | BanMalware: alienvault_reputation.ipset       |
67x        | 92.118.37.58    (RU) | https://otx.alienvault.com/indicator/ip/92.118.37.58    | BanMalware: firehol_level3.netset             |
67x        | 92.118.37.53    (RU) | https://otx.alienvault.com/indicator/ip/92.118.37.53    | BanMalware: firehol_level3.netset             |
64x        | 185.156.73.64   (NL) | https://otx.alienvault.com/indicator/ip/185.156.73.64   | BanMalware: alienvault_reputation.ipset       |
61x        | 185.156.73.66   (NL) | https://otx.alienvault.com/indicator/ip/185.156.73.66   | BanMalware: alienvault_reputation.ipset       |
57x        | 92.118.37.55    (RU) | https://otx.alienvault.com/indicator/ip/92.118.37.55    | BanMalware: firehol_level3.netset             |
53x        | 92.118.37.83    (RU) | https://otx.alienvault.com/indicator/ip/92.118.37.83    | BanMalware: firehol_level3.netset             |


Blacklist Reason;
 "BanMalware: firehol_level3.netset"

[i] IP Location - Russia (UGB Hosting OU / AS206485)

[i] 45.141.85.3 First Tracked On Dec 25 21:03:37
[i] 45.141.85.3 Last Tracked On Dec 26 21:30:53
[i] 1159 Blocks Total

Top 10 Targeted Ports From 45.141.85.3 (Inbound);

--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------

1x         | 33029      | https://www.speedguide.net/port.php?port=33029
1x         | 33022      | https://www.speedguide.net/port.php?port=33022
1x         | 33019      | https://www.speedguide.net/port.php?port=33019
1x         | 33017      | https://www.speedguide.net/port.php?port=33017
1x         | 33016      | https://www.speedguide.net/port.php?port=33016
1x         | 33015      | https://www.speedguide.net/port.php?port=33015
1x         | 33013      | https://www.speedguide.net/port.php?port=33013
1x         | 33010      | https://www.speedguide.net/port.php?port=33010
1x         | 33009      | https://www.speedguide.net/port.php?port=33009
1x         | 33008      | https://www.speedguide.net/port.php?port=33008


Blacklist Reason;
 "BanMalware: firehol_level3.netset"

[i] IP Location - Russia (Undefined / Undefined)

[i] 194.26.69.100 First Tracked On Dec 25 21:01:10
[i] 194.26.69.100 Last Tracked On Dec 26 21:32:26
[i] 1124 Blocks Total

Top 10 Targeted Ports From 194.26.69.100 (Inbound);

--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------

1x         | 34031      | https://www.speedguide.net/port.php?port=34031
1x         | 34030      | https://www.speedguide.net/port.php?port=34030
1x         | 34028      | https://www.speedguide.net/port.php?port=34028
1x         | 34026      | https://www.speedguide.net/port.php?port=34026
1x         | 34024      | https://www.speedguide.net/port.php?port=34024
1x         | 34021      | https://www.speedguide.net/port.php?port=34021
1x         | 34019      | https://www.speedguide.net/port.php?port=34019
1x         | 34018      | https://www.speedguide.net/port.php?port=34018
1x         | 34012      | https://www.speedguide.net/port.php?port=34012
1x         | 34011      | https://www.speedguide.net/port.php?port=34011

 

[SomeWhereOverTheRainBow]

I am seeing less than 100 hits per hour from Russia. It is almost entirely from two IP addresses, one port scanning in the 33000 range and the other in the 34000 range. I do not block by country.

[i] Monitoring From Dec 25 21:00:12 To Dec 26 21:25:13

Top 10 Blocks (Inbound);
--------   | --------------       | --------------                                          | --------------                                | ----------------------
| Hits |   | | IP Address |       | | AlienVault |                                          | | Ban Reason |                                | | Associated Domains |
--------   | --------------       | --------------                                          | --------------                                | ----------------------

1155x      | 45.141.85.3     (RU) | https://otx.alienvault.com/indicator/ip/45.141.85.3     | BanMalware: firehol_level3.netset             |
1117x      | 194.26.69.100   (RU) | https://otx.alienvault.com/indicator/ip/194.26.69.100   | BanMalware: firehol_level3.netset             |
334x       | 148.251.48.231  (DE) | https://otx.alienvault.com/indicator/ip/148.251.48.231  | BanMalware: blocklist_net_ua.ipset            |
92x        | 185.156.73.52   (NL) | https://otx.alienvault.com/indicator/ip/185.156.73.52   | BanMalware: alienvault_reputation.ipset       |
67x        | 92.118.37.58    (RU) | https://otx.alienvault.com/indicator/ip/92.118.37.58    | BanMalware: firehol_level3.netset             |
67x        | 92.118.37.53    (RU) | https://otx.alienvault.com/indicator/ip/92.118.37.53    | BanMalware: firehol_level3.netset             |
64x        | 185.156.73.64   (NL) | https://otx.alienvault.com/indicator/ip/185.156.73.64   | BanMalware: alienvault_reputation.ipset       |
61x        | 185.156.73.66   (NL) | https://otx.alienvault.com/indicator/ip/185.156.73.66   | BanMalware: alienvault_reputation.ipset       |
57x        | 92.118.37.55    (RU) | https://otx.alienvault.com/indicator/ip/92.118.37.55    | BanMalware: firehol_level3.netset             |
53x        | 92.118.37.83    (RU) | https://otx.alienvault.com/indicator/ip/92.118.37.83    | BanMalware: firehol_level3.netset             |


Blacklist Reason;
 "BanMalware: firehol_level3.netset"

[i] IP Location - Russia (UGB Hosting OU / AS206485)

[i] 45.141.85.3 First Tracked On Dec 25 21:03:37
[i] 45.141.85.3 Last Tracked On Dec 26 21:30:53
[i] 1159 Blocks Total

Top 10 Targeted Ports From 45.141.85.3 (Inbound);

--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------

1x         | 33029      | https://www.speedguide.net/port.php?port=33029
1x         | 33022      | https://www.speedguide.net/port.php?port=33022
1x         | 33019      | https://www.speedguide.net/port.php?port=33019
1x         | 33017      | https://www.speedguide.net/port.php?port=33017
1x         | 33016      | https://www.speedguide.net/port.php?port=33016
1x         | 33015      | https://www.speedguide.net/port.php?port=33015
1x         | 33013      | https://www.speedguide.net/port.php?port=33013
1x         | 33010      | https://www.speedguide.net/port.php?port=33010
1x         | 33009      | https://www.speedguide.net/port.php?port=33009
1x         | 33008      | https://www.speedguide.net/port.php?port=33008


Blacklist Reason;
 "BanMalware: firehol_level3.netset"

[i] IP Location - Russia (Undefined / Undefined)

[i] 194.26.69.100 First Tracked On Dec 25 21:01:10
[i] 194.26.69.100 Last Tracked On Dec 26 21:32:26
[i] 1124 Blocks Total

Top 10 Targeted Ports From 194.26.69.100 (Inbound);

--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------

1x         | 34031      | https://www.speedguide.net/port.php?port=34031
1x         | 34030      | https://www.speedguide.net/port.php?port=34030
1x         | 34028      | https://www.speedguide.net/port.php?port=34028
1x         | 34026      | https://www.speedguide.net/port.php?port=34026
1x         | 34024      | https://www.speedguide.net/port.php?port=34024
1x         | 34021      | https://www.speedguide.net/port.php?port=34021
1x         | 34019      | https://www.speedguide.net/port.php?port=34019
1x         | 34018      | https://www.speedguide.net/port.php?port=34018
1x         | 34012      | https://www.speedguide.net/port.php?port=34012
1x         | 34011      | https://www.speedguide.net/port.php?port=34011

how did you get this output lol?

 

[EmeraldDeer]

how did you get this output lol?

The first part is excerpted from the default [13] Stats top 10 report with [11] Settings "Stats Country Lookup" Enabled.

The second and third parts are excerpted from:
firewall stats search ip 45.141.85.3
firewall stats search ip 194.26.69.100

 

[Val D.]

I'm apparently even more paranoid than most (145369 IPs -- 42416 Ranges Banned):

ru cn ir iq ua by al af ba az bg cz kp kz kg ly md ng pk rs ro sk ye dz bn bo hr ly ne cs sa sy su br bz ee ge lv mk nl pl ve

You don't have full access to Internet anymore. There are big data centers providing common Internet resources in some countries you have blocked. You basically limit yourself. As people say, too much of anything is good for nothing.

 

[RMerlin]

There is generally no point in blocking countries on a home connection when all these connection attempts are already dropped by your firewall's default policy (which is DROP). Such blocklists only make sense if you are actually hosting an Internet-facing server (like a website) and wanted to limit access to it.

 

[Dee dee]

Adamm,

Ignore my previous post, Since i updated to version 7 it hasn't happened. I will post debug if it does.

 

[Bamsefar]

There is generally no point in blocking countries on a home connection when all these connection attempts are already dropped by your firewall's default policy (which is DROP). Such blocklists only make sense if you are actually hosting an Internet-facing server (like a website) and wanted to limit access to it.

I may not concur on this. I think there is a reason for blocking countries, and that is if you for example browse the web and hit a webpage that has for example an ad (-provider) which is hosted in a country where one may or may not like/prefer to be connected to.

 

[Jumpstarter]

one dirty way to block a list of domains, (don't recommend it though)

cat "domain.list" | while read -r a; do sh /jffs/scripts/firewall ban domain $a; done

 

[Val D.]

I may not concur on this. I think there is a reason for blocking countries, and that is if you for example browse the web and hit a webpage that has for example an ad (-provider) which is hosted in a country where one may or may not like/prefer to be connected to.

And this is exactly limiting yourself. The entire legitimate website or parts of it may be coming from one of the multiple European countries I see on the block list above.

 

[Bamsefar]

And this is exactly limiting yourself. The entire legitimate website or parts of it may be coming from one of the multiple European countries I see on the block list above.

Well it is a free world after all is it not? That also means that I can decide not to let some countries be acceptable for connection. Which is why I block a lot more than on that rather short list, and you know what, internet works just fine.

 

[dev_null]

You don't have full access to Internet anymore. There are big data centers providing common Internet resources in some countries you have blocked. You basically limit yourself. As people say, too much of anything is good for nothing.

Thanks for the feedback. I've tested the apps and services we use and whitelisted a few that were blocked by the above, but otherwise no issues identified (and the whole family is home for the holidays so I'd be sure to know).

FWIW, over time I've monitored reports for the "least offenders" and dropped a few countries from this list and will continue to do so.

@Adamm, is there a way to output the report to a file (I use the display option usually)?

EDIT: NM. "sh /jffs/scripts/firewall stats 20 > skynet.txt" accomplishes that (tho with a lot of extraneous characters, but still readable). Cheers,

 

[Mutzli]

Does it require latest firmware? I don't think so reading nothing about this in first post but if so, is there a firmware check done so people don't break last working version? Just curious as I'm still on 380.68_4

You do need the latest firmware for Skynet. Skynet will now require at least v384.13 or the latest curl package from Entware.

 

[Adamm]

EDIT: NM. "sh /jffs/scripts/firewall stats 20 > skynet.txt" accomplishes that (tho with a lot of extraneous characters, but still readable). Cheers,

The command was never designed to be visually pleasing when output to a file, but to make it somewhat more readable you can do the following;

sh /jffs/scripts/firewall stats | sed -r 's/'$(echo -e "\033")'\[[0-9]{1,2}(;([0-9]{1,2})?)?[mK]//g' | strings > skynet.txt

 

[martinr]

The command was never designed to be visually pleasing when output to a file, but to make it somewhat more readable you can do the following;

sh /jffs/scripts/firewall stats | sed -r 's/'$(echo -e "\033")'\[[0-9]{1,2}(;([0-9]{1,2})?)?[mK]//g' | strings > skynet.txt

And skynet.txt can be found in the root directory.

i marvel at the amount of knowledge and experience it must take to come up with a line of code like that. I’m sure you regard it as trivial.

 

[Jack Yaz]

The command was never designed to be visually pleasing when output to a file, but to make it somewhat more readable you can do the following;

sh /jffs/scripts/firewall stats | sed -r 's/'$(echo -e "\033")'\[[0-9]{1,2}(;([0-9]{1,2})?)?[mK]//g' | strings > skynet.txt

any objections if i dabble with a uiSkynet similar to the diversion stats, when 384.15 lands?

 

[Rhialto]

You do need the latest firmware for Skynet. Skynet will now require at least v384.13 or the latest curl package from Entware.

Then first post need to reflect this, right @Adamm ? Also, does Skynet check firmware version to avoid installation on older/not supported firmware version?

 

[Adamm]

Then first post need to reflect this, right @Adamm ? Also, does Skynet check firmware version to avoid installation on older/not supported firmware version?

v384.13 or the latest curl package from Entware.

Emphasis on the "or". Skynet will automatically handle this in the background assuming you have entware installed. Although the latest firmware version is generally recommended for the best user experience.