Skynet - Router Firewall & Security Enhancements


Adamm

Part of the Furniture
ahh, I load it with amtm, I'm not even sure what to do with above. I guess I'll have to wait.

Not ready for public consumption just yet. This is going to be a big update (which seems to get bigger every day new features are added :p), along with adding support for an upcoming firmware addon API/guidelines. Lots of moving parts to worry about so I want to make sure everything is perfect and thoroughly tested before release.
 

XIII

Very Senior Member
May I suggest you not turn on SSH from WAN, and instead VPN in first :)
Of course, but from what I learned here remote SSH via Dropbear is already a lot safer than remote web GUI (and maybe a bit extra because I use keys instead of passwords for SSH).
 

XIII

Very Senior Member
If they can setup a DDNS name for their WAN IP, you can add that name to your whitelist.
They no longer use an ASUS router, but the one from their ISP instead.

I’m not sure whether it would help, because I believe SkyNet uses the IP address instead of the DNS name when whitelisting.
 

XIII

Very Senior Member
I’m not sure whether it would help, because I believe SkyNet uses the IP address instead of the DNS name when whitelisting.
Worse: I added their current IP to the whitelist, and while it did not change, I got banned again today, when trying to log in remotely from their location.

@Adamm Why does an IP still get banned if it's in the whitelist?

(I'm experimenting with SSH keys, so I'm doing a lot of consecutive logins in a short amount of time)
 

Adamm

Part of the Furniture
Worse: I added their current IP to the whitelist, and while it did not change

Must have changed or you unbanned it rather than whitelisted. It's impossible for the blacklist to take priority over the whitelist.

(I'm experimenting with SSH keys, so I'm doing a lot of consecutive logins in a short amount of time)

Are you using a VPN or do you have SSH exposed to WAN? If the latter, Skynet hijacks the SSH BFD (brute force detection) and will blacklist you if you hit 5 failed attempts in 60 seconds.
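
A worked illustration of that 5-failures-in-60-seconds rule, added here as an editor's example rather than Skynet's own code: a POSIX sh/awk sliding-window check over constructed dropbear log lines, with the whitelist consulted before any counting, so a whitelisted source can never be banned no matter how many failures it racks up. The log format, counters and function names are assumptions; Skynet's real log parsing and ipset handling are not reproduced.

```shell
#!/bin/sh
# Editor's example, not Skynet code. Sliding-window SSH brute-force check:
# ban a source after BFD_MAX failed logins within BFD_WINDOW seconds,
# unless the source is whitelisted. Log format and names are assumed.
BFD_MAX=5
BFD_WINDOW=60

# Constructed sample log (busybox syslog style, dropbear messages),
# in chronological order as a real log would be.
sample_log() {
cat <<'EOF'
Jan  1 10:00:01 router dropbear[1201]: Bad password attempt for 'admin' from 203.0.113.5:51234
Jan  1 10:00:02 router dropbear[1202]: Bad password attempt for 'admin' from 198.51.100.7:40001
Jan  1 10:00:03 router dropbear[1203]: Bad password attempt for 'admin' from 198.51.100.7:40002
Jan  1 10:00:04 router dropbear[1204]: Bad password attempt for 'admin' from 198.51.100.7:40003
Jan  1 10:00:05 router dropbear[1205]: Bad password attempt for 'admin' from 198.51.100.7:40004
Jan  1 10:00:06 router dropbear[1206]: Bad password attempt for 'admin' from 198.51.100.7:40005
Jan  1 10:00:09 router dropbear[1207]: Bad password attempt for 'admin' from 203.0.113.5:51240
Jan  1 10:00:20 router dropbear[1208]: Bad password attempt for 'admin' from 203.0.113.5:51251
Jan  1 10:00:31 router dropbear[1209]: Bad password attempt for 'admin' from 203.0.113.5:51260
Jan  1 10:00:45 router dropbear[1210]: Bad password attempt for 'admin' from 203.0.113.5:51277
Jan  1 10:00:50 router dropbear[1211]: Password auth succeeded for 'admin' from 203.0.113.5:51290
Jan  1 10:01:00 router dropbear[1212]: Bad password attempt for 'admin' from 192.0.2.9:33001
Jan  1 10:02:10 router dropbear[1213]: Bad password attempt for 'admin' from 192.0.2.9:33002
Jan  1 10:03:20 router dropbear[1214]: Bad password attempt for 'admin' from 192.0.2.9:33003
Jan  1 10:04:30 router dropbear[1215]: Bad password attempt for 'admin' from 192.0.2.9:33004
Jan  1 10:05:40 router dropbear[1216]: Bad password attempt for 'admin' from 192.0.2.9:33005
EOF
}

# bfd_check WHITELIST   (reads the log on stdin)
# WHITELIST is a space-separated list of IPs. Prints each IP to ban, once,
# at the moment it crosses the threshold.
bfd_check() {
  awk -v max="$BFD_MAX" -v win="$BFD_WINDOW" -v wl="$1" '
  BEGIN { n = split(wl, a, " "); for (i = 1; i <= n; i++) white[a[i]] = 1 }
  /dropbear\[[0-9]+\]: Bad password attempt/ {
    split($3, t, ":")                       # HH:MM:SS -> seconds of day
    ts = t[1] * 3600 + t[2] * 60 + t[3]
    ip = $NF; sub(/:[0-9]+$/, "", ip)       # strip the source port
    if (ip in white || ip in banned) next   # whitelist wins, always
    if (!(ip in head)) head[ip] = 0
    cnt[ip]++; hits[ip, cnt[ip]] = ts
    # slide the window: forget attempts older than win seconds
    while (head[ip] < cnt[ip] && hits[ip, head[ip] + 1] < ts - win) head[ip]++
    if (cnt[ip] - head[ip] >= max) { banned[ip] = 1; print ip }
  }'
}

# Usage: sample_log | bfd_check "203.0.113.5"
# 198.51.100.7 is banned (5 failures in 5 s); 203.0.113.5 also reaches 5
# within 60 s but is whitelisted; 192.0.2.9 never has 5 inside one window.
```

The whitelist test sits before the counter is touched, which is the property Adamm describes: a whitelisted address is invisible to the ban logic, so if an address still gets banned it was not in the whitelist at the time (or was a different address).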
 

Adamm

Part of the Furniture
I’m not sure whether it would help, because I believe SkyNet uses the IP address instead of the DNS name when whitelisting.

Correct but Skynet updates these entries every time the Refresh_MWhitelist() function is called (during startup/malware list updates/manual running).
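
To make that refresh behaviour concrete, an added editor's example (not Skynet's Refresh_MWhitelist() and not its file format): the whitelist holds raw IPs and DDNS names, each refresh re-resolves the names, so a name entry follows an address change while an IP copied in by hand silently goes stale. The name lookup is a constructed table standing in for nslookup so the script runs offline; the file layout, names and addresses are assumptions.

```shell
#!/bin/sh
# Editor's example, not Skynet's Refresh_MWhitelist(). Rebuilds the
# effective whitelist from a file of IPs and DDNS hostnames; hostnames are
# re-resolved on every refresh. Names, paths and the file format are assumed.

# Constructed stand-in for DNS (name -> current address). On a router this
# would be an nslookup/dig call; the table keeps the example offline.
DNS_TABLE="home.example.ddns 203.0.113.5"

resolve_name() {
  printf '%s\n' "$DNS_TABLE" |
    awk -v n="$1" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# Crude IPv4 literal test: digits and dots only, nothing else.
is_ipv4() { case "$1" in "" | *[!0-9.]*) return 1 ;; esac; return 0; }

# refresh_whitelist FILE -> effective IP set (sorted, deduplicated, the way
# an ipset would hold it). Unresolvable names are reported, not fatal.
refresh_whitelist() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
  while read -r entry; do
    if is_ipv4 "$entry"; then
      printf '%s\n' "$entry"                 # raw IP: used exactly as written
    elif ip=$(resolve_name "$entry"); then
      printf '%s\n' "$ip"                    # name: whatever it resolves to now
    else
      printf 'whitelist: cannot resolve %s\n' "$entry" >&2
    fi
  done | sort -u
}

# Constructed whitelist: a hand-copied IP (what the poster did) plus the
# DDNS name for the same site.
WL_FILE=$(mktemp)
trap 'rm -f "$WL_FILE"' EXIT
cat > "$WL_FILE" <<'EOF'
# Skynet-style whitelist, one entry per line
203.0.113.5
home.example.ddns
EOF

# First refresh: both entries collapse to 203.0.113.5.
# Now the remote site's address changes; only the DDNS entry follows it:
#   DNS_TABLE="home.example.ddns 203.0.113.77"; refresh_whitelist "$WL_FILE"
# -> 203.0.113.5 (stale hand copy) and 203.0.113.77 (current)
```

The practical consequence for the situation in the thread: if the remote side has any DDNS name at all, whitelist the name and let the refresh keep it current; a bare IP only stays correct for as long as the ISP leaves it alone.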
 

Adamm

Part of the Furniture


Here's another 2020 spoiler :eek:


Happy New Year!
 

thelonelycoder

Part of the Furniture
Here's another 2020 spoiler :eek:
Happy New Year!
:cool: You're ahead of all of us. Hope the bush fires don't bother you too much and rain is coming your way soon.
 

Adamm

Part of the Furniture
SSH exposed to WAN, but I did not have 5 failed attempts.

In any case, maybe you accidentally unbanned the IP the first time rather than whitelisted it, or they did in fact have a dynamic IP. Those are the only two explanations.
 

Jo Sidarta

Occasional Visitor
Hi @Adamm thanks for creating such an awesome script! Just sent a donation to your account.

With the country ban, is there a way to block inbound connection only (from the countries selected)? and not both connections.
Last time I applied a couple of countries, and I was not able to access some websites (most likely because their server is located on the countries I banned).
 

Adamm

Part of the Furniture
Hi @Adamm thanks for creating such an awesome script! Just sent a donation to your account.

Appreciate the generosity.

With the country ban, is there a way to block inbound connection only (from the countries selected)? and not both connections.
Last time I applied a couple of countries, and I was not able to access some websites (most likely because their server is located on the countries I banned).

We do support selective filtering (either inbound/outbound), the issue is to establish a connection both parties must make a "handshake" meaning communication is required from both sides. So with the current IPTables setup it's just not possible to have the best of both worlds.
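
An added illustration of the iptables/ipset mechanics behind that answer (editor's example, not Skynet's own rule set; the set name, WAN interface and function names are assumptions). The thing to see is that a plain inbound rule keyed on the source address also drops the SYN-ACK coming back from a server your own browser contacted, so either direction alone still breaks connections to the banned country. The last function shows the usual conntrack refinement, matching only packets that would open a NEW connection, which is how an inbound-only block is normally expressed in iptables; whether that fits Skynet's rule layout is a question for the script, not for this example. The block runs in dry-run mode by default and only prints the commands it would run.

```shell
#!/bin/sh
# Editor's example, not Skynet's rules. Set name, WAN interface and
# function names are assumptions. DRY_RUN=1 (default) prints the iptables
# commands instead of running them, so this can be read without root.
DRY_RUN=${DRY_RUN:-1}
SET=Skynet-Country   # assumed ipset holding the banned countries' CIDRs
WAN=eth0             # assumed WAN interface

ipt() {
  if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# country_rules inbound|outbound|both
# These match every packet, whatever its connection state.
country_rules() {
  case "$1" in
    inbound|both)
      # Drops packets arriving from the set on WAN. That includes the
      # SYN-ACK a banned-country web server sends back to your browser,
      # so your own outbound connection to that server never completes.
      ipt -I INPUT   -i "$WAN" -m set --match-set "$SET" src -j DROP
      ipt -I FORWARD -i "$WAN" -m set --match-set "$SET" src -j DROP ;;
  esac
  case "$1" in
    outbound|both)
      # Drops packets leaving towards the set, SYN included: the LAN
      # cannot open connections there, and replies to inbound ones die too.
      ipt -I FORWARD -o "$WAN" -m set --match-set "$SET" dst -j DROP
      ipt -I OUTPUT  -o "$WAN" -m set --match-set "$SET" dst -j DROP ;;
  esac
}

# Inbound-only that leaves LAN-initiated connections alone: match only
# packets that would create a NEW conntrack entry. Replies to connections
# the LAN opened are ESTABLISHED and fall through to the rest of the chain.
country_rules_new_only() {
  ipt -I INPUT   -i "$WAN" -m conntrack --ctstate NEW -m set --match-set "$SET" src -j DROP
  ipt -I FORWARD -i "$WAN" -m conntrack --ctstate NEW -m set --match-set "$SET" src -j DROP
}

# rule_count MODE -> number of rules country_rules would install
rule_count() { country_rules "$1" | wc -l | tr -d ' '; }
```

Rule order is the other half of the story: everything here is inserted with -I, so whatever is inserted last ends up first in the chain. A whitelist ACCEPT that is inserted after the country DROPs is evaluated before them, which is the same ordering guarantee Adamm relies on when he says the blacklist can never outrank the whitelist.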
 

XIII

Very Senior Member
Today I started using NextDNS.io as my DNS over TLS server. This worked fine for a couple of hours, until suddenly domain name resolving completely stopped. It started working again when I temporarily disabled SkyNet and immediately broke again when I re-enabled SkyNet. The strange thing is that there are no SkyNet (debug) logs whatsoever when domain name resolving fails.

Yesterday when I was still using Cloudflare (and Quad9) I also had a lot of domain name resolving issues, but I did not think of disabling SkyNet. Maybe that was related, maybe not.

When there are no debug logs, what can I do to investigate/fix this?

I would like to use both NextDNS and SkyNet at the same time...
 

Adamm

Part of the Furniture
Today I started using NextDNS.io as my DNS over TLS server. This worked fine for a couple of hours, until suddenly domain name resolving completely stopped. It started working again when I temporarily disabled SkyNet and immediately broke again when I re-enabled SkyNet. The strange thing is that there are no SkyNet (debug) logs whatsoever when domain name resolving fails.

Yesterday when I was still using Cloudflare (and Quad9) I also had a lot of domain name resolving issues, but I did not think of disabling SkyNet. Maybe that was related, maybe not.

When there are no debug logs, what can I do to investigate/fix this?

I would like to use both NextDNS and SkyNet at the same time...

With logging enabled, Skynet will always log every block event. There is never an exception to this rule (and for good reason! :p). So if Skynet was the cause, there will be logs.
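
A concrete version of that check, added as an editor's example (not a Skynet command): scan the router syslog for Skynet outbound block events whose destination is one of the DoT or DNS upstreams on port 853 or 53. The log prefix and the key=value fields follow the iptables LOG line layout, but the sample lines, the resolver addresses (documentation ranges standing in for the real NextDNS/Cloudflare/Quad9 ones), the log path and the function names are constructed for the example.

```shell
#!/bin/sh
# Editor's example, not a Skynet command. Finds Skynet outbound block events
# against DNS-over-TLS (853) or plain DNS (53) upstreams in a syslog.
# Sample lines are constructed; resolver IPs are documentation-range stand-ins.

sample_syslog() {
cat <<'EOF'
Jan  1 12:00:01 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.1 DST=192.0.2.53 LEN=60 PROTO=TCP SPT=41000 DPT=853 SYN
Jan  1 12:00:01 router kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=50000 DPT=853 SYN
Jan  1 12:00:04 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.1 DST=192.0.2.53 LEN=60 PROTO=TCP SPT=41001 DPT=853 SYN
Jan  1 12:00:05 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.99 LEN=60 PROTO=TCP SPT=52000 DPT=443 SYN
Jan  1 12:00:07 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.1 DST=192.0.2.54 LEN=52 PROTO=UDP SPT=41002 DPT=53
Jan  1 12:00:09 router dnsmasq[2100]: query[A] example.com from 192.168.1.20
EOF
}

# dns_block_check "IP IP ..."   (syslog on stdin)
# Prints "DST PORT COUNT" for every upstream in the list that Skynet blocked
# outbound on 853 or 53. Empty output means Skynet did not block them.
dns_block_check() {
  awk -v list="$1" '
  BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
  /\[BLOCKED - OUTBOUND\]/ {
    dst = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^DST=/) dst = substr($i, 5)
      if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if ((dst in want) && (dpt == "853" || dpt == "53")) hits[dst " " dpt]++
  }
  END { for (k in hits) print k, hits[k] }' | sort
}

# On the router (assumed log path): dns_block_check "192.0.2.53 192.0.2.54" < /tmp/syslog.log
# A hit names the set to look in next, e.g.  ipset test Skynet-Blacklist 192.0.2.53
# (set name assumed). No hits while DoT still fails points away from Skynet's
# filtering and towards dnsmasq/stubby itself, which matches the dnsmasq
# restart the next post mentions.
```

Inbound blocks are deliberately ignored: a dropped unsolicited packet to port 853 on the WAN side says nothing about whether the router's own queries to the upstream are getting out.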
 

XIII

Very Senior Member
That's what I thought.

Still, so far it only reproduces with SkyNet active - and almost immediately. After disabling SkyNet I also have to restart the dnsmasq service to get DNS working again.

I'm afraid I'll have to run without SkyNet for a while to see that the problem also reproduces without SkyNet.
 
