Skynet Skynet - Router Firewall & Security Enhancements

[Marin]

My Skynet did not survive the reboot once again even after updating and applying the web GUI restart/refresh command. Will retry again or reformat my USb drive and reinstall everything to see if that makes a difference.


Sent from my iPhone using Tapatalk

 

[Marin]

It survived the reboot! We are back in business! Thank you @Adamm!

 

[L&LD]

@Marin, was it just an additional reboot needed? Or did you have to nuke the USB drive and the JFFS partition too?

 

[Marin]

@Marin, was it just an additional reboot needed? Or did you have to nuke the USB drive and the JFFS partition too?

Just an additional reboot but it took a little for the tab to appear.

 

[dev_null]

The command was never designed to be visually pleasing when output to a file, but to make it somewhat more readable you can do the following;

sh /jffs/scripts/firewall stats | sed -r 's/'$(echo -e "\033")'\[[0-9]{1,2}(;([0-9]{1,2})?)?[mK]//g' | strings > skynet.txt

While all of this amazing UI work has been rolling out, I was trying to hack together a way to email a Skynet report to myself - a la the Diversion weekly report.

For those interested, it's ugly as heck, but seems to work.

Note: this is run as two CRON jobs: the first creates the report (takes about 10-12 minutes for "top 50") and the second CRON job emails the output file. These are separated by 30-45 minutes to ensure the file is ready. As I said, it's not elegant.

EDIT: UPDATED TO NOW INCLUDE A SUBJECT LINE and Friendly From Name as part of the mime process (cribbed from @thelonelycoder Diversion email communication process in stats.div - thanks to @Adamm for the hint).

1) Create the report as Adamm laid out in his reply to me (above)

Spoiler: Create the report

I set this up as a cron job under services-start (cru a skynet-wkly "22 2 * * SAT sh /jffs/scripts/skynet-stats") to run weekly. Be sure to make it executable.

#!/bin/sh
sh /jffs/scripts/firewall stats 50 | sed -r 's/'$(echo -e "\033")'\[[0-9]{1,2}(;([0-9]{1,2})?)?[mK]//g' | strings > skynet.txt

2) Mime and email the report (so it comes as an attachment; inline is possible but more likely to be considered SP4M due to the number of "links" in the report)

Spoiler: Mime and email

I set this up as a cron job under services-start (cru a skynet-email "45 2 * * SAT sh /jffs/scripts/skynet-email") to run weekly, after the report runs. If it runs too close to the report generation, there are errors. Also - you may need the full path to these files (/home/root) - seems to run fine in my case but YMMV. Be sure that you make this executable.

#!/bin/sh
FROM="Skynet Weekly Stats"
AUTH="[email protected]"
PASS="secret"
TO="[email protected]"
FRIENDLY_ROUTER_NAME="Your Router Name"

makemime skynet.txt
makemime -a"Subject: $FRIENDLY_ROUTER_NAME Router Stats $(date +"%F_%H.%M")" -a"From: $FROM" -o output.msg skynet.txt

cat /home/root/output.msg | sendmail -H"exec openssl s_client -quiet \
-CAfile /jffs/configs/Equifax_Secure_Certificate_Authority.pem \
-connect smtp.gmail.com:587 -tls1 -starttls smtp" \
-f"$FROM" \
-au"$AUTH" -ap"$PASS" $TO

You may need to 'wget' the Equifax PEM file too.

3) Finally, backup the skynet output file and give it a unique filename (save a copy before it is over-written) - this command can be added at the end of either of the scripts above.

Spoiler: Backup and give unique name

 cp -a skynet.txt "/tmp/mnt/path/to/backup/skynet-$(date +"%y-%d-%m").txt"

Unfortunately there is no subject line, and gmail may flag it as SP4M, so you may need to unflag it. Edit - figured the subject line out, see note above.

I tried to figure out how to use the email information already set up with Diversion, but could not, so took the separate email approach.

(I did read most all of the 5000+ posts in this thread but didn't see anything like this posted).

Cheers, (feedback and whatnot welcome!)

 

[QuikSilver]

@Adamm When I hover over the View Details URL link for "Last 10 Unique Connections Blocked (Outbound) (click to expand/collapse)" I see the tooltip as "http://192.168.1.1/user1.asp" and "http://192.168.1.1/US" for second link in same group. Other Alienvault URLs look to be correct. Seems to be the first and second items in the list.

 

[randomName]

Only 1 country can be banned at a time?

 

[Butterfly Bones]

Only 1 country can be banned at a time?

Put them all on one line with a space between at the prompt, just don't try to add one at a time, do them all at once.

 

[Adamm]

Uh, whoopsie!

I have had this ntp server battle intermittently for months. Thought I had whitelised the entire pool.ntp.org domain and solved it - guess not. @XIII this might be something of your issue, seeing your posts on this DNS niggle. @Adamm any comment?

Result of clicking View Details
https://otx.alienvault.com/indicator/ip/23.129.64.159

Looks like its also used as a TOR exit node which is why it was probably blacklisted, but as per usual I don't control the content on these lists so its up to the maintainer weather to remove it or not.

Is there a way we can collapse(default) source ports inbound or even remove from the page as it's really not significant to show as they are random anyway, that's my understanding.

I'll see if we can store the collapsed/open chart preferences as cookies much like we do the chart types. All data is useful data when trying to establish patterns

I created/formatted to NTFS to clear out previous ext2 then deleted partition and did a clean ext2.

I have removed the devices section in paste below...

Router Model; RT-AC1900P
Skynet Version;  (04/01/2020) (261a3ffac493975e67c86db6970e2133)
iptables v1.4.15 - (eth0 @ 192.168.x.x)
ipset v6.32, protocol version: 6
FW Version; 384.14_2 (Dec 31 2019) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/sdc5/skynet (3.0G / 3.7G Space Available)
SWAP File; /tmp/mnt/sdc5/myswap.swp (512.5M)
Uptime; 0 days, 20 hours, 13 minutes.
Ram Available; (181M / 249M)


--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
SWAP                                | [Passed]
Cron Jobs                           | [Failed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Failed]
Duplicate Rules In RAW              | [Passed]
Inbound Filter Rules                | [Failed]
Inbound Logging Rules               | [Failed]
Outbound Filter Rules               | [Failed]
Outbound Logging Rules              | [Failed]
Whitelist IPSet                     | [Failed]
BlockedRanges IPSet                 | [Failed]
Blacklist IPSet                     | [Failed]
Skynet IPSet                        | [Failed]
Diversion Plus Content              | [Failed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Disabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Enabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid Packets                 | [Disabled]
Ban AiProtect                       | [Enabled]
Secure Mode                         | [Enabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Default]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Disabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Disabled]

7/18 Tests Sucessful

Should I try to format JFFS partition at next boot?

Do you happen to have multiple partitions on your USB? Another user a few days ago had similar issues when trying to use NTFS/ext* partitions on the same USB. I highly suggest just 1x unified ext partition if you want things to work smoothly.

My Skynet did not survive the reboot once again even after updating and applying the web GUI restart/refresh command. Will retry again or reformat my USb drive and reinstall everything to see if that makes a difference.


Sent from my iPhone using Tapatalk

It survived the reboot! We are back in business! Thank you @Adamm!

Do you happen to have one of @Jack Yaz 's ui* scripts installed? As previously stated you will experience some oddities in behavior due to them racing to mount menuTree.js using the old and new methods.

@Adamm When I hover over the View Details URL link for "Last 10 Unique Connections Blocked (Outbound) (click to expand/collapse)" I see the tooltip as "http://192.168.1.1/user1.asp" and "http://192.168.1.1/US" for second link in same group. Other Alienvault URLs look to be correct. Seems to be the first and second items in the list.

Can't reproduce on my end but I'll look into it, mind sending me a copy of your stats.js file located in your skynet install directory.

 

[duceyaj]

I've been having some issues with Skynet not being able to start up properly.

Router Model; RT-AX88U
Skynet Version;  (04/01/2020) (261a3ffac493975e67c86db6970e21)
iptables v1.4.15 - (eth0 @ 192.168.50.1)
ipset v6.32, protocol version: 6
IP Address; (XXX.XXX.XXX.XXX)
FW Version; 384.14_0 (Dec 13 2019) (4.1.51)
Install Dir; /tmp/mnt/yangdrive/skynet (12.0G / 14.2G Space A)

IPTables Rules                      | [Failed]

Here is my debug output

--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
SWAP                                | [Passed]
Cron Jobs                           | [Passed]
IPSet Comment Support               | [Passed]
Log Level 6 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
Inbound Filter Rules                | [Failed]
Inbound Logging Rules               | [Failed]
Outbound Filter Rules               | [Failed]
Outbound Logging Rules              | [Failed]
Whitelist IPSet                     | [Passed]
BlockedRanges IPSet                 | [Passed]
Blacklist IPSet                     | [Passed]
Skynet IPSet                        | [Passed]
Diversion Plus Content              | [Passed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Enabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Enabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid Packets                 | [Disabled]
Ban AiProtect                       | [Enabled]
Secure Mode                         | [Enabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Default]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Disabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Enabled]

14/18 Tests Sucessful


==============================================================


[#] 0 IPs (+0) -- 0 Ranges Banned (+0) ||  Inbound --  Outbou]



[i] Press Enter To Continue...

Sent from my SM-G975U1 using Tapatalk

 

[Adamm]

I've been having some issues with Skynet not being able to start up properly.

Router Model; RT-AX88U
Skynet Version;  (04/01/2020) (261a3ffac493975e67c86db6970e21)
iptables v1.4.15 - (eth0 @ 192.168.50.1)
ipset v6.32, protocol version: 6
IP Address; (XXX.XXX.XXX.XXX)
FW Version; 384.14_0 (Dec 13 2019) (4.1.51)
Install Dir; /tmp/mnt/yangdrive/skynet (12.0G / 14.2G Space A)

IPTables Rules                      | [Failed]

Here is my debug output

--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
SWAP                                | [Passed]
Cron Jobs                           | [Passed]
IPSet Comment Support               | [Passed]
Log Level 6 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
Inbound Filter Rules                | [Failed]
Inbound Logging Rules               | [Failed]
Outbound Filter Rules               | [Failed]
Outbound Logging Rules              | [Failed]
Whitelist IPSet                     | [Passed]
BlockedRanges IPSet                 | [Passed]
Blacklist IPSet                     | [Passed]
Skynet IPSet                        | [Passed]
Diversion Plus Content              | [Passed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Enabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Enabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid Packets                 | [Disabled]
Ban AiProtect                       | [Enabled]
Secure Mode                         | [Enabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Default]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Disabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Enabled]

14/18 Tests Sucessful


==============================================================


[#] 0 IPs (+0) -- 0 Ranges Banned (+0) ||  Inbound --  Outbou]



[i] Press Enter To Continue...

Sent from my SM-G975U1 using Tapatalk

Did you change anything about your setup lately, plus what other scripts do you have installed?

Also what is the output of the following commands;

iptables --line -t raw -vnL

cat /jffs/scripts/firewall-start

Finally have you tried a firewall restart (followed by waiting about 60 seconds);

sh /jffs/scripts/firewall restart

 

[elorimer]

I tried to figure out how to use the email information already set up with Diversion, but could not, so took the separate email approach.

In your script, include two lines: a dot command to pull most of the info from the diversion email.conf command, and then something that extracts the password from the encrypted file.

# Email settings (mail envelope) #
. /opt/share/diversion/.conf/email.conf
PASSWORD=$(openssl aes-256-cbc -d -in /opt/share/diversion/.conf/emailpw.enc -pass pass:ditbabot,isoi)

Actually, it is convenient to have a separate email script that accepts a subject line and text file as parameters to use for any email scripting.

#!/opt/bin/sh
#Parameters passed#
mailsubject=$1
mailbody=$2
# Email settings (mail envelope) #
. /opt/share/diversion/.conf/email.conf
PASSWORD=$(openssl aes-256-cbc -d -in /opt/share/diversion/.conf/emailpw.enc -pass pass:ditbabot,isoi)
#Build email
    echo "From: \"$FRIENDLY_ROUTER_NAME\" <$FROM_ADDRESS>" >/tmp/mail.txt
    echo "To: \"$TO_NAME\" <$TO_ADDRESS>" >>/tmp/mail.txt
    echo "Subject: $mailsubject " >>/tmp/mail.txt
    echo "Date: $(date -R)" >>/tmp/mail.txt
    echo >>/tmp/mail.txt
    echo " $(cat $mailbody)" >>/tmp/mail.txt
 
#Send Email
/usr/sbin/curl --url $PROTOCOL://$SMTP:$PORT \
        --mail-from "$FROM_ADDRESS" --mail-rcpt "$TO_ADDRESS" \
                    --upload-file /tmp/mail.txt \
                    --ssl-reqd \
                    --user "$USERNAME:$PASSWORD" $SSL_FLAG
        
rm /tmp/mail.txt

 

[Milan]

GUI is good, thanks.

 

[SomeWhereOverTheRainBow]

uiskynet appears to be running great! thanks adam!

 

[dev_null]

In your script, include two lines: a dot command to pull most of the info from the diversion email.conf command, and then something that extracts the password from the encrypted file.
<snip>

Actually, it is convenient to have a separate email script that accepts a subject line and text file as parameters to use for any email scripting.
<snip>

Thanks for the reply, I did try that latter script, but when I cat'd the skynet info into the message, gmail kept flagging it as SP4M due to the number of embedded links. So the easiest workaround was to create an attachment. But I could not figure out how to add a subject line using the versions of mime or sendmail included on our routers.

I will try to tweak the script to pull from the diversion credentials so I don't have to have two sets to maintain; I'll update my original post if I sort it out.

Now folks have a couple different approaches!

EDIT: @thelonelycoder - is there any way to have the sendmail command for Diversion attach a second file (skynet report) at the time it emails the weekly report?

 

[5stringdeath]

uiskynet appears to be running great! thanks adam!

Skuinet?

 

[QuikSilver]

Can't reproduce on my end but I'll look into it, mind sending me a copy of your stats.js file located in your skynet install directory.

Check this morning and its showing properly.....

 

[elorimer]

But I could not figure out how to add a subject line using the versions of mime or sendmail included on our routers.

You might look at stats.div for how diversion does it with curl.

 

[Rhialto]

Do you happen to have multiple partitions on your USB? Another user a few days ago had similar issues when trying to use NTFS/ext* partitions on the same USB.

No what I was saying is I made the stick NTFS to make sure to overwrite it all before making it again ext2.

nvram show | grep jffs
size: 59238 bytes (6298 left)
jffs2_on=1
jffs2_enable=1
jffs2_format=0
jffs2_scripts=1
log_path=/jffs

Should I format JFFS partition at next reboot? Maybe @RMerlin can tell me what's stored there. I have manually assigned IPs I would not like to lose. Yet I only run Diversion and uiDivStats.

 

[Adamm]

No what I was saying is I made the stick NTFS to make sure to overwrite it all before making it again ext2.

nvram show | grep jffs
size: 59238 bytes (6298 left)
jffs2_on=1
jffs2_enable=1
jffs2_format=0
jffs2_scripts=1
log_path=/jffs

Should I format JFFS partition at next reboot? Maybe @RMerlin can tell me what's stored there. I have manually assigned IPs I would not like to lose. Yet I only run Diversion and uiDivStats.

Issue is to-do with your USB not JFFS. My suggestion is to nuke it and start over using something like MiniTool Partition Wizard, I'm guessing it wasn't formatted correctly.