Skynet - Router Firewall & Security Enhancements

Once again, I have uninstalled Skynet completely. Made sure that the Skynet installation directory has been deleted. Rebooted the router, and then installed Skynet via the AMTM menu. Also creating a new swap file as I chose to delete the old one when I uninstalled Skynet.

To get it finally working on my AC1900P I had to do a factory reset, then format the USB drive, add a swap file then reinstall all the scripts. To make the factory reset a little less painful you can try loading a saved configuration file from before you started with the current updated scripts. If that doesn't work then reset and start from scratch.
 
Thanks. I’m thinking that this is the way to go. I do make configuration/jffs backups on a regular basis and I am sure I have a recent one before I tried the latest version of SkyNet.

These things happen sometimes, obviously something is not quite right, and yet I can’t ‘see’ what. I have spent a lot of time today going round in circles.

I will try a reset tomorrow. Time for bed...
 
I've manually banned a few IPs since starting to use Skynet. Is there a way to export or view them, i.e. get a list of what I have added?
 
In the commands in post #2, this I think is what you want. Then redirect to a file or copy/paste.
Code:
sh /jffs/scripts/firewall stats search manualbans    # Search For All Manual Bans
 
I don't want to sound rude but -- is there some way to separate out the talk/troubleshooting for the new features which only run on .15 alpha, which most users won't be using for some time until its release? The thread is becoming a bit convoluted if I'm looking for troubleshooting on release firmware and I see a bunch of solutions that only apply to alphas -- takes a bit of time to sort out which is which.
 
Unfortunately most of the issues haven't even been due to Skynet which has convoluted the conversation, but with the new "debug info" output and all known bugs being patched this should significantly help streamline the process.
 
But never have I been so tempted to throw caution to the wind and join the smart fellows and install an alpha version.
 
For myself, I don't know about the 'smart' attribute! :)

But the thrill of holding your nose and running off the cliff is eminently enjoyable after you surface from under the water and find that you're actually swimming and breathing again. :D

Looking forward to Alpha2/Beta1 to climb that cliff again.
 
No-one else using your Internet connection then? My wife: “What the hell do you mean you are testing firmware on our router?”
 
But never have I been so tempted to throw caution to the wind and join the smart fellows and install an alpha version.

The alpha is essentially the same as the current stable version, with the addition of the new WebUI stuff. No new GPL merges etc.
 
Actually, 384.15 Alpha is on a new GPL vs. anything previously. :)

(At least for some routers). ;)
 
No-one else using your Internet connection then? My wife: “What the hell do you mean you are testing firmware on our router?”

Goes something like this.

Me: Oh-oh! It looks like I'll have to do some important maintenance on the network. I read about something new on the 'net. (See? No lies!). Lol...

Everyone else: This sucks! Well, hurry up already and do it!

Win! :D
 
I have two things in my stats that I cannot figure out which client(s) on my network are trying to contact these and get outbound blocks. I can see internal IPs blocked outbound, but not to what they are attempting to connect. Trying to connect the dots. o_O
Code:
Top 20 HTTP(s) Blocks (Outbound);
--------   | --------------       | --------------                                          | --------------                                | ----------------------                                  
| Hits |   | | IP Address |       | | AlienVault |                                          | | Ban Reason |                                | | Associated Domains |                                  
--------   | --------------       | --------------                                          | --------------                                | ----------------------                                  
14x        | 213.186.33.19   (FR) | https://otx.alienvault.com/indicator/ip/213.186.33.19   | BanMalware: dyndns_ponmocup.ipset             | teezfm.com                                              
=============================================================================================================
Top 20 Blocks (Outbound);
--------   | --------------       | --------------                                          | --------------                                | ----------------------                                  
| Hits |   | | IP Address |       | | AlienVault |                                          | | Ban Reason |                                | | Associated Domains |                                  
--------   | --------------       | --------------                                          | --------------                                | ----------------------                                  
48x        | 23.129.64.159   (US) | https://otx.alienvault.com/indicator/ip/23.129.64.159   | BanMalware: blocklist_net_ua.ipset            | pool.ntp.org

Outbound blocked IPs
Code:
Top 20 Blocked Devices (Outbound);
--------   | ------------     | ---------------                                             
| Hits |   | | Local IP |     | | Device Name |                                             
--------   | ------------     | ---------------                                             
21x        | 192.168.1.xxx    | wifi iot light
15x        | 192.168.1.xxy    | wifi iot light
14x        | 192.168.1.***    | ethernet computer
12x        | 192.168.1.xxz    | wifi iot light
 
If I can guess, which is more likely, all outbound 14x hits came from 192.168.1.*** (ethernet computer) and the rest came from the three (3) wifi iot lights, 48x (total hits of the three), since they have a common brand.
 
Most likely the IOT lights are responsible for the requested pool.ntp.org
My Ring cameras send out requests for ntp servers all over the world, very annoying.
 
I did add up the totals and made the same guesses, which raises more questions than answers. The lights are all TP-Link, made in China, identical models, purchased as a set, just would expect them to make the same number of inquiries for ntp time, probably my flawed human logic. :oops: Plus I have the AC86U set to intercept all ntp requests, my understanding this stops even hard wired device requests. My Sony TV no longer succeeds in ntp requests, I no longer see those with the ntp server intercept introduced by RMerlin a few releases back.

If the other one baffles me some, I know it is part of a French ASN. Google search shows -
Code:
Teez.fm  https://teezfm.com
TEEZ' is your French indie/pop/electro web radio station. 
It's the place for the best new music around the world. 
Listen to TEEZ' on desktop and mobile!
Not my kind of music. :confused:
 
When you hit the NTP pool, as I understand it, it picks one in your area randomly based on IP location detection. Likely they are sometimes picking ones which are also co-hosting malware etc. That would explain why the numbers are different due to the randomness of the pool selection.

Just a guess.
 
Ok, the servers I use are time.cloudflare.com and time.nist.com no pool.ntp.org anything. So are you saying the ntp intercept feature is not working or that my two chosen time servers are not working? That particular pool.ntp.org IP being hit 48x does not seem too random to me.

Not sure that those use multicast to pool.ntp.org. I've read extensively on the NTP system linked off the Admin - System page where time servers options are set.

 
I have two things in my stats that I cannot figure out which client(s) on my network are trying to contact these and get outbound blocks. I can see internal IPs blocked outbound, but not to what they are attempting to connect. Trying to connect the dots. o_O
I take it that grep OUTBOUND of skynet.log does not answer this either because you are not logging or that it happened too long ago.

I forward all of my syslogd traffic to a Cygwin syslogd on my Windows computer where I keep months of history.
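
The correlation asked about in this exchange (which LAN client was blocked while reaching which remote address), sketched as an added example that is not part of the thread or of Skynet's own code. It assumes the log holds iptables LOG lines with SRC=, DST=, PROTO= and DPT= fields and an OUTBOUND marker in the prefix; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample lines are constructed, in iptables LOG format; the
# "[BLOCKED - OUTBOUND]" prefix is an assumption about what skynet.log holds.
sample_log() {
cat <<'EOF'
Jan 12 08:01:10 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123
Jan 12 08:01:42 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123
Jan 12 08:02:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.21 DST=203.0.113.7 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123
Jan 12 08:03:17 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.50 DST=192.0.2.1 LEN=40 TTL=240 PROTO=TCP SPT=40000 DPT=23
Jan 12 08:04:00 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.30 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=443
Jan 12 08:04:03 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.30 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=443
Jan 12 08:04:09 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.30 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=443
EOF
}

# Read log lines on stdin and print "hits local_ip remote_ip proto/dport"
# for every outbound block, most frequent pair first.
outbound_pairs() {
    awk '/OUTBOUND/ {
        src = dst = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        # Skip lines that lack either address (truncated or non-packet lines).
        if (src != "" && dst != "") hits[src " " dst " " proto "/" dpt]++
    }
    END { for (k in hits) print hits[k], k }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Same report, limited to one blocked remote address taken from the stats table.
who_hit() {
    outbound_pairs | awk -v ip="$1" '$3 == ip'
}

# Stand-alone run on the constructed sample; on the router, feed the real log:
#   outbound_pairs < /path/to/skynet.log
sample_log | outbound_pairs
```

A destination port of 123/UDP in the output separates real NTP lookups from other traffic to the same address, which the domain column of the stats table cannot show.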
 
