Skynet - Router Firewall & Security Enhancements

Here you go:

Everything looks fine, although I am a little confused. You said;

Every time I have to reset the firewall, I seem to lose it and have to re-enter everything manually.

This implies after every restart you are losing your whitelist. The issue is that the whitelist and blacklist are stored in the same file, so I'm unsure as to how you are losing just the whitelist. How are you confirming that you are losing data from here?
 
Not exactly. Periodically, I need to dump all of blacklists (unban) as it is getting nearly impossible to keep up with non-desired blocks. Once that is done, I re-run banmalware and country list, but have no way to restore my "known good" whitelist...
 
The only command which affects your whitelist is;

Code:
sh /jffs/scripts/firewall whitelist remove

Which resets it to its "default state". None of the other unban commands affect the whitelist, the only other way to reset it would be deleting ipset.txt etc.

To just clear your blacklists use;

Code:
sh /jffs/scripts/firewall unban all

or

sh /jffs/scripts/firewall unban nomanual

The first will unban everything, the second will unban everything but manual bans.
 
Looking further into this, ASUS actually just updated their SSH BFD last month in 380_7627 (this is part of the current Merlin alpha). This new setup only allows 4 attempts every 60 seconds, I've modified this instead and now it will add any offenders directly to the Blacklist.

This feature will only work if you are running Skynet v4.9.10, SSH is set to LAN+WAN, BFD is enabled and you are running Merlin 380.67 (currently in alpha so you will need to update).

Sorry, bit late with a reply (for me at least) due to circumstances, but thanks again for your efforts. BFD will stop them from trying. Skynet will stop them from coming back :cool: I'll wait for 380.67 to get out of alpha for the RT-AC68U (so glad I left Netgear, switched to Asuswrt). I'm currently too busy with hospital visits and other related health stuff to try to figure out alpha related issues currently, so I'll (try to) be patient and let @RMerlin do its magic ;) Nevertheless, thanks for looking into it :) I'm confident it'll work awesome.
 
I lost 1458 IP banned ranges this night... is this normal?
Code:
Jun 18 21:00:04 Skynet: [Complete] 131248 IPs / 5174 Ranges Banned. 1 New IPs / 0 New Ranges Banned. 130 Inbound / 120 Outbound Connections Blocked! [4s]
Jun 18 22:00:04 Skynet: [Complete] 131249 IPs / 5174 Ranges Banned. 1 New IPs / 0 New Ranges Banned. 154 Inbound / 120 Outbound Connections Blocked! [4s]
Jun 18 23:00:05 Skynet: [Complete] 131249 IPs / 5174 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 174 Inbound / 120 Outbound Connections Blocked! [5s]
Jun 19 00:00:05 Skynet: [Complete] 131250 IPs / 5174 Ranges Banned. 1 New IPs / 0 New Ranges Banned. 202 Inbound / 120 Outbound Connections Blocked! [5s]
Jun 19 01:00:05 Skynet: [Complete] 131250 IPs / 5174 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 236 Inbound / 120 Outbound Connections Blocked! [5s]
Jun 19 01:25:03 Skynet: [INFO] Lock File Detected (pid=24228) - Exiting
Jun 19 01:25:37 Skynet: [Complete] 130583 IPs / 3716 Ranges Banned. -667 New IPs / -1458 New Ranges Banned. 245 Inbound / 120 Outbound Connections Blocked! [37s]
Jun 19 02:00:05 Skynet: [Complete] 130583 IPs / 3716 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 260 Inbound / 120 Outbound Connections Blocked! [5s]
Jun 19 03:00:05 Skynet: [Complete] 130583 IPs / 3716 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 294 Inbound / 120 Outbound Connections Blocked! [5s]
Jun 19 04:00:05 Skynet: [Complete] 130583 IPs / 3716 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 333 Inbound / 123 Outbound Connections Blocked! [5s]
Jun 19 05:00:05 Skynet: [Complete] 130583 IPs / 3716 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 365 Inbound / 123 Outbound Connections Blocked! [5s]
Jun 19 06:00:05 Skynet: [Complete] 130583 IPs / 3716 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 404 Inbound / 123 Outbound Connections Blocked! [5s]
Jun 19 07:00:05 Skynet: [Complete] 130583 IPs / 3716 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 433 Inbound / 123 Outbound Connections Blocked! [5s]
Jun 19 08:00:05 Skynet: [Complete] 130590 IPs / 3716 Ranges Banned. 7 New IPs / 0 New Ranges Banned. 483 Inbound / 123 Outbound Connections Blocked! [5s]
 
Yes, this was due to banmalware running on its weekly cron and the lists being refreshed. The numbers fluctuate from day to day.
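A way to spot this kind of refresh in syslog, as an added example that is not part of the original posts or of Skynet itself: it reads the hourly `[Complete]` summaries and reports any run where the banned totals fell by more than a chosen limit. The function names, the `lock_seen` label and the limit of 100 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of Skynet: flag summary lines whose totals dropped.

# Constructed sample: four of the syslog lines quoted in the post above.
sample_log() {
cat <<'EOF'
Jun 19 01:00:05 Skynet: [Complete] 131250 IPs / 5174 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 236 Inbound / 120 Outbound Connections Blocked! [5s]
Jun 19 01:25:03 Skynet: [INFO] Lock File Detected (pid=24228) - Exiting
Jun 19 01:25:37 Skynet: [Complete] 130583 IPs / 3716 Ranges Banned. -667 New IPs / -1458 New Ranges Banned. 245 Inbound / 120 Outbound Connections Blocked! [37s]
Jun 19 02:00:05 Skynet: [Complete] 130583 IPs / 3716 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 260 Inbound / 120 Outbound Connections Blocked! [5s]
EOF
}

# ban_drops LIMIT: read syslog on stdin; print one line for every [Complete]
# summary whose IP or range total fell by more than LIMIT since the previous
# summary. lock_seen=1 means a "Lock File Detected" line was logged in
# between, i.e. a run exited because a lock file was present.
ban_drops() {
    awk -v limit="$1" '
    /Skynet: \[INFO\] Lock File Detected/ { lock = 1; next }
    /Skynet: \[Complete\]/ {
        # Find the totals relative to the [Complete] tag, so an extra
        # hostname or priority column in the syslog prefix does not matter.
        for (i = 1; i <= NF; i++) if ($i == "[Complete]") break
        if (i > NF) next
        ips = $(i + 1) + 0
        ranges = $(i + 4) + 0
        if (seen && (prev_ips - ips > limit || prev_ranges - ranges > limit))
            printf "%s %s %s ips=%d ranges=%d lock_seen=%d\n", $1, $2, $3, ips - prev_ips, ranges - prev_ranges, lock
        prev_ips = ips; prev_ranges = ranges; seen = 1; lock = 0
    }'
}

sample_log | ban_drops 100
```

On a router the same function can be fed the real syslog file instead of the constructed sample.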
 
Don't know what I am doing wrong.. :(

Code:
Jun 20 14:00:03 Skynet: [Complete] 130531 IPs / 3716 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 411 Inbound / 28 Outbound Connections Blocked! [3s]
Code:
Last 10 Unique Connections Blocked (Outbound);
Code:
Top 10 Blocks (Outbound);
 
Do you have any hits in the http section? They are considered outbound but I excluded them from those stats as they have their own section.
 
Yeah, I have a lot of HTTP blocks, so the outbound blocks could possibly be included there. Dividing them by in and outbound would be too much to display, am I right?
 
My thought was there's no need to display the same information twice. It's also a lot more common to get a http outbound block over a regular one. So that being said outbound blocks are divided into;

HTTP;
Everything else;
 
Yeah, I got your point. Perhaps I just have to get a little bit more familiar with those two block types, as I now know where the counts are counted :D
 
@Adamm, when trying to ban an entire domain, by entering:

Code:
sh /jffs/scripts/firewall ban roblox.com

The script gives an error:

Command Not Recognised, Please Try Again

I tried www.roblox.com as well, same result.

When running

Code:
sh /jffs/scripts/firewall ban

the script asks to enter an IP

For Automated IP Banning Use; ( sh /jffs/scripts/firewall ban IP )
For Automated IP Range Banning Use; ( sh /jffs/scripts/firewall ban range IP )
For Automated Domain Banning Use; ( sh /jffs/scripts/firewall ban domain URL )
For Automated Country Banning Use; ( sh /jffs/scripts/firewall ban country zone )
Input IP To Ban:

I was under the impression that it would resolve the IP-address itself, hence the help text says

Code:
##############################
###       Commands         ###
##############################
#         "unban"            # <-- Remove Entry From Blacklist (IP/Range/Domain/Port/Country/Malware/Nomanual/All)
#         "ban"              # <-- Adds Entry To Blacklist (IP/Range/Domain/Port/Country)

Did I misunderstand the instructions in the help text and the examples in the first post, or ... ?
 
Yes, if you look at the example section the command is "ban domain xxx.com". The regular ban command only accepts IP input.
 
Ah, thanks a bunch. And so quick to reply again, awesome. Wasn't aware that the options between the brackets actually have to be literally before the domain. Must have read too quickly through the examples, sorry for that. Probably another reason to go to bed instead of altering the firewall settings at 01:15 AM, because my beloved kiddo once again has the guts to challenge the networking skills of his dad (with help of @Adamm) :D

Can't wait to see his face in seven hours or so...

Code:
Skynet: [INFO] Adding roblox.com To Blacklist...
Banning 192.168.1.2
Saving Changes
Skynet: [Complete] 130340 IPs / 3716 Ranges Banned. 1 New IPs / 0 New Ranges Banned. 321 Inbound / 3270 Outbound Connections Blocked! [5s]
 
What is an outbound block and what would be example of them? Is it something on my intranet that is trying to get out and is being blocked?

Example from "stats"
Top 10 Blocks (Outbound);

Skynet: [Complete] 126560 IPs / 3351 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 306 Inbound / 706 Outbound Connections Blocked! [9s]
admin@RT-AC68U-C818:/jffs/scripts#


It says 706 outbound connections blocked. I'm trying to understand what they are.
 
A connection sourcing from your computer, this usually is a http request or a local application of sorts. You can use the stats command to further investigate what exactly is being blocked and why.
 
@Adamm Just wondering if it would be possible to add to the "start" command another entry for DNS.

Reason I ask is I have found myself having to add manually to the Whitelist the DNS servers returned by my ISP. I have "Advanced Settings/WAN/Connect to DNS server automatically" set to "Yes" and AFAIK "start" is whitelisting based on the DNS entries being set manually. The current "nvram get wan_dns1_x" and "nvram get wan_dns2_x" are blank in my case so nothing gets Whitelisted.

Code:
nvram get wan0_dns

shows both current DNS IP's

xxx.xxx.xxx.xxx    xxx.xxx.xxx.xxx

This would Whitelist the correct DNS servers in my case.

Thanks.
 
Can you please do the following to see if there's any other common values;

Code:
nvram show | grep DNSIP
 
I do not get any output from that command...

Code:
admin@RT-AC3100:/tmp/home/root# nvram show | grep DNSIP
size: 64157 bytes (66915 left)
admin@RT-AC3100:/tmp/home/root#
 
Sorry, by DNSIP I was implying each of the DNS IP's from the previous value.
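The DNS request discussed in the posts above, sketched as an added example that is not Skynet's code and not from any poster: it gathers the servers from the manual nvram values and from `wan0_dns`, keeps only well-formed IPv4 addresses and removes repeats, so blank or odd values never reach a whitelist. The function names and the sample addresses are assumptions; only the three nvram variable names come from the thread.

```shell
#!/bin/sh
# Added example, not Skynet's code: list the DNS servers worth whitelisting.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# dns_servers MANUAL1 MANUAL2 AUTO_LIST: print each valid, unique IPv4
# address once. AUTO_LIST is the whitespace-separated value of wan0_dns,
# which is filled in when the ISP supplies the servers automatically.
dns_servers() {
    set -f                      # no filename expansion on nvram content
    set -- $1 $2 $3
    set +f
    seen=" "
    for ip in "$@"; do
        is_ipv4 "$ip" || continue
        case "$seen" in *" $ip "*) continue ;; esac
        seen="$seen$ip "
        echo "$ip"
    done
}

if command -v nvram >/dev/null 2>&1; then
    # On the router: the three variables named in the thread.
    dns_servers "$(nvram get wan_dns1_x)" "$(nvram get wan_dns2_x)" "$(nvram get wan0_dns)"
else
    # Constructed values: manual entries blank, two ISP-supplied servers.
    dns_servers "" "" "203.0.113.53    203.0.113.54"
fi
```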
 
