Skynet - Router Firewall & Security Enhancements

On the "blocking countries" subject. I dropped the four I had after reading this statement by RMerlin.
https://www.snbforums.com/threads/r...urity-enhancements.16798/page-273#post-535861
There is generally no point in blocking countries on a home connection when all these connection attempts are already dropped by your firewall's default policy (which is DROP). Such blocklists only make sense if you are actually hosting an Internet-facing server (like a website) and wanted to limit access to it.
 
On the "blocking countries" subject. I dropped the four I had after reading this statement by RMerlin.
https://www.snbforums.com/threads/r...urity-enhancements.16798/page-273#post-535861
I've always debated with myself (and never won) whether it is necessary for me to have Skynet block incoming traffic since I have no open ports on the WAN side, not even a VPN server. But as soon as I would open something up, I would want Skynet blocking known bad IPs from accessing that potentially vulnerable port.
 
I've always debated with myself (and never won) whether it is necessary for me to have Skynet block incoming traffic since I have no open ports on the WAN side, not even a VPN server. But as soon as I would open something up, I would want Skynet blocking known bad IPs from accessing that potentially vulnerable port.

If I ever decide to use the VPN server on the router, that is also something I would consider a good point.
 
If I ever decide to use the VPN server on the router, that is also something I would consider a good point.
I do have an OVPN connection (I should have added that as context) but I also consider country-level blocking a "belt and suspenders" approach: in the event a new vulnerability is identified, those countries on my blacklist won't have a chance to execute it against me (providing it is not a vulnerability in IP tables, I suppose).

And I like to see the reports from Skynet on where such attempts are coming from. The routers for which I'm responsible (self, parents, nephews) email them to me a couple times a week (recognizing that only those I actually block show up and that there are many, many more that are rejected by the firewall).
 
I just updated to 384.15 and re-installed skynet with logging on.
I now see a lot of these entries in syslog:
Feb 12 17:09:39 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=198.20.103.244 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=29993 PROTO=TCP SPT=35414 DPT=110 SEQ=3009704574 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Usually, these entries got removed automatically when Skynet was started.
How can I remove these entries from syslog? I don't want to lose logging in the new GUI AsusWRT Merlin FW.
 
I just updated to 384.15 and re-installed skynet with logging on.
I now see a lot of these entries in syslog:
Feb 12 17:09:39 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=198.20.103.244 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=29993 PROTO=TCP SPT=35414 DPT=110 SEQ=3009704574 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Usually, these entries got removed automatically when Skynet was started.
How can I remove these entries? I don't want to lose logging in the new GUI AsusWRT Merlin FW.
Skynet moves these entries at the top of the hour.

I forward the router's syslog to a cygwin syslog-ng daemon on Windows.

I have months of router syslog entries except, of course, when the router has not booted up enough to forward.
 
I need to look into this as it would be useful to keep the logs for extended periods of time.
 
Thanks, but I don't want to see all the "BLOCKED" entries in syslog.
I do want to see the statistics in the new GUI.

I guess when I deactivate logging in skynet I will lose the beautiful statistics?
 
Thanks, but I don't want to see all the "BLOCKED" entries in syslog.
I do want to see the statistics in the new GUI.

I guess when I deactivate logging in skynet I will lose the beautiful statistics?
So you are not willing to wait until the top of the hour for Skynet to move the BLOCKED entries out of syslog?
 
Thanks, but I don't want to see all the "BLOCKED" entries in syslog.
I do want to see the statistics in the new GUI.

I guess when I deactivate logging in skynet I will lose the beautiful statistics?

Correct, you can't have one without the other.
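
The trade-off in the posts above (the BLOCKED entries clutter syslog, but the statistics are built from them) can be handled by moving those lines into their own file and summarising from there. The following is an added example, not part of the thread and not Skynet's own code; the function names, file names and sample log lines are constructed for illustration.

```shell
# Added illustration, not Skynet's code. Paths and sample lines are constructed.

# Constructed syslog sample in the format quoted in the thread
# (addresses are from the RFC 5737 documentation ranges).
sample_syslog() {
cat <<'EOF'
Feb 12 17:09:39 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=29993 PROTO=TCP SPT=35414 DPT=110 SEQ=3009704574 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 12 17:09:41 dnsmasq-dhcp[312]: DHCPACK(br0) 192.168.1.20 02:00:00:00:00:01 laptop
Feb 12 17:10:02 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=29994 PROTO=TCP SPT=35415 DPT=23 SEQ=3009704575 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 12 17:11:15 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=192.0.2.55 DST=203.0.113.1 LEN=440 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=420
EOF
}

# Move every "[BLOCKED - " line out of a syslog file into a separate log.
# Lines the logger writes between the grep passes and the rewrite would be
# lost, so run this on a copy or while logging is quiet.
split_blocked() {
    syslog=$1; blocklog=$2; tmp="$syslog.tmp.$$"
    grep -F '[BLOCKED - ' "$syslog" >> "$blocklog" || true   # grep exits 1 on no match
    grep -vF '[BLOCKED - ' "$syslog" > "$tmp" || true
    cat "$tmp" > "$syslog" && rm -f "$tmp"                   # rewrite in place, same inode
}

# Count blocked packets per value of one KEY=value field (SRC, DPT, PROTO, ...),
# most frequent first.
count_by() {
    awk -v key="$1=" '/\[BLOCKED - / {
        for (i = 1; i <= NF; i++)
            if (index($i, key) == 1) n[substr($i, length(key) + 1)]++
    } END { for (v in n) print n[v], v }' "$2" | sort -k1,1nr -k2,2
}

# Demo on the constructed sample, in a scratch directory.
dir=$(mktemp -d)
sample_syslog > "$dir/syslog.log"
split_blocked "$dir/syslog.log" "$dir/blocked.log"
echo "remaining syslog lines: $(wc -l < "$dir/syslog.log")"
echo "top sources:"; count_by SRC "$dir/blocked.log"
echo "top ports:";   count_by DPT "$dir/blocked.log"
```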
 
3. Would a USB 3.0 drive have any performance benefit?
I don't think so... and USB3.0 on some routers can cause interference, some have an option to turn off high speed to avoid this.

On mine I have both USB2 and USB3 ports, I use USB2.
 
Best recommendation I have seen from those who write scripts we use is to make swap same size as router memory capacity. That covers all scenarios, install, processing, multiple scripts running at once, etc.


My AC86U has 512 MB, that is the size swap file I run. After ~ five days uptime:
Code:
usr_name@RT-AC86U-4608:/tmp/home/root# free

             total       used       free     shared    buffers     cached
Mem:        440420     410228      30192        400      30928      64604
-/+ buffers/cache:     314696     125724
Swap:       524284      16956     507328

I'm at 3 days 6 hours up and this is what I see

Code:
ASUSWRT-Merlin RT-AX88U 384.15_0 Sat Feb  8 18:41:37 UTC 2020
usr_name@RT-AX88U-0B10:/tmp/home/root# free
             total       used       free     shared    buffers     cached
Mem:        903572     550516     353056       2112      33820     122656
-/+ buffers/cache:     394040     509532
Swap:       524284          0     524284
 
I'm at 3 days 6 hours up and this is what I see

Code:
ASUSWRT-Merlin RT-AX88U 384.15_0 Sat Feb  8 18:41:37 UTC 2020
usr_name@RT-AX88U-0B10:/tmp/home/root# free
             total       used       free     shared    buffers     cached
Mem:        903572     550516     353056       2112      33820     122656
-/+ buffers/cache:     394040     509532
Swap:       524284          0     524284
Code:
/tmp/home/root# free
             total       used       free     shared    buffers     cached
Mem:        515184     459536      55648          0       1820      20608
-/+ buffers/cache:     437108      78076
Swap:      2097148      35832    2061316
This is what I see.... :eek::eek::eek::eek::eek::eek::eek::eek::eek::eek::eek:
 
I'm at 3 days 6 hours up and this is what I see

Code:
ASUSWRT-Merlin RT-AX88U 384.15_0 Sat Feb  8 18:41:37 UTC 2020
usr_name@RT-AX88U-0B10:/tmp/home/root# free
             total       used       free     shared    buffers     cached
Mem:        903572     550516     353056       2112      33820     122656
-/+ buffers/cache:     394040     509532
Swap:       524284          0     524284

I have an Asus RT-86U with spare USB3 M2 SSD so I just put 2GB of SWAP, SWAP size shouldn't really be a problem, you can put 512KB or 2GB swap which Linux won't care,
the old Linux rule was to make the SWAP size from 100% to 200% of your RAM depending on how little or much RAM you had, it shouldn't influence SWAP usage.

I'm using Diversion, Skynet and have DNS over TLS enabled to block adult content, my free space is always around 140,000 bytes (~71% of 512KB RAM in use)
I disabled AiProtection completely because it was making my RAM go up to 81% or more but still zero swap has been used so far (2 days up time),
I have also disabled the Ban AiProtect option on the Skynet config but I'm not really sure what this option does (asked on a previous post)
 
I have an Asus RT-86U with spare USB3 M2 SSD so I just put 2GB of SWAP, SWAP size shouldn't really be a problem, you can put 512KB or 2GB swap which Linux won't care,
the old Linux rule was to make the SWAP size from 100% to 200% of your RAM depending on how little or much RAM you had, it shouldn't influence SWAP usage.

I'm using Diversion, Skynet and have DNS over TLS enabled to block adult content, my free space is always around 140,000 bytes (~71% of 512KB RAM in use)
I disabled AiProtection completely because it was making my RAM go up to 81% or more but still zero swap has been used so far (2 days up time),
I have also disabled the Ban AiProtect option on the Skynet config but I'm not really sure what this option does (asked on a previous post)

The Ban AIProtect option is Skynet’s “artificial intelligence” at work: it learns from anything that AIProtection picks up that it didn’t already know about and adds it to its list of addresses to be blocked.
 
The Ban AIProtect option is Skynet’s “artificial intelligence” at work: it learns from anything that AIProtection picks up that it didn’t already know about and adds it to its list of addresses to be blocked.
Deriving a few questions from your answer:
  • how important is it to have AiProtection enabled if you are using Skynet?
  • how much weight does AiProtection have on Skynet?
  • if I have completely disabled AiProtection, is there any point in enabling the "Ban AIProtect" option on Skynet?
  • and finally, how sufficient is Skynet without AiProtection and Diversion hosts plus, also adding the fact that I'm using DNS over TLS with security and optionally adult filters?
My intention is to completely replace AiProtection with Skynet and Diversion hosts plus and DNS over TLS security filter; am I missing much by doing this?
 
Deriving a few questions from your answer:
  • how important is it to have AiProtection enabled if you are using Skynet?
  • how much weight does AiProtection have on Skynet?
  • if I have completely disabled AiProtection, is there any point in enabling the "Ban AIProtect" option on Skynet?
  • and finally, how sufficient is Skynet without AiProtection and Diversion hosts plus, also adding the fact that I'm using DNS over TLS with either security filter and optionally adult filter?
My intention is to completely replace AiProtection with Skynet with Diversion hosts plus and filtered DNS over TLS; am I missing much by doing this?
You are missing the joint database/blocking provided to Skynet from AiProtection and vice versa; other than that I would say no.
 
