Skynet - Router Firewall & Security Enhancements

I have had a script add on boondoggle this morning, what fun.

Finally removed the SSD that was running everything, went back to the USB thumb drive I used before. Had to format it on my Linux box, then was able to format it with AMTM.

Now Skynet thinks it is installed, how can I get whatever the @#$%&! causes this removed?!
Code:
#########################################################################################################
#                                                                                                       #
#                  ███████╗██╗  ██╗██╗   ██╗███╗   ██╗███████╗████████╗    ██╗   ██╗███████╗            #
#                  ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗  ██║██╔════╝╚══██╔══╝    ██║   ██║╚════██║            #
#                  ███████╗█████╔╝  ╚████╔╝ ██╔██╗ ██║█████╗     ██║       ██║   ██║    ██╔╝            #
#                  ╚════██║██╔═██╗   ╚██╔╝  ██║╚██╗██║██╔══╝     ██║       ╚██╗ ██╔╝   ██╔╝             #
#                  ███████║██║  ██╗   ██║   ██║ ╚████║███████╗   ██║        ╚████╔╝    ██║              #
#                  ╚══════╝╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═══╝╚══════╝   ╚═╝         ╚═══╝     ╚═╝              #
#                                                                                                       #
#                                 Router Firewall And Security Enhancements                             #
#                             By Adamm -  https://github.com/Adamm00/IPSet_ASUS                         #
#                                            20/02/2020 - v7.1.1                                        #
#########################################################################################################
Skynet: [*] USB Not Found - Sleeping For 10 Seconds ( Attempt 1 Of 10 )
Skynet: [*] USB Not Found - Sleeping For 10 Seconds ( Attempt 2 Of 10 )

The USB was formatted three times, with a fresh install of AMTM and Diversion.
 
This happened to me once. You may have to start from new unfortunately. Unless maybe from the command line you uninstall Skynet and then reinstall from amtm... give that a go...
 
Go through your jffs and remove entries written to scripts by Skynet, then try again.
 
That was it. Thanks

Would you be so kind as to tell me the steps to do this? My Skynet hasn't worked since updating it, despite me reinstalling, etc. The UI says no connections & no data to display & logs are showing this:

"rc: received unrecognized event: SkynetStats"

Any help would be very much appreciated.
 
My 2nd most blocked port is 123, i.e. time synchronisation port. What gives?!
Seems to be a popular target for the baddies!
Because bugs hang around for a very long time on the internet. Internet-facing NTP servers of a certain vintage and default configuration could be used as weapons in a DDOS attack. They're looking for vulnerable NTP servers.
 
I've asked @Adamm in a previous post if we will be able to click port number in charts linked to something like https://www.grc.com/port_23.htm to learn more about ports in a future version.
I do not have Skynet graphs enabled after my boondoggle this morning, but this shows in Skynet Stats, and I *think* it is the text based info about targeted ports. I can click it, but I run Linux on my desktop and use a Linux x-term to ssh into my AC86U, maybe that makes a difference. Here is the link for your information.

https://www.speedguide.net/port.php?port=23
 
Would you be so kind as to tell me the steps to do this? My Skynet hasn't worked since updating it, despite me reinstalling, etc. The UI says no connections & no data to display & logs are showing this:

"rc: received unrecognized event: SkynetStats"

Any help would be very much appreciated.
You have some very different issue with log entry, I have never seen that before.

What I did after @skeal gave my bum a swift kick (definitely deserved)
I deleted the firewall and firewall-start scripts.

I do NOT recommend you do that!!!!!.

***** THAT IS NOT THE SOLUTION TO YOUR ISSUE!!!!!*****


 
"rc: received unrecognized event: SkynetStats"
This is normal because it means the UI or a Skynet cron job is triggering the generation of stats. That message is a side effect of the new add-on API interacting with the base firmware. Do you see other “service-event” messages at the same time?
 
I do not have Skynet graphs enabled after my boondoggle this morning, but this shows in Skynet Stats, and I *think* it is the text based info about targeted ports. I can click it, but I run Linux on my desktop and use a Linux x-term to ssh into my AC86U, maybe that makes a difference. Here is the link for your information.

https://www.speedguide.net/port.php?port=23
Yes available in terminal mode but not in GUI... yet.
 
Wondered whether someone could help me understand what is going on with my setup, or whether this is normal. I had Skynet set up to filter only inbound connections, but earlier this week, I decided to see how everything works with filtering inbound and outbound (all). Two things happened:
  • Inbound blocks now displays 0 on the GUI. I thought this was because maybe it reset the stats when I changed the settings, but the logs still have plenty of entries for inbound when viewing at the command line (i.e. option 13 > 1 > 3).
  • After only a few days, I have over 8K of outbound blocks. It's great that Skynet is doing its job, but does this mean I have something sketchy going on inside my network!?
 
Do you have an IP camera?
Most IP cameras try to "phone" home. (maybe to a Chinese server)
This server IP may be blocked by Skynet. (it's in a list)
 
I've asked @Adamm in a previous post if we will be able to click port number in charts linked to something like https://www.grc.com/port_23.htm to learn more about ports in a future version.

Not currently possible with how the charts are generated.

Inbound blocks now displays 0 on the GUI. I thought this was because maybe it reset the stats when I changed the settings, but the logs still have plenty of entries for inbound when viewing at the command line (i.e. option 13 > 1 > 3).

The counter is reset during a firewall restart event, reboot or other similar situations.

After only a few days, I have over 8K of outbound blocks. It's great that Skynet is doing its job, but does this mean I have something sketchy going on inside my network!?

Completely normal, welcome to modern internet background noise. Those are bots scanning your IP for vulnerabilities.
 
After only a few days, I have over 8K of outbound blocks. It's great that Skynet is doing its job, but does this mean I have something sketchy going on inside my network!?
Those are bots scanning your IP for vulnerabilities.
Good morning Adamm!
Chris_J wrote "outbound blocks" and "inside my network". I doubt he himself has bots running...
Maybe now is a good time to get some coffee?
 

Ah, I read the first line of his post too fast where he mentioned inbound only. In that case you should investigate the outbound IPs with the most hits and see both what's being blocked and which device is attempting to make the connections.

If you post the output of the following I can take a look;

Code:
sh /jffs/scripts/firewall stats
 
Do you have an IP camera?
Most IP cameras try to "phone" home. (maybe to a Chinese server)
This server IP may be blocked by Skynet. (it's in a list)
IIRC, the Amazon Echo is notorious for this as well.
 
Thanks, Adamm. Yes, this is over 8000 blocks from internet devices. I have several smart plugs (isolated on a guest IoT network), so maybe these are the culprits?

Code:
=============================================================================================================

Last 10 Unique Connections Blocked (Outbound);

--------------       | --------------                                          | --------------                        
| IP Address |       | | AlienVault |                                          | | Ban Reason |                        
--------------       | --------------                                          | --------------                        

185.126.112.98  (UA) | https://otx.alienvault.com/indicator/ip/185.126.112.98  | Country: cn cz br hk kp kr mx ro ru ua*
45.127.112.23   (US) | https://otx.alienvault.com/indicator/ip/45.127.112.23   | Country: cn cz br hk kp kr mx ro ru ua*
185.82.172.118  (RO) | https://otx.alienvault.com/indicator/ip/185.82.172.118  | Country: cn cz br hk kp kr mx ro ru ua*
185.184.223.140 (BR) | https://otx.alienvault.com/indicator/ip/185.184.223.140 | *                                    
45.127.113.23   (US) | https://otx.alienvault.com/indicator/ip/45.127.113.23   | *                                    
202.89.233.97   (CN) | https://otx.alienvault.com/indicator/ip/202.89.233.97   | *                                    
200.229.248.10  (BR) | https://otx.alienvault.com/indicator/ip/200.229.248.10  | Country: cn cz br hk kp kr mx ro ru ua*
200.189.41.10   (BR) | https://otx.alienvault.com/indicator/ip/200.189.41.10   | *                                    
200.219.159.10  (BR) | https://otx.alienvault.com/indicator/ip/200.219.159.10  | *                                    
200.219.154.10  (BR) | https://otx.alienvault.com/indicator/ip/200.219.154.10  | *                                    

=============================================================================================================

Last 10 Unique HTTP(s) Blocks (Outbound);

--------------       | --------------                                          | --------------                        
| IP Address |       | | AlienVault |                                          | | Ban Reason |                        
--------------       | --------------                                          | --------------                        

191.232.139.2   (IE) | https://otx.alienvault.com/indicator/ip/191.232.139.2   | *                                    
101.37.45.168   (CN) | https://otx.alienvault.com/indicator/ip/101.37.45.168   | *            

=============================================================================================================

Top 10 HTTP(s) Blocks (Outbound);

--------   | --------------       | --------------                                          | --------------          
| Hits |   | | IP Address |       | | AlienVault |                                          | | Ban Reason |          
--------   | --------------       | --------------                                          | --------------          

150x       | 101.37.45.168   (CN) | https://otx.alienvault.com/indicator/ip/101.37.45.168   | *                        
70x        | 191.232.139.2   (IE) | https://otx.alienvault.com/indicator/ip/191.232.139.2   | *                        

=============================================================================================================

Top 10 Blocks (Outbound);

--------   | --------------       | --------------                                          | --------------          
| Hits |   | | IP Address |       | | AlienVault |                                          | | Ban Reason |          
--------   | --------------       | --------------                                          | --------------          

503x       | 106.122.250.80  (CN) | https://otx.alienvault.com/indicator/ip/106.122.250.80  | *                        
502x       | 203.130.50.2    (CN) | https://otx.alienvault.com/indicator/ip/203.130.50.2    | *                        
502x       | 122.138.54.46   (CN) | https://otx.alienvault.com/indicator/ip/122.138.54.46   | *                        
453x       | 37.235.105.200  (CZ) | https://otx.alienvault.com/indicator/ip/37.235.105.200  | *                        
453x       | 37.235.105.100  (CZ) | https://otx.alienvault.com/indicator/ip/37.235.105.100  | *                        
198x       | 203.119.159.121 (CN) | https://otx.alienvault.com/indicator/ip/203.119.159.121 | *                        
195x       | 106.11.41.153   (CN) | https://otx.alienvault.com/indicator/ip/106.11.41.153   | *                        
192x       | 140.205.29.116  (CN) | https://otx.alienvault.com/indicator/ip/140.205.29.116  | *                        
188x       | 140.205.1.6     (CN) | https://otx.alienvault.com/indicator/ip/140.205.1.6     | *                        
187x       | 121.29.51.141   (CN) | https://otx.alienvault.com/indicator/ip/121.29.51.141   | *                        

=============================================================================================================

Top 10 IOT Blocks (Outbound);

--------   | --------------       | --------------                                          | --------------          
| Hits |   | | IP Address |       | | AlienVault |                                          | | Ban Reason |          
--------   | --------------       | --------------                                          | --------------          

19x        | 3.83.64.110     (US) | https://otx.alienvault.com/indicator/ip/3.83.64.110     | Country: cn cz br hk kp kr
4x         | 212.58.244.81   (GB) | https://otx.alienvault.com/indicator/ip/212.58.244.81   | *                        
1x         | 52.57.38.165    (DE) | https://otx.alienvault.com/indicator/ip/52.57.38.165    | *                        

=============================================================================================================

Top 10 Blocked Devices (Outbound);

--------   | ------------     | ---------------                                            
| Hits |   | | Local IP |     | | Device Name |                                            
--------   | ------------     | ---------------                                            

7104x      | 192.168.178.2    | RT-AC86U                                                  
156x       | 192.168.1.152    | AndroidProjector                                                  
70x        | 192.168.1.50     | NIX                                                        

=============================================================================================================
 
This obfuscation of real threats is a side effect of blocking by country. Oh well.
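
The advice earlier in the thread, to check which outbound destinations get the most hits and which device is making the connections, can be scripted from the router's shell. This is an added example, not part of the thread and not Skynet's own code; it assumes blocked packets are logged with a "[BLOCKED - OUTBOUND]" prefix followed by standard iptables LOG fields, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not Skynet code).
# Assumption: blocked packets are logged with a "[BLOCKED - OUTBOUND]" prefix
# followed by the usual iptables LOG fields (SRC=, DST=, PROTO=, DPT=).

# Constructed sample log lines; destinations use documentation address ranges.
sample_log() {
cat <<'EOF'
Mar  1 10:00:01 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.152 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=443
Mar  1 10:00:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.152 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=40002 DPT=443
Mar  1 10:00:09 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.152 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=40003 DPT=443
Mar  1 10:01:00 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.178.2 DST=198.51.100.7 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123
Mar  1 10:02:00 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.178.2 DST=198.51.100.7 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123
Mar  1 10:03:00 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=80
Mar  1 10:03:30 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.20 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0
Mar  1 10:04:00 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.99 DST=192.168.178.2 LEN=76 TTL=50 PROTO=UDP SPT=5000 DPT=123
EOF
}

# Usage: summarize_outbound <router_ip> < logfile
# Prints "hits origin src dst proto/dport", most-hit flows first.
# origin is "router" when the packet came from the router itself and "lan"
# when it was forwarded for a client, so the two are not lumped together.
summarize_outbound() {
    awk -v router="$1" '
    /\[BLOCKED - OUTBOUND\]/ {
        src = ""; dst = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src == "" || dst == "") next     # malformed line, skip it
        if (dpt == "") dpt = "-"             # ICMP and similar carry no port
        origin = (src == router) ? "router" : "lan"
        hits[origin " " src " " dst " " proto "/" dpt]++
    }
    END { for (k in hits) print hits[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample; 192.168.178.2 is the router
# address shown in the stats output above.
sample_log | summarize_outbound 192.168.178.2
```

On a real router, pipe the Skynet log file into summarize_outbound instead of sample_log, then look up the top "lan" rows by source address to find the device responsible.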
 
