Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

This does not work.
The menu starts to load, "waiting for ntp sync" and then exits.

Sounds like you need to resolve your NTP issues then as Skynet will fail to function without an accurate clock (and have you wait 5 minutes on what appears to be a blank screen while constantly rechecking).

 

[Ubimo]

I can't resolve ntp due to no internet connection. My ISP has a connection problem.
It has to be possible to stop or uninstall skynet on a router without an internet connection!?

 

[Adamm]

skynet@RT-AX88U-DC28:/tmp/home/root# echo "AgMAAAAAAAAADzE0OS4xNTQuMTUzLjE1MyA-GhoPbFPz6XpJLVcIS1uYBwWe4FerFQWHb9g_2j24OBhhZGZyZWUudXNhYmxlcHJpdmFjeS5uZXQKL2Rucy1xdWVyeQ" | openssl enc -a -d
skynet@RT-AX88U-DC28:/tmp/home/root#

This is not standard Base64, but URL safe Base64, encoding is simple:
replace + with -
replace / with _
and delete trailing =
Decoding is more difficult, because the = need to be reconstructed.
Below I will post my PHP solution, witch could be rewritten for Shell script:

//  +------------------------------------------------------------------------+
//  | base64url encode                                                       |
//  +------------------------------------------------------------------------+
function base64url_encode($string) {
    // http://www.ietf.org/rfc/rfc4648.txt
    return rtrim(strtr(base64_encode($string), '+/', '-_'), '=');
}


//  +------------------------------------------------------------------------+
//  | base64url decode                                                       |
//  +------------------------------------------------------------------------+
function base64url_decode($string) {
    // Thanks gutzmer at usa dot net
    // http://php.net/manual/en/function.base64-encode.php#103849
    return base64_decode(str_pad(strtr($string, '-_', '+/'), strlen($string) % 4, '=', STR_PAD_RIGHT));
}

I guess my workaround was unnecessarily lazy at the time

https://github.com/Adamm00/IPSet_ASUS/commit/cd872ad4c22490c7fe271d6d22f6bdfed0cc381d

I can't resolve ntp due to no internet connection. My ISP has a connection problem.
It has to be possible to stop or uninstall skynet on a router without an internet connection!?

If there is no internet connection, Skynet will time out and not complete its startup procedure after 5 minutes. With that being said, I've added a ntp sync exception for the uninstall and disable commands;

https://github.com/Adamm00/IPSet_ASUS/commit/0166a908d49f7b7c7b180bc92cd4d9d33d883766

 

[Ubimo]

Ok, thanks for that, but how can I disable or uninstall Skynet in my situation now?
I don't have an internet connection.
Edit:
Disabling JFFS custom scripts and configs did not work?
Will format JFFS disable or uninstall Skynet?

 

[Adamm]

Ok, thanks for that, but how can I disable or uninstall Skynet in my situation now?
I don't have an internet connection.

Reboot and it will time out after 5 mins during startup

 

[Ubimo]

Did that, but in syslog I still see lots of kernel DROP IN=eth0 .....
I thought this is still Skynet blocking something?

 

[Adamm]

Did that, but in syslog I still see lots of kernel DROP IN=eth0 .....
I thought this is still Skynet blocking something?

No, that is the default SPI firewall dropped logging messages that Skynet would normally hijack and manage.

 

[Chuckles67]

I have a question about Skynet IOT blocking versus [AiProtection > Parental Control > Time Scheduling > deny internet access] for specific devices. Is Skynet's IOT blocking somehow different from using AiProtection to deny internet access? Perhaps Skynet enables logging so you can investigate what the IOT devices are doing on the internet? Good idea to disable AiProtection, when using Skynet IOT blocking - or use both at the same time?

Background: I have blocked several IOT devices using AiProtection's Time Scheduling. I have not added these devices to the IOT blocking feature of Skynet. I did try a search on this thread, but "IOT" is so common the search wasn't useful.

 

[martinr]

I have a question about Skynet IOT blocking versus [AiProtection > Parental Control > Time Scheduling > deny internet access] for specific devices. Is Skynet's IOT blocking somehow different from using AiProtection to deny internet access? Perhaps Skynet enables logging so you can investigate what the IOT devices are doing on the internet? Good idea to disable AiProtection, when using Skynet IOT blocking - or use both at the same time?

Background: I have blocked several IOT devices using AiProtection's Time Scheduling. I have not added these devices to the IOT blocking feature of Skynet. I did try a search on this thread, but "IOT" is so common the search wasn't useful.

While you’re waiting for a more detailed addressing of your questions, if you haven’t already seen it, here’s Adamm’s intro to the IOT feature.

https://www.snbforums.com/threads/r...urity-enhancements.16798/page-198#post-461835

 

[Chuckles67]

While you’re waiting for a more detailed addressing of your questions, if you haven’t already seen it, here’s Adamm’s intro to the IOT feature.

https://www.snbforums.com/threads/r...urity-enhancements.16798/page-198#post-461835

Thanks - that's really helpful.

Not so relevant to my question - but looks like the command to list unblocked/blocked devices may have changed from the guidance on the intro web page: from this

/jffs/scripts/firewall settings iot list

to

/jffs/scripts/firewall settings iot view

 

[randomName]

Just occurred to me while browsing through my router settings, and in the firewall settings 'Respond ICMP Echo (ping) Request from WAN' is an option, and I've had it set to 'No' In my QoS settings I'm running 'Traditional QoS' and under the drop-down 'user-defined priorities' ICMP is one of the options to help a game run smooth. And I do have it checked. So are these conflicting, with the way I have it set up?

Thanks

 

[Skillz]

Hi, I've recently started using Skynet and would like to know if Skynet for whatever reason doesn't load/upgrade properly (or even crashes), will the default firewall settings of the router always be active?
And another question, if an external IP is pounding my firewall and it's not in any of the known ip lists, will it then automatically be blocked (because of brute force protection?)

thank you for reading

 

[wbartels]

I guess my workaround was unnecessarily lazy at the time

https://github.com/Adamm00/IPSet_ASUS/commit/cd872ad4c22490c7fe271d6d22f6bdfed0cc381d

Your code is missing the trailing padding.
Here is a way to reconstruct the padding (converted from the previous posted PHP code):

hash='12345'
echo -n "$hash"; echo '====' | cut -c-$(($(echo -n "$hash" | wc -m) % 4))

 

[Adamm]

Your code is missing the trailing padding.
Here is a way to reconstruct the padding (converted from the previous posted PHP code):

hash='12345'
echo -n "$hash"; echo '====' | cut -c-$(($(echo -n "$hash" | wc -m) % 4))

I'm not sure padding is required in our use case, nor does the provided example work with the stamps below;

https://tools.ietf.org/html/rfc4648

https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md

 

[Adamm]

Not so relevant to my question - but looks like the command to list unblocked/blocked devices may have changed from the guidance on the intro web page: from this

/jffs/scripts/firewall settings iot list

to

/jffs/scripts/firewall settings iot view

Correct, the command changed at some point and was updated accordingly in the readme which is more up-to-date then that post.

Hi, I've recently started using Skynet and would like to know if Skynet for whatever reason doesn't load/upgrade properly (or even crashes), will the default firewall settings of the router always be active?

We enhance existing functionality, so even when Skynet is disabled you are still covered by the basic stock functionality.

And another question, if an external IP is pounding my firewall and it's not in any of the known ip lists, will it then automatically be blocked (because of brute force protection?)

Assuming you disable the securemode setting and expose SSH access (which is a terrible idea), yes that is correct.

 

[wbartels]

I'm not sure padding is required in our use case, nor does the provided example work with the stamps below;

https://tools.ietf.org/html/rfc4648

https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md

openssl does not use the standard base64 encoding and decoding without the -A option:
https://stackoverflow.com/a/35296674/7484547

With the examples below, you see that without the padding the last character is missing.
In your case padding is not strict required.

Without padding

#!/bin/sh
base64=$(echo 'sdns://AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20' | sed "s~'~~g;s~sdns://~~g;s~-~+~g;s~_~/~g")
echo "Base64: $base64"
echo "Decode: $(echo $base64 | openssl enc -base64 -d)"

Output:

Base64: AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR/JS3PLCu/iZEIbq95zkSV2LFsigxDIuUso/OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20
Decode: 176.103.130.130:5443 ?+G?R??»???????I]?Ƞ?2.R??s"2.dnscrypt.default.ns1.adguard.c

With trailing padding:

#!/bin/sh
base64=$(echo 'sdns://AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20' | sed "s~'~~g;s~sdns://~~g;s~-~+~g;s~_~/~g")
base64="$base64$(echo '====' | cut -c-$(($(echo -n "$base64" | wc -m) % 4)))"
echo "Base64: $base64"
echo "Decode: $(echo $base64 | openssl enc -base64 -d -A)"

Output:

Base64: AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR/JS3PLCu/iZEIbq95zkSV2LFsigxDIuUso/OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20===
Decode: 176.103.130.130:5443 ?+G?R??»???????I]?Ƞ?2.R??s"2.dnscrypt.default.ns1.adguard.com

 

[Skillz]

@Adamm thank you for answering my questions.

Assuming you disable the securemode setting and expose SSH access (which is a terrible idea), yes that is correct

hmm I am actually using ssh tunneling, different port and only with 2048bit RSA key (with passphrase) access, should be quite save right? Password ssh access is ofc turned off in router options.

But I guess that means I don't have brute force protection because I needed to turn off secure mode. Why can't brute force protection be active with ssh access enabled?

 

[Adamm]

hmm I am actually using ssh tunneling, different port and only with 2048bit RSA key (with passphrase) access, should be quite save right? Password ssh access is ofc turned off in router options.

Safer then a password? Sure, but you are still exposing the service to the world, so in the event of a 0 day dropbear exploit you would be vulnerable. That's why using OpenVPN to access your lan is the recommended method.

But I guess that means I don't have brute force protection because I needed to turn off secure mode. Why can't brute force protection be active with ssh access enabled?

BFD is always enabled so long as its set in the WebUI.

 

[Adamm]

openssl does not use the standard base64 encoding and decoding without the -A option:
https://stackoverflow.com/a/35296674/7484547

With the examples below, you see that without the padding the last character is missing.
In your case padding is not strict required.

Without padding

#!/bin/sh
base64=$(echo 'sdns://AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20' | sed "s~'~~g;s~sdns://~~g;s~-~+~g;s~_~/~g")
echo "Base64: $base64"
echo "Decode: $(echo $base64 | openssl enc -base64 -d)"

Output:

Base64: AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR/JS3PLCu/iZEIbq95zkSV2LFsigxDIuUso/OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20
Decode: 176.103.130.130:5443 ?+G?R??»???????I]?Ƞ?2.R??s"2.dnscrypt.default.ns1.adguard.c

With trailing padding:

#!/bin/sh
base64=$(echo 'sdns://AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20' | sed "s~'~~g;s~sdns://~~g;s~-~+~g;s~_~/~g")
base64="$base64$(echo '====' | cut -c-$(($(echo -n "$base64" | wc -m) % 4)))"
echo "Base64: $base64"
echo "Decode: $(echo $base64 | openssl enc -base64 -d -A)"

Output:

Base64: AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR/JS3PLCu/iZEIbq95zkSV2LFsigxDIuUso/OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20===
Decode: 176.103.130.130:5443 ?+G?R??»???????I]?Ƞ?2.R??s"2.dnscrypt.default.ns1.adguard.com

Ah I misread how you use a newline after the initial echo and that's why my result was different. While the outcome is still the same due to our filtering afterwards, I've gone ahead and pushed the "more correct" method into v7.1.8

 

[CriticJay]

Hi Adamm,

I doubt this has anything to do with 7.1.8 but when viewing stats on the console (not webui) I got the following message:

230x | 87.251.74.41 ({
"errorCode": "OVER_QUERY_LIMIT",
"error": "maximum number of queries per day exceeded"
}) | https://otx.alienvault.com/indicator/ip/87.251.74.41 | BanMalware: alie