Skynet - Router Firewall & Security Enhancements

It's much safer and recommended to keep SSH access as LAN only and use OpenVPN to access your home network remotely.
@Adamm, I apologize in advance for the really noob question...how/where can I find instructions how to use OpenVPN to access my home network remotely? I currently have an RT-AC86U. Thanks!
 
Create your free Asus DDNS account on the WAN, DDNS tab.

Go to the VPN, VPN Server tab and turn on/enable Server 1 on the OpenVPN tab.

Select the 2048 radio button for the RSA Encryption level.

Select the LAN only, Internet-only or Both radio button for the Client will use VPN to access option.

Click the VPN Details drop down box to select Advanced Settings.

Click Apply at the bottom of the page to accept all the defaults.

Add a user with the password that you want to be able to access this router with.

Select Apply at the bottom of this page too.

Export the OpenVPN configuration and import it into the device you will use to access your network from.
 
I wrote up something the other day

https://www.snbforums.com/threads/portforward.55507/#post-471117

It’s not been tried yet, but between that and L&LD’s guide, you should be fine. If there’s any difference between mine and L&LD’s guide, please go with his advice. And let us both know if anything needs changing, clarifying or expanding, so others can benefit.
 
I've pushed v6.8.0

Add banmalware list name to ban reason
Display ban reason in stats table


[Image: 2Yhvc0i.png]


Note; CIDR ban reasons won't show up for now.
 
Wow so much info! It’s just getting better. Can I make text wrap in my terminal window somehow? There’s so much text it chops off. I was never able to see associated domains without making terminal window fill the screen with reduced text size.
 
Unfortunately, with how the tables work, the current implementation is the best available. Skynet actually disables wrap completely to avoid it looking like this instead:

[Image: E4bqyNf.png]
 
I pushed v6.8.1

Code:
Show CIDR ban reasons

[Image: JXsM9w8.png]


I caved and couldn't handle CIDR reasons not showing... much better now :p
 
Haha I had been silently wishing for this but I didn’t want to be too demanding! I ban a lot of countries. Now I can see which outblock blocks were related to that and which were related to genuine banmalware.

What does the asterisk * reason mean??
 
Why are some of them "*"?

[Image: Screenshot_1.jpg]
 
The * is supposed to be after CIDR matches to indicate it may appear on multiple lists. As these are invalid packets they don't appear on any blacklist (generally speaking).
 
OK so reasons differ between the firewall stats search and general firewall stats 20 because the packets were ALSO invalid? Note I have a country ban on Russia so IP is in Skynet-BlockedRanges. What do I look for in the logs below to see if a blocked packet was invalid?

Reason given here is just asterisk * (due to the packet being invalid?)
Code:
[$] /jffs/scripts/firewall stats 20
188.162.132.5 | https://otx.alienvault.com/indicator/ip/188.162.132.5   | *     |

Reason given here is the IP was in blocked range (due to my country ban of Russia). No indication of block due to packet being invalid.
Code:
[i] 1299 Block Events Detected
[i] 159 Unique IPs
[i] 0 Manual Bans Issued

188.162.132.5 is NOT in set Skynet-Whitelist.
188.162.132.5 is NOT in set Skynet-Blacklist.
188.162.132.5 is in set Skynet-BlockedRanges.

BlockedRanges Reason;
-*-
[i] IP Location - Russia (PJSC MegaFon / AS31163)

[i] 188.162.132.5 First Tracked On Mar 14 16:59:39
[i] 188.162.132.5 Last Tracked On Mar 14 17:57:49
[i] 60 Blocks Total

Event Log Entries From 188.162.132.5;

First Block Tracked From 188.162.132.5;
Mar 14 16:59:39 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=64550 PROTO=ICMP TYPE=8 CODE=0 ID=41 SEQ=0

10 Most Recent Blocks From 188.162.132.5;
Mar 14 17:27:38 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=31233 PROTO=ICMP TYPE=8 CODE=0 ID=45 SEQ=4
Mar 14 17:27:39 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=19649 PROTO=ICMP TYPE=8 CODE=0 ID=45 SEQ=5
Mar 14 17:29:41 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=10104 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=0
Mar 14 17:29:42 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=13737 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
Mar 14 17:29:43 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=16092 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=2
Mar 14 17:29:44 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=56846 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=3
Mar 14 17:29:45 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=1219 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=4
Mar 14 17:29:46 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=39552 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=5
Mar 14 17:31:04 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=28691 PROTO=ICMP TYPE=8 CODE=0 ID=174 SEQ=0
Mar 14 17:31:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=38886 PROTO=ICMP TYPE=8 CODE=0 ID=174 SEQ=1
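
To see which LAN device is generating the outbound blocks in a log like the one above, the entries can be grouped by direction, source, destination and protocol. This is an added example, not part of the original post or of Skynet; the sample lines and the function name `summarize_blocks` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the same format as the log entries quoted above.
# The second host and its TCP entry are made up for illustration.
SAMPLE_LOG='Mar 14 17:29:41 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=10104 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=0
Mar 14 17:29:42 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=13737 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
Mar 14 17:29:43 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.5 DST=188.162.132.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=16092 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=2
Mar 14 17:30:10 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=REDACTED SRC=192.168.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 PROTO=TCP SPT=50000 DPT=443
Mar 14 17:30:11 kernel: some unrelated kernel message'

# Read syslog lines on stdin and print "count direction src -> dst proto",
# busiest flow first. Lines without a [BLOCKED - ...] tag are ignored.
summarize_blocks() {
    awk '
    /\[BLOCKED - / {
        # Direction is the word between "[BLOCKED - " and "]".
        dir = $0
        sub(/.*\[BLOCKED - /, "", dir); sub(/\].*/, "", dir)
        src = dst = proto = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src = substr($i, 5)
            if ($i ~ /^DST=/)   dst = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        count[dir " " src " -> " dst " " proto]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_blocks
```

A single internal source repeatedly hitting one banned destination, as with the ICMP echo requests here, points at a specific LAN device to investigate rather than at inbound scanning.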
 
The entry in question is part of a bigger CIDR range that Skynet isn't able to calculate accurately (we get close, but in bash it's quite hard without excessive coding). You will find the ban reason lies with the parent CIDR range 188.162.xxx.0/xx
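
The parent-range lookup described above comes down to masking the address and comparing it with each range's network address. The following is an added example, not Skynet's code; the range list, the reasons and the function names are constructed for illustration, and octets are assumed to have no leading zeros.

```shell
#!/bin/sh
# Constructed sample data: "CIDR|ban reason" pairs. These are illustrative
# placeholders, not the contents of any real Skynet ipset.
SAMPLE_RANGES='188.162.0.0/16|Country ban
188.162.132.0/22|Country ban (narrower range)
203.0.113.0/24|Malware list entry
10.0.0.0/8|Manual ban'

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 falls inside CIDR range $2 (e.g. 188.162.0.0/16).
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    # /0 matches everything; otherwise build the netmask from the prefix length.
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print the reason of the most specific (longest-prefix) range containing $1,
# or "no matching range" when none of the listed ranges contains it.
parent_reason() {
    best_bits=-1; best_reason='no matching range'
    while IFS='|' read -r cidr reason; do
        [ -n "$cidr" ] || continue
        if in_cidr "$1" "$cidr" && [ "${cidr#*/}" -gt "$best_bits" ]; then
            best_bits=${cidr#*/}; best_reason=$reason
        fi
    done <<EOF
$SAMPLE_RANGES
EOF
    echo "$best_reason"
}

parent_reason 188.162.132.5
```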
 
Thanks, Adam. My country ban list has around 30 countries and so when it displays in Ban Reason, the list spills over into the Associated Domains section. Would just stating the reason as Country Ban and not adding the complete list of banned countries be better?
 
:cool: haha I thought the same thing. 34 countries banned here yet surprisingly it hasn't broken my net, nor gaming. If you want a laugh ban these countries and load up Watchdogs 2 on PS4 and see how many outbound blocks you get to all the shadiest countries. Guessing their online play operates p2p and it's hitting the IP addresses of other players as opposed to only the IP of a central server.
Code:
af br cd cu ee eg et il iq ir kp kw ky kz lb md ng pk ps qa ru sa sb sd so ss sy tr ua ug vn ye zw cn
 
I'll look into limiting the displayed # of characters in the next update
 
As promised, v6.8.2

Code:
Only show first 45 chars of ban reason
 
How do you enter that number of country codes into the script? PuTTY limits my character input when I'm at the 'Input Country Abbreviations To Ban' command. I can only type up to "SA".
 
Can't you start another ban with 'sb' on?
 
