Skynet - Router Firewall & Security Enhancements

What could be causing this when I update the list?
 
This is fixed in the latest firmware git commits and will be available in the next firmware release. A temporary fix is to run;

Code:
opkg update
opkg install split
Code:
Unknown package 'split'.
Collected errors:
 * opkg_install_cmd: Cannot install package split.

I get this after updating packages.

would it be

Code:
opkg install coreutils-split


*edit* I installed coreutils-split.
For some reason Entware doesn't properly identify the package for split when given
Code:
opkg install split

but

Code:
opkg install coreutils-split
works
Here is a picture of the update running successfully (though it takes 139s, which makes me wonder if there is a better package for split to use... Python maybe???)
 
Coreutils-split is the right one, I wrote the wrong thing in a hurry :p

It's also intentionally slower as your shared-*-Whitelist files are over 150 entries; due to dnsmasq being overloaded by nslookup requests I have to process the lists in batches.
 
I think banned country blocking can be improved with another service like:
https://www.iwik.org/ipcountry/
USES UPPERCASE COUNTRY CODES!

This service downloads the ranges directly from RIPE
For more info please read this blog:
http://blog.erben.sk/2014/02/06/country-cidr-ip-ranges/
http://blog.erben.sk/2014/01/28/generating-country-ip-ranges-lists/

Currently this URL is used for the Netherlands:
http://ipdeny.com/ipblocks/data/aggregated/nl-aggregated.zone
On 9 Nov 2019 it contains: 4467 CIDR addresses

https://www.iwik.org/ipcountry/NL.cidr

On 9 Nov 2019 it contains: 4949 CIDR addresses

UPDATE

Strange, both URLs have unique items:
http://www.molbiotools.com/listcompare.html

 
Most likely the exact same data, we use aggregated lists which are efficiently optimized rather than the full lists;

http://ipdeny.com/ipblocks/

NEW! We offer aggregated country IP zone files downloads below. It means fewer rules and higher performance for firewalls, routers and custom solutions! DB ready table formats are coming soon!

NETHERLANDS (NL) [download zone file] Size: 76.53 KB (5013 IP blocks)

[aggregated zone file] (4467 IP blocks)
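
A line-by-line comparison of a full and an aggregated zone file reports "unique items" on both sides even when they block exactly the same addresses, because aggregation merges adjacent blocks into larger ones. The following Python is an added example, not part of the original thread or of Skynet: it compares address space instead of lines, assumes IPv4 lists with one CIDR per line, and uses constructed sample lists built from documentation ranges.

```python
import ipaddress

def parse_zone(text):
    """One CIDR per line; blank lines and '#' comments are skipped."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [ipaddress.ip_network(ln) for ln in lines if ln]

def ranges(nets):
    """Sorted, non-overlapping (first, last) integer ranges covered by nets."""
    return [(int(n.network_address), int(n.broadcast_address))
            for n in ipaddress.collapse_addresses(nets)]

def only_in(a, b):
    """Address space covered by list a but not by list b, as CIDR networks."""
    gaps, rb, j = [], ranges(b), 0
    for first, last in ranges(a):
        while j < len(rb) and rb[j][1] < first:
            j += 1                          # b-ranges that end before this a-range
        k, cur = j, first
        while k < len(rb) and rb[k][0] <= last:
            if rb[k][0] > cur:              # uncovered stretch before this b-range
                gaps.append((cur, rb[k][0] - 1))
            cur = max(cur, rb[k][1] + 1)
            k += 1
        if cur <= last:
            gaps.append((cur, last))
    ip = ipaddress.IPv4Address
    return [n for s, e in gaps
            for n in ipaddress.summarize_address_range(ip(s), ip(e))]

def compare(text_a, text_b):
    """Line-level differences next to real address-space differences."""
    a, b = parse_zone(text_a), parse_zone(text_b)
    return {"lines_only_a": sorted(set(a) - set(b)),
            "lines_only_b": sorted(set(b) - set(a)),
            "space_only_a": only_in(a, b),
            "space_only_b": only_in(b, a)}

# Constructed sample lists (documentation ranges), not real country data.
FULL = ("192.0.2.0/25\n192.0.2.128/25\n198.51.100.0/26\n198.51.100.64/26\n"
        "198.51.100.128/25\n203.0.113.0/24\n")
AGGREGATED = "192.0.2.0/24\n198.51.100.0/24\n203.0.113.0/24\n"
PARTIAL = "192.0.2.0/24\n198.51.100.0/24\n203.0.113.0/25\n"

if __name__ == "__main__":
    for name, other in (("full", FULL), ("partial", PARTIAL)):
        r = compare(AGGREGATED, other)
        print(name, {k: [str(n) for n in v] for k, v in r.items()})
```

The same `only_in` check answers whether manually banned ranges are already covered by a country list: pass the manual ranges as the first list and the zone file as the second.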
 
Adamm thanks for the info!

UPDATE

I have done a comparison of the non-aggregated zone, and they are now the same!
 
In my situation I have blocked tr (Turkey) in Skynet because of high brute force and mail spam.
Still I have to manually add some ranges like below.
Do you know why these are not listed on http://ipdeny.com/ipblocks/data/aggregated/tr-aggregated.zone ?
Code:
91.194.53.0/24
45.93.247.0/24


I assume it's based on how they source their data upstream. As per their website;

All country IP block files are provided in CIDR format, at this time. Please note that we compile these lists from regional IP space providers. To correct any errors please contact your local IP space provider e.g. for Europe it's Ripe, for North America it's Arin.
 
@Adamm are Skynet's country block lists updated on a weekly basis or if you run a blocklist update? Or, are the lists downloaded when you enter the country codes, and then remain as a static IP block list from that point? I would think that the actual country IP assignments change over time, just wondering if those changes are updated within Skynet at some point?
 
It's just a once off function, from my understanding they rarely change so an auto-update feature probably isn't needed;

It depends on what regions you are interested in. IP addresses are first assigned from IANA to RIRs (there is one RIR per continent). Those RIRs can then distribute the IP ranges to LIRs (companies or organizations giving out IP ranges to "end customers").

IP ranges can be given back from the LIRs to the RIRs. But the RIRs (almost never) will give the ranges back to IANA since they split up their /8 range to several LIRs.

So you can say that the IP range will stay on one continent. And once they are assigned they rarely move from one customer to another (and with this from one country to another).
 
I will monitor it for a while and come back to it later.
Sorry I'm not a bash programmer ;)
Code:
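#!/bin/bash
# Download today's aggregated TR zone and record any change since yesterday's copy.
dir="/data/Downloads"
old=$(date -d yesterday +"%Y-%m-%d")
new=$(date +"%Y-%m-%d")

# Stop if the download fails (-f makes curl return an error on HTTP failures).
curl -sf --retry 3 -o "${dir}/zone_tr_${new}.txt" http://ipdeny.com/ipblocks/data/aggregated/tr-aggregated.zone || exit 1

# Nothing to compare against on the first run.
[ -f "${dir}/zone_tr_${old}.txt" ] || exit 0

diff=$(diff --suppress-common-lines -y "${dir}/zone_tr_${old}.txt" "${dir}/zone_tr_${new}.txt")

if [ -n "${diff}" ]
then
    echo "${diff}" > "${dir}/diff_tr_${new}.txt"
fi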
 
Hello Adamm,
I have a feature request. At the moment Skynet supports a ton of options for manual bans. Still I'm missing a feature to ban an entire ASN range. Because ASN ranges can change an Auto-Updates feature would also be very welcome. What do you think of this?

For now I use this little script to output all IPv4 addresses from a defined ASN range, and copy these manually to a netset.
Code:
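#!/bin/bash
# The ASN to look up is passed as the first argument.
ASN="$1"

# grep -E has no (?:...) non-capturing groups, so a plain group matches the prefix length.
whois -H -h riswhois.ripe.net -- -F -K -i "$ASN" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])' | while read -r s; do
    echo "$s ;$ASN"
done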
 
@Adamm what is the difference between Skynet and Suricata?
 
Suricata is an IPS/IDS system which puts it in the same category as AiProtect. Skynet is a blacklist based solution.

Plus the fact they have over 100 developers working on the project along with significant financial backing :p
 
Hi Adamm,

I am running into a weird issue when updating blacklists etc. I have attached the error and the debug output. I have tried uninstalling, reinstalling, forcing a reinstall etc.

Thanks,

J
 

Seems like your "/jffs/.sys/AiProtectionMonitor/AiProtectionMonitor.db" database exists (AiProtect logs) but is either empty or formatted differently.

I am going to assume the former and say the simple solution would be to delete the file followed by a reboot so it regenerates.
 
If I pass the router log via Syslog to a PC or something running a Syslog server, is it possible to get analysis of the firewall logs? Just for general interest.

I have installed Kiwi Syslog in Windows 10 but haven't got it working yet, although I would like something that can specifically analyse firewall and other system log information.
 
@Adamm, I see a lot of torrent trackers blocked via coinlist and ransomware lists; are these trackers infected or just serving user hosted torrents that may contain risks? What do you recommend, regarding whitelisting?
 