
Skynet - Router Firewall & Security Enhancements


I don't see these with my AX88U .14 beta2. Skynet is blocking your router's "outbound" connection to IP 37.120.147.2. What is the result of "firewall stats search ip 37.120.147.2 20" ?
Code:
[i] Logging Data Detected in /tmp/mnt/SNB/skynet/skynet.log - 288.0K
[i] Monitoring From Nov 22 05:32:50 To Nov 24 20:03:17
[i] 1285 Block Events Detected
[i] 139 Unique IPs
[i] 5 Manual Bans Issued
37.120.147.2 is NOT in set Skynet-Whitelist.
37.120.147.2 is NOT in set Skynet-Blacklist.
37.120.147.2 is in set Skynet-BlockedRanges.
BlockedRanges Reason;
*--
[i] IP Location - United States (M247 Ltd / AS9009)
[i] 37.120.147.2 First Tracked On Nov 24 18:52:32
[i] 37.120.147.2 Last Tracked On Nov 24 19:12:33
[i] 855 Blocks Total
Event Log Entries From 37.120.147.2;
First Block Tracked From 37.120.147.2;
Nov 24 18:52:32 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=632 
20 Most Recent Blocks From 37.120.147.2;
Nov 24 19:10:09 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=4152 
Nov 24 19:10:24 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:10:25 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:10:54 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:11:15 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:11:28 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:11:28 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:11:31 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:11:33 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:11:36 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:11:38 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:11:41 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:11:46 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:11:57 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:11:58 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:11:59 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:12:00 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:12:23 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:12:28 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Nov 24 19:12:33 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=xx.xx.xx.xx DST=37.120.147.2 LEN=2168 
Top 20 Targeted Ports From 37.120.147.2 (Inbound);
--------   | --------   | --------------                                             
| Hits |   | | Port |   | | SpeedGuide |                                             
--------   | --------   | --------------                                             
Top 20 Sourced Ports From 37.120.147.2 (Inbound);
--------   | --------   | --------------                                             
| Hits |   | | Port |   | | SpeedGuide |                                             
--------   | --------   | --------------
 
It is Las Vegas
https://whois.domaintools.com/37.120.147.2
I have an Anonymous DNS set as a backup resolver for dnscrypt-proxy.

If I re-enable Skynet, it brings my entire router and network to its knees. I counted over 300 Outbound blocks in 5 seconds. I think that is trying to resolve an address via DNS? Erk. o_O
I thought 443/udp looked odd. Don’t know much about dnscrypt though. Certainly would explain bringing down your network if dns isn’t working.

you can whitelist if you know what it really is:
37.120.147.2 is in set Skynet-BlockedRanges.
 
That IP is in the blocked range. Question is, why is your router initiating a connection to that IP? Like what @dave14305 said, you can whitelist if you trust it. Try to restart skynet then update Banmalware.

/tmp/home/root# nslookup 37.120.147.2
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name: 37.120.147.2
Address 1: 37.120.147.2 qon2.potteryjewel.us
 
I removed the Anonymous DNS relay in Las Vegas to solve it.
Code:
anon-cs-usnv
Anonymized DNS relay hosted in US - Las Vegas, NV provided by https://cryptostorm.is/

sdns://gRAzNy4xMjAuMTQ3LjI6NDQz
https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/relays.md
More info.
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS

Rather than whitelist it, I need to get into the dnscrypt-proxy thread or the GitHub and learn why an anonymous DNS relay is acting up. :oops:
 

I no longer see the entry present on any lists, but the reason for blacklisting I assume is due to it being on the same CIDR range as Cryptostorm's VPN services which someone was probably using to port scan etc.

Also I am unable to whitelist these entries by default due to how they are listed (sdns entries)
 
Thank you Adamm. My banmalware ran at 0425 and the blacklist was there, ran again manually about 0725 and it was removed. Changed the anonymous dns proxy back to the Las Vegas, NV, restarted dnscrypt-proxy and all is well.

It is dramatic when a DNS server of any kind, direct or relay, is blocked in Skynet, hundreds of outbound requests per second. :eek:
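One way to catch the failure mode this post describes, as an added example that is not part of the thread or of Skynet itself: count repeated [BLOCKED - OUTBOUND] hits per destination in the kernel log lines that "firewall stats" prints, and flag any destination the router keeps being blocked from reaching. The sample log lines are constructed with documentation addresses, and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not Skynet's own code: report destinations the router itself is
# repeatedly blocked from reaching, the pattern seen when an upstream resolver
# or relay lands in a block list. Input is the kernel
# "[BLOCKED - OUTBOUND] ... DST=a.b.c.d" log format shown in this thread.
#
# Usage: outbound_bursts MIN_PEAK WINDOW_SECONDS < skynet.log
# For each destination it reports the total block count and the largest number
# of blocks inside any WINDOW_SECONDS span, printing those at or above MIN_PEAK.
# Assumes the syslog timestamp (no year) is fields 1-3; a midnight rollover is
# simply treated as one long window rather than being modelled precisely.
outbound_bursts() {
    awk -v min="$1" -v win="$2" '
        /\[BLOCKED - OUTBOUND\]/ {
            split($3, hms, ":"); t = hms[1] * 3600 + hms[2] * 60 + hms[3]
            dst = ""
            for (i = 4; i <= NF; i++) if ($i ~ /^DST=/) dst = substr($i, 5)
            if (dst == "") next
            n[dst]++; ts[dst, n[dst]] = t
            if (!(dst in lo)) lo[dst] = 1
            # slide the window start past entries older than win seconds
            while (ts[dst, lo[dst]] <= t - win) lo[dst]++
            c = n[dst] - lo[dst] + 1
            if (c > peak[dst]) peak[dst] = c
        }
        END {
            for (d in n)
                if (peak[d] >= min)
                    printf "%s total=%d peak=%d/%ds\n", d, n[d], peak[d], win
        }' | sort
}

# Constructed sample log (documentation addresses): one destination hit three
# times in four seconds, one hit once, and an inbound scan that must be ignored.
demo_log() {
    cat <<'EOF'
Nov 24 19:11:28 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=2168
Nov 24 19:11:28 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=2168
Nov 24 19:11:29 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.8 LEN=632
Nov 24 19:11:30 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP DPT=55678
Nov 24 19:11:31 RT-AC86U-4608 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=2168
EOF
}

demo_log | outbound_bursts 3 5
```

On a router, run it against the real file with the window and threshold that match the burst you observed, e.g. `outbound_bursts 100 5 < /tmp/mnt/SNB/skynet/skynet.log`.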
 
Can copy/paste SDNS address (stamps) and get ip/port here
anon-cs-usnv relay server with sdns://gRAzNy4xMjAuMTQ3LjI6NDQz =37.120.147.2:443 if that helps with whitelisting DNS servers/relays
 
Well, something changed again and the outbound blocks came back using the anon-cs-usnv. My primary dns relay works fine and is closer to me, but I wanted a backup, thus the one in NV.

I'm not going to chase this down, I'll use a dns relay that is farther away as a backup.
 
Yes, something else is going on, the IP is not even in the banmalware blacklist.

Logging Data Detected in /tmp/mnt/bluestar/skynet/skynet.log - 5.3M
Monitoring From Nov 20 19:00:00 To Nov 25 18:42:17
19854 Block Events Detected
3756 Unique IPs
0 Manual Bans Issued

37.120.147.2 is NOT in set Skynet-Whitelist.
37.120.147.2 is NOT in set Skynet-Blacklist.
37.120.147.2 is NOT in set Skynet-BlockedRanges.


IP Location - United States (M247 Ltd / AS9009)
 
Yeah, you can say that for certain! With this issue on anonymous dns resolver, I unearthed some code even RMerlin had never seen and did some real sleuth work to find it.
https://www.snbforums.com/threads/b...ta-is-now-available.60037/page-15#post-528196
https://www.snbforums.com/threads/b...ta-is-now-available.60037/page-16#post-528233
I have given up on a secondary anonymous dns relay.
 
Seems like your "/jffs/.sys/AiProtectionMonitor/AiProtectionMonitor.db" database exists (AiProtect logs) but is either empty or formatted differently.

I am going to assume the former and say the simple solution would be to delete the file followed by a reboot so it regenerates.


Hi Adamm,

I don’t remember if I replied but I wanted to say thank you and that your solution worked.

I Appreciate the help.

JM
 
Can copy/paste SDNS address (stamps) and get ip/port here
anon-cs-usnv relay server with sdns://gRAzNy4xMjAuMTQ3LjI6NDQz =37.120.147.2:443 if that helps with whitelisting DNS servers/relays

Unless there is a native bash way to convert these stamps unfortunately I won't be able to support them.
 
Code:
THIS=$(echo -e "gRAzNy4xMjAuMTQ3LjI6NDQz" | base64 -d);echo $THIS
 
Nice find, I didn't realize the stamps were just base64 encoded strings, I assumed it was some proprietary format. I guess support can be added then :p
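A fuller version of the decoding the posts above arrive at, as an added example that is neither Skynet's code nor from anyone in this thread: it undoes the URL-safe alphabet and missing padding of sdns:// stamps, then reads the length-prefixed address field for both relay (0x81) and DNSCrypt (0x01) stamps instead of printing the raw bytes, so the ip:port comes out clean for a whitelist entry. It uses only POSIX sh, base64, od and printf; the relay stamp is the one from this thread.

```shell
#!/bin/sh
# Added example, not Skynet's own code: decode an "sdns://" DNS stamp to the
# host:port it carries. Stamp layout (DNS Stamps spec):
#   byte 0     protocol id: 0x81 = anonymized DNS relay, 0x01 = DNSCrypt server
#   0x01 only  8 bytes of property flags follow the protocol id
#   next       one length byte, then that many bytes of "addr[:port]"
# Stamps use the URL-safe base64 alphabet with the "=" padding stripped.

# Undo the URL-safe alphabet and restore padding, then decode to raw bytes.
stamp_bytes() {
    b64=$(printf '%s' "${1#sdns://}" | tr '_-' '/+')
    case $(( ${#b64} % 4 )) in
        2) b64="$b64==" ;;
        3) b64="$b64=" ;;
    esac
    printf '%s' "$b64" | base64 -d 2>/dev/null
}

# Usage: sdns_to_addr sdns://...   -> prints e.g. 37.120.147.2:443
# Returns 1 for stamps that are malformed, truncated or of another type.
sdns_to_addr() {
    # The positional parameters become the decoded bytes as decimal numbers.
    set -- $(stamp_bytes "$1" | od -An -v -tu1)
    [ $# -ge 2 ] || return 1
    case $1 in
        129) shift 1 ;;                               # 0x81: length byte is next
        1)   [ $# -ge 10 ] || return 1; shift 9 ;;    # 0x01: skip 8 property bytes
        *)   return 1 ;;
    esac
    len=$1; shift
    [ "$len" -gt 0 ] && [ $# -ge "$len" ] || return 1
    addr=""; i=0
    while [ "$i" -lt "$len" ]; do
        # turn each decimal byte back into its character via an octal escape
        addr="$addr$(printf "\\$(printf '%03o' "$1")")"
        shift; i=$((i + 1))
    done
    printf '%s\n' "$addr"
}

sdns_to_addr "sdns://gRAzNy4xMjAuMTQ3LjI6NDQz"   # the anon-cs-usnv relay stamp
```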
 
Getting this entry in log pretty much every few seconds. Can someone explain what is going on?
Nov 30 08:56:24 kernel: [BLOCKED - INBOUND] IN=vlan10 OUT= MAC=18:31:bf:4a:20:e0:80:d4:a5:11:28:c1:08:00:45:00:00:28 SRC=81.22.45.250 DST=My WAN IP LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=58224 PROTO=TCP SPT=52879 DPT=55678 SEQ=239808284 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
 
Russian hackers are scanning your IP for open ports. Skynet is blocking them. No worries.

Run this command for any IP you wonder about in your logs:
Code:
firewall stats search ip 81.22.45.250
 
It’s still going on after so many hours. Will it ever stop? Now it’s coming from different IPs.
 

Sounds like Skynet is doing its job correctly :p
 
Hi, @Adamm.

This script is awesome!

BTW, I have multiple IoT devices for which I blocked all internet traffic. But this raises some issues regarding the hardcoded NTP server that they have and are not able to reach with this binary setup. Would you be able to add the feature to forward all NTP traffic to a specific LAN IP address, please?

As well for DNS traffic, as many devices use the Google 8.8.8.8 DNS server in a hardcoded way, please?

Thanks!
 
Hi, @Adamm.

This script is awesome!

Thanks ;)


BTW, I have multiple IoT devices for which I blocked all internet traffic. But this raises some issues regarding the hardcoded NTP server that they have and are not able to reach with this binary setup. Would you be able to add the feature to forward all NTP traffic to a specific LAN IP address, please?

If you are referring to the IOT blocking feature, we allow port "123" (NTP) by default if no port list is specified in the config.

In reference to forwarding all NTP traffic to a specific LAN address, this functionality is already included in Merlin's firmware by forcing all NTP traffic to the local NTP server.


As well for DNS traffic, as many devices use the Google 8.8.8.8 DNS server in a hardcoded way, please?

This is also already included in the firmware via the "DNSFilter" feature.
 
