Skynet - Router Firewall & Security Enhancements

Hello
Can you explain this to me

122.228.19.79 is in set Skynet-Whitelist.
122.228.19.79 is in set Skynet-Blacklist.
122.228.19.79 is in set Skynet-BlockedRanges.
Whitelist Reason;
122.228.19.79 "Private IP"
Blacklist Reason;
"BanMalware: normshield_high_attack.ipset"
BlockedRanges Reason;
122.228.19.0/24 "BanMalware: firehol_level3.netset"

?

I do not understand why that IP is in the Whitelist. I am a bit surprised to see an IP whitelisted and blacklisted at the same time.

I will ban it manually because it tried to connect to my @home VPN server.

Thanks
 
There is no valid explanation for it to be in the Whitelist. Get it out of there immediately.

How likely is it that your router has been compromised and the attacker knows how to hack something as specific as Skynet? Thinking not likely.
 
It somehow picked it up as a private IP in the Unban_PrivateIP function. You should review your block logs to understand how that happened, or post them if you want.

https://github.com/Adamm00/IPSet_ASUS/blob/master/firewall.sh#L779
 
My private IP regex must be slightly inaccurate, I’ll have to check it when I get home.
 
public. Connected to an ISP box in its DMZ.

Can you please post the output of;

Code:
sh /jffs/scripts/firewall stats search ip 122.228.19.79

Not quite sure how it ended up on the Private IP list, as it doesn't match the regex, so I will need to see the log entries.
 
Logging Data Detected in /tmp/mnt/cleusb/skynet/skynet.log - 412.0K
Monitoring From Mar 5 05:00:08 To Mar 5 12:08:09
1400 Block Events Detected
516 Unique IPs
0 Manual Bans Issued
122.228.19.79 is NOT in set Skynet-Whitelist.
122.228.19.79 is in set Skynet-Blacklist.
122.228.19.79 is in set Skynet-BlockedRanges.
Blacklist Reason;
"BanMalware: normshield_high_attack.ipset"
BlockedRanges Reason;
122.228.19.0/24 "BanMalware: firehol_level3.netset"
IP Location - China (WENZHOU, ZHEJIANG Province, P.R.China. / AS134771)
122.228.19.79 First Tracked On Mar 5 05:19:41
122.228.19.79 Last Tracked On Mar 5 11:54:27
7 Blocks Total
Event Log Entries From 122.228.19.79;
First Block Tracked From 122.228.19.79;
Mar 5 05:19:41 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=13466 PROTO=TCP SPT=42816
10 Most Recent Blocks From 122.228.19.79;
Mar 5 05:19:41 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=13466 PROTO=TCP SPT=42816
Mar 5 05:40:50 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=4563 PROTO=TCP SPT=56476
Mar 5 06:42:43 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=114 ID=14977 PROTO=UDP SPT=7266
Mar 5 08:38:02 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=89 TOS=0x00 PREC=0x00 TTL=114 ID=10329 PROTO=UDP SPT=61332
Mar 5 09:17:01 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=13652 PROTO=TCP SPT=55631
Mar 5 10:54:44 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=25696 PROTO=TCP SPT=50282
Mar 5 11:54:27 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:03:ed:e8:00:24:d4:a4:32:51:08:00 SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=17013 PROTO=TCP SPT=13930
Top 10 Targeted Ports From 122.228.19.79 (Inbound);
Hits | Port  | SpeedGuide
-----|-------|----------------------------------------------
1x   | 7779  | https://www.speedguide.net/port.php?port=7779
1x   | 7474  | https://www.speedguide.net/port.php?port=7474
1x   | 5432  | https://www.speedguide.net/port.php?port=5432
1x   | 502   | https://www.speedguide.net/port.php?port=502
1x   | 4500  | https://www.speedguide.net/port.php?port=4500
1x   | 2638  | https://www.speedguide.net/port.php?port=2638
1x   | 1911  | https://www.speedguide.net/port.php?port=1911
Top 10 Sourced Ports From 122.228.19.79 (Inbound);
Hits | Port  | SpeedGuide
-----|-------|----------------------------------------------
1x   | 7266  | https://www.speedguide.net/port.php?port=7266
1x   | 61332 | https://www.speedguide.net/port.php?port=61332
1x   | 56476 | https://www.speedguide.net/port.php?port=56476
1x   | 55631 | https://www.speedguide.net/port.php?port=55631
1x   | 50282 | https://www.speedguide.net/port.php?port=50282
1x   | 42816 | https://www.speedguide.net/port.php?port=42816
1x   | 13930 | https://www.speedguide.net/port.php?port=13930
=============================================================================================================
[#] 154517 IPs (+0) -- 1907 Ranges Banned (+0) || 1401 Inbound -- 0 Outbound Connections Blocked! [stats] [3s]
 
Unfortunately it looks like your logs were purged 7 hours prior to your most recent post so we won't be able to identify the exact entry which caused the automatic whitelisting. In any case I double checked the function to make sure it works correctly and everything seems copacetic on my end, so if it happens again let me know and we can work from there.
 
I've got Skynet running for a couple of weeks now. Currently I have it configured to only block incoming traffic from China.
In trying to troubleshoot (a hopefully unrelated) issue this morning, I took a look at my syslog.log.
My log file was just under 1100 lines long but only went back less than 10 minutes prior to the time I looked at it.
I haven't researched yet what is normal for Merlin in terms of length/size of syslog, but clearly I had hoped to see more than 10 minutes of logs.
99.9% of the entries are "kernel: [BLOCKED - INBOUND]" entries, many from the same IPs. For instance I have within 2 minutes of each other, 34 entries like:

Code:
SRC=221.215.211.119 DST=68.13.250.141 LEN=129 TOS=0x00 PREC=0x00 TTL=115 ID=30482 PROTO=UDP SPT=11553 DPT=54321 LEN=109

Only thing that differs is the ID field between them.

Is there some better way to handle these log entries? I assume they are required for reporting (?), which I do want, but they seem to be taking up my entire syslog forcing out other data which may be useful.

thanks
 
Just found another attempt

Logging Data Detected in /tmp/mnt/cleusb/skynet/skynet.log - 592.0K
Monitoring From Mar 5 05:00:08 To Mar 5 15:37:41
2018 Block Events Detected
673 Unique IPs
0 Manual Bans Issued
223.71.167.164 is in set Skynet-Whitelist.
223.71.167.164 is in set Skynet-Blacklist.
223.71.167.164 is in set Skynet-BlockedRanges.
Whitelist Reason;
223.71.167.164 "PrivateIP"
Blacklist Reason;
"BanMalware: bds_atif.ipset"
BlockedRanges Reason;
223.71.167.0/24 "BanMalware: firehol_level3.netset"


!!!

EDIT: I checked my whitelist. I have two with the comment PrivateIP:
223.71.167.164 comment "PrivateIP"
196.62.84.56 comment "PrivateIP"
 
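Both findings in this thread (a public address tagged "Private IP" in the whitelist, and later two more tagged "PrivateIP") come down to one question: does a given address or range really fall inside the private ranges? The thread does not establish how those entries were created, and the maintainer says the address does not match the regex. The following is an added example, not Skynet's code, showing a field-level private-IP check next to a loose whole-line regex match (a generic pitfall, assumed here for illustration only) and an audit that lists whitelist entries whose comment claims "PrivateIP" but whose address is public. The log line and whitelist entries are constructed from the values quoted in the thread; the loose regex, the entry format and the range list are this example's own assumptions.

```python
"""Audit whitelist entries tagged "PrivateIP" against the actual private ranges.

Added example, not Skynet's code. Sample log line and whitelist entries are
constructed from values quoted in the thread.
"""
import ipaddress
import re

# Ranges an automatic "private IP" whitelist should be limited to
# (RFC 1918 plus loopback, link-local and CGNAT; our choice, not Skynet's list).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

# Hypothetical loose regex: fine on a bare address, wrong when run over a whole
# log line, because any private DST= makes the line match. Not Skynet's regex.
LOOSE_PRIVATE_RE = re.compile(r"(?:10|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.")

# Whitelist entry format assumed here: "<ip-or-cidr> comment \"<text>\"".
ENTRY_RE = re.compile(r'^(\S+)\s+comment\s+"([^"]*)"')

# Constructed sample: the first blocked line from the thread (DPT was cut off there).
SAMPLE_LOG = ("Mar 5 05:19:41 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= "
              "SRC=122.228.19.79 DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 "
              "ID=13466 PROTO=TCP SPT=42816")

# Constructed sample whitelist: the two entries the poster found, plus two hypothetical ones.
SAMPLE_WHITELIST = [
    '223.71.167.164 comment "PrivateIP"',
    '196.62.84.56 comment "PrivateIP"',
    '192.168.0.0/16 comment "PrivateIP"',
    '203.0.113.5 comment "Manual"',
]


def is_private(target: str) -> bool:
    """True when an address or CIDR lies entirely inside one of PRIVATE_NETS."""
    net = ipaddress.ip_network(target, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def src_of(logline: str) -> str:
    """Pull the SRC= address out of a netfilter log line."""
    m = SRC_RE.search(logline)
    if not m:
        raise ValueError("no SRC= field in log line")
    return m.group(1)


def loose_private_src(logline: str) -> bool:
    """The pitfall: matching the whole line lets DST=192.168.0.1 vouch for any SRC."""
    return LOOSE_PRIVATE_RE.search(logline) is not None


def strict_private_src(logline: str) -> bool:
    """Correct: extract SRC first, then classify that one address."""
    return is_private(src_of(logline))


def audit_whitelist(entries):
    """Return targets whose comment claims "PrivateIP" but which are not private."""
    wrong = []
    for line in entries:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        target, comment = m.groups()
        if comment.replace(" ", "").lower() == "privateip" and not is_private(target):
            wrong.append(target)
    return wrong


if __name__ == "__main__":
    print("loose match:", loose_private_src(SAMPLE_LOG))      # True, wrongly
    print("strict match:", strict_private_src(SAMPLE_LOG))    # False, correctly
    print("mislabelled whitelist entries:", audit_whitelist(SAMPLE_WHITELIST))
```

Run the audit against the output of `ipset list Skynet-Whitelist` (one entry per line) and any target it prints should be removed from the whitelist and looked at in the block log; an entry labelled private that is not inside RFC 1918 space is never correct, whatever the cause.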
Look into installing scribe and uiScribe, both of which are available within amtm.
 
Every time a Skynet command is run (or at the start of every hour) the syslog is purged to its own log file. These logs are then kept until the file reaches 10MB. You can use the various stat commands to navigate these logs or manually view the skynet.log in Skynet's install directory.

It will most likely be the same situation as your log file is freshly purged. Update to the latest Skynet version (I just pushed a hotfix) then let me know the next time there is a new one.
 
Can you clarify what you mean by the "syslog is purged to its own log file"? Do you mean the contents of syslog.log get purged into skynet.log or some other location? Is the reason for this obtuse behavior because skynet requires logs of a smaller size in order to run statistics?
Is there a way to run Skynet but not have it alter the standard behavior of syslog? I'm curious if the contents of syslog are being copied to another file, which presumably is then being parsed by Skynet (?). What is the purpose of purging the syslog instead of allowing it to operate under normal behavior? I suppose it is easier to do a copy and delete of syslog rather than intelligently parsing out all data since the last timestamp recorded in Skynet's logs?
 
Can you clarify what you mean by the "syslog is purged to its own log file"? Do you mean the contents of syslog.log get purged into skynet.log or some other location? Is the reason for this obtuse behavior because skynet requires logs of a smaller size in order to run statistics?

Skynet-related entries are removed from syslog and put into their own log file. This is for multiple reasons, the first being that the default syslog only stores an arbitrary number of entries before all data is nuked. Secondly, we then use this data to generate stats over a period of time (10MB ends up being roughly a week's worth). Then finally, we don't hog the syslog with our noisy output.

Is there a way to run skynet but not have it alter the standard behavior of syslog? I'm curious if the contents of syslog are being copied to another file, which presumably is then being parsed by skynet (?)- what the purpose of purging the syslog instead of allowing to operate under normal behavior? I suppose it is easier to do a copy and delete of syslog rather than intelligently parsing out all data since the last time stamp recorded into skynet's logs?

The syslog binary included in busybox is significantly stripped down, so we have to purge the data manually rather than initially direct these select entries to their own file.
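The two explanations above (Skynet entries are moved out of syslog into their own file, kept until that file reaches 10MB, and used to build the stats) and the earlier question about 34 near-identical UDP entries differing only in the ID field describe one pipeline. The following is an added example, not Skynet's code, that implements that pipeline in Python: split the block events out of a syslog stream, cap the separate log, build counts like the ones the stats command prints, and fold lines that differ only in the IP ID field. The thread describes what happens, not how; the tag string, the field set used as the dedup key, the oldest-first trimming and the sample lines are this example's own assumptions, and the sample lines are constructed (the thread's lines were cut off before DPT=).

```python
"""Split Skynet block events out of syslog, cap the separate log, and summarise it.

Added example, not Skynet's code. The thread describes the behaviour; the way each
step is done here is our own choice. Sample lines are constructed.
"""
import re
from collections import Counter

BLOCK_TAG = "[BLOCKED - "                  # prefix Skynet's netfilter log lines carry
MAX_LOG_BYTES = 10 * 1024 * 1024           # the 10MB limit mentioned in the thread
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample syslog: three block events (two identical apart from ID) and
# one unrelated line that must stay in syslog.
SAMPLE_SYSLOG = [
    "Mar 5 05:19:41 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=122.228.19.79 "
    "DST=192.168.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=13466 PROTO=TCP SPT=42816 DPT=7779",
    "Mar 5 05:20:01 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=221.215.211.119 "
    "DST=68.13.250.141 LEN=129 TOS=0x00 PREC=0x00 TTL=115 ID=30482 PROTO=UDP SPT=11553 DPT=54321 LEN=109",
    "Mar 5 05:20:02 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=221.215.211.119 "
    "DST=68.13.250.141 LEN=129 TOS=0x00 PREC=0x00 TTL=115 ID=30483 PROTO=UDP SPT=11553 DPT=54321 LEN=109",
    "Mar 5 05:20:05 RT-AX88U dnsmasq[123]: started",
]


def split_syslog(lines):
    """Return (block_events, remaining_syslog): Skynet lines leave, everything else stays."""
    blocked, rest = [], []
    for line in lines:
        (blocked if BLOCK_TAG in line else rest).append(line)
    return blocked, rest


def append_capped(log, new_lines, max_bytes=MAX_LOG_BYTES):
    """Append to the separate log and drop the oldest lines once the cap is exceeded."""
    log = log + new_lines
    size = sum(len(line.encode()) + 1 for line in log)   # +1 for the newline
    while log and size > max_bytes:
        size -= len(log[0].encode()) + 1
        log.pop(0)
    return log


def fields(line):
    """Extract the netfilter key=value fields we care about from one log line."""
    return dict(FIELD_RE.findall(line))


def summarise(block_events):
    """Counts comparable to the stats output: events, unique sources, top ports."""
    srcs, dpts = Counter(), Counter()
    for line in block_events:
        f = fields(line)
        srcs[f.get("SRC", "?")] += 1
        if f.get("DPT"):
            dpts[f["DPT"]] += 1
    return {"events": len(block_events), "unique_ips": len(srcs),
            "top_src": srcs.most_common(10), "top_dpt": dpts.most_common(10)}


def collapse_repeats(block_events):
    """Fold lines that differ only in the IP ID field into (key, count) pairs,
    so a burst of retransmits shows up as one row with a count."""
    key_fields = ("SRC", "DST", "PROTO", "SPT", "DPT")
    counts = Counter()
    for line in block_events:
        f = fields(line)
        counts[tuple(f.get(k, "") for k in key_fields)] += 1
    return counts.most_common()


if __name__ == "__main__":
    blocked, rest = split_syslog(SAMPLE_SYSLOG)
    print("moved:", len(blocked), "kept in syslog:", len(rest))
    print(summarise(blocked))
    for key, n in collapse_repeats(blocked):
        print(f"{n}x", dict(zip(("SRC", "DST", "PROTO", "SPT", "DPT"), key)))
```

The collapse step is the part that answers the noise complaint: the 34 entries with the same SRC, DST, PROTO, SPT and DPT are one repeated probe, and counting them by that key preserves what the stats need while making the log readable. Keeping the raw lines in the separate file rather than in syslog is what lets the router's own syslog retain its other messages.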
 