Skynet - Router Firewall & Security Enhancements


@pirx73
Did you flash an updated CFE to your RT-AC68U, or is that what it shipped with? Most CFE's I've seen on RT-AC68U's are 1.0.2 or close to it.
Definitely not. I bought it unused from an internet shop and never touched CFE. If I would, I would not have a problem telling it here. Why my router has 1.0.3 CFE out of the box I have no idea. Screenshot of my router System Information screen:
https://drive.google.com/open?id=1WXclexDz-5t63_FhUBanwL-FbugDA3Hk

Removed Skynet, did a full reboot of router, reinstalled it back and it's working now. I will monitor it for a while.
 
I just installed Skynet a few days ago, and it's quite clear after a weekend of abuse by people in the house trying to stream netflix and use our kodi box that I've some learnin' up to do.
I suspect it's easier than I believe at this moment, and that it will be brilliant when I've made a space for it in my middle-aged nugget...
maybe some Obi-Wan Kenobi has posted some Jedi apprentice-level training for me here so I don't have to go all the way to the Dagobah system.
 
@heysoundude what 'training' do you need for Skynet? Enable it and be protected. :)

-Not 'Obi-Wan Kenobi' but I can feel the force that @Adamm exerts on the bad guys! Actually, I just read it in the stats. :)
 
Netflix is a saviour around here, and he’s getting blocked or something (but only on the kodi box) since skynet started getting used, and same for the addons we use to stream other things. I’m sure I’m no unicorn in this regard - I just don’t know enough about config and troubleshooting it.
 
As per the readme and second post of this thread;

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Logging
Code:
sh /jffs/scripts/firewall settings logmode enable
2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch
Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST="; it should look something like this;
Code:
DST=175.115.37.52
4.) Double check the IP is not actually something that should be banned; use a search tool like AlienVault. If it's related to a domain, additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/
5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52
 
That’s another thing @Adamm - making the mental connections between terminal and Merlin GUI.
I’ll sort it out once I can focus on it tomorrow...
Thanks for responding.
 
What does "Element cannot be added to the set: it's already added" mean when whitelisting something? Shouldn't we be whitelisting SOURCES rather than destinations?

Also - is it worthwhile "reporting" to the abuse contacts in the WhoIs of the offending IPs that somehow they're hammering me?
 
Skynet works by whitelisting remote addresses
 
I must have something backwards in my brain...alienvault has the DST IP in question as my ISP...they seem to be doing what I pay them for, and so is Skynet when it comes to SRC IPs so far from what I have checked out...
Maybe there’s a problem with the Netflix addon coding, or something it relies on.

Should I be paying more attention to what ports are getting probed/blocked?

 
The logs work like this: if it's an inbound block, your IP will be the dst. If it's an outbound block, your IP is the src.
 
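
The direction rule above, combined with the earlier "look for a flood of [BLOCKED - OUTBOUND]" steps, as an added example (not part of the thread and not Skynet's own code). It ranks the remote address per direction; the log lines are constructed, and the `[BLOCKED - INBOUND]` prefix, the netfilter field layout and the function names are assumptions.

```sh
#!/bin/sh
# Added example: rank the REMOTE address in Skynet-style block log lines.
#   outbound block -> LAN host is SRC, remote end is DST
#   inbound block  -> router/WAN IP is DST, remote end is SRC

# Constructed sample lines in netfilter LOG layout (not from a real router).
# 175.115.37.52 is the example IP from the post; the rest are documentation ranges.
sample_log() {
cat <<'EOF'
Jan  1 10:00:01 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=50122 DPT=443
Jan  1 10:00:01 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=50123 DPT=443
Jan  1 10:00:02 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41000 DPT=23
Jan  1 10:00:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=50124 DPT=443
Jan  1 10:00:03 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 PROTO=UDP SPT=5353 DPT=53
Jan  1 10:00:04 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41001 DPT=22
Jan  1 10:00:05 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=33000 DPT=8080
Jan  1 10:00:06 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=50125 DPT=443
EOF
}

# top_remote DIRECTION   (DIRECTION = OUTBOUND or INBOUND)
# Reads log lines on stdin, prints "<hits> <remote-ip>", busiest first.
top_remote() {
    awk -v dir="$1" '
        BEGIN { key = (dir == "OUTBOUND") ? "DST=" : "SRC=" }
        index($0, "[BLOCKED - " dir "]") {
            for (i = 1; i <= NF; i++)
                if (index($i, key) == 1) { hits[substr($i, 5)]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# flood_candidates MIN_HITS: outbound destinations blocked at least MIN_HITS
# times. These are addresses to look up (step 4), not to whitelist blindly.
flood_candidates() {
    top_remote OUTBOUND | awk -v min="$1" '$1 >= min { print $2 }'
}

# Demo on the constructed sample; pipe your own log in instead of sample_log.
sample_log | top_remote OUTBOUND
```

An address that tops the INBOUND ranking is a remote host probing the router, so it is not a whitelist candidate for a blocked application.
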
Yes, I'm getting floods of Inbound blocks, and the topmost blocked device is my HTPC/kodi machine.
Is it trying to "phone home" for some reason? The top IP is in NL, and I believe the dev of my setup (xbian) is in that neck of the woods...
 
Hi,
So what happens when the log file gets to 10MB? Does it reset to 0 and start over? How does Skynet handle that? Is there something the user has to do, like reset the statistics and empty the log file? How does Skynet keep its stats relevant once the 10MB limit has been reached?

Thanks,
Anton
 
I'm going to try to save Adamm answering this again. ;)
https://www.snbforums.com/threads/r...urity-enhancements.16798/page-334#post-563779
https://www.snbforums.com/threads/r...urity-enhancements.16798/page-311#post-552454
https://www.snbforums.com/threads/r...urity-enhancements.16798/page-128#post-403366
https://www.snbforums.com/threads/r...urity-enhancements.16798/page-128#post-403384
 
I'm not sure what benefits Skynet brings over the original setup and is my router/network potentially less secure if I don't have it installed?
 
Even with AiProtection enabled, your router may not block all outbound traffic to known bad guys. Skynet will do this. If you open external ports on your router for any purpose (gaming, remote access, openVPN), you are creating opportunities for hackers to pound away at those open ports. Skynet will block these attempts from known bad people.
 
I'm using these ipsets/lists:
https://iplists.firehol.org/files/alienvault_reputation.ipset
https://iplists.firehol.org/files/bds_atif.ipset
https://iplists.firehol.org/files/bi_any_2_30d.ipset
https://iplists.firehol.org/files/blocklist_net_ua.ipset
https://iplists.firehol.org/files/cybercrime.ipset
https://iplists.firehol.org/files/dyndns_ponmocup.ipset
https://iplists.firehol.org/files/et_block.netset
https://iplists.firehol.org/files/et_compromised.ipset
https://iplists.firehol.org/files/firehol_level2.netset
https://iplists.firehol.org/files/firehol_level3.netset
https://iplists.firehol.org/files/normshield_high_attack.ipset
https://iplists.firehol.org/files/normshield_high_bruteforce.ipset
https://iplists.firehol.org/files/spamhaus_edrop.netset
https://iplists.firehol.org/files/urlvir.ipset
https://iplists.firehol.org/files/bi_sshd_2_30d.ipset
https://iplists.firehol.org/files/coinbl_ips.ipset
https://iplists.firehol.org/files/ransomware_online.ipset
https://iplists.firehol.org/files/ransomware_rw.ipset
https://iplists.firehol.org/files/urandomusto_ssh.ipset
https://iplists.firehol.org/files/urandomusto_telnet.ipset
https://iplists.firehol.org/files/uscert_hidden_cobra.ipset
https://iplists.firehol.org/files/firehol_level1.netset
https://iplists.firehol.org/files/feodo.ipset
https://iplists.firehol.org/files/bambenek_c2.ipset
https://iplists.firehol.org/files/spamhaus_drop.netset
https://iplists.firehol.org/files/malwaredomainlist.ipset
https://iplists.firehol.org/files/maxmind_proxy_fraud.ipset
https://iplists.firehol.org/files/ransomware_online.ipset
https://iplists.firehol.org/files/ransomware_rw.ipset
https://iplists.firehol.org/files/et_botcc.ipset
https://iplists.firehol.org/files/blocklist_de_bots.ipset
https://iplists.firehol.org/files/blocklist_de_ssh.ipset
https://iplists.firehol.org/files/blocklist_de_strongips.ipset
https://iplists.firehol.org/files/taichung.ipset
https://iplists.firehol.org/files/coinbl_hosts_browser.ipset
https://hosts.ubuntu101.co.za/ips.list
https://hosts.ubuntu101.co.za/domains.list
https://raw.githubusercontent.com/m...-Malware-Web-Sites/master/hacked-domains.list
https://raw.githubusercontent.com/m...er/master/_generator_lists/bad-referrers.list
That is ~330.000 blocked IPs and 2100 ranges getting blocked.
Is this good? Bad? Stupid?
Why?

Edit:
Can I see if any of these additional lists actually blocked some IPs?
 
I see Adamm just updated Skynet and removed the +hosts?
After updating Skynet, do we have to update anything else? (ban malwarelist, etc.)
 
