Skynet What are some good current block lists? - Skynet

[Marcus Yansen]

I believe:

filter.list = not aggregated
myfilter.list = aggregated

My limited understanding would be if going with one of those, go with aggregated.

thank you so much!

 

[Ubimo]

I'm using @SomeWhereOverTheRainBow 's custom filterlist.
Yesterday I noticed a huge drop in blocked IPs going down from ~600.000 to now ~297.000.
Also, some sources failed to fetch:

Spoiler

Custom Filter Detected: https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list
Downloading filter.list | [0s]
Refreshing Whitelists | [10s]
Start Blacklist Consolidation |
[✘] Failed to fetch: https://darklist.de/raw.php
[✔] Downloaded https://feodotracker.abuse.ch/downloads/ipblocklist.txt
[✘] Failed to fetch: https://myip.ms/files/blacklist/general/latest_blacklist.txt
[✔] Downloaded https://iplists.firehol.org/files/spamhaus_drop.netset
[✔] Downloaded https://iplists.firehol.org/files/dyndns_ponmocup.ipset
[✔] Downloaded https://iplists.firehol.org/files/dshield.netset
[✔] Downloaded https://iplists.firehol.org/files/iblocklist_spamhaus_drop.netset
[✔] Downloaded https://blocklist.greensnow.co/greensnow.txt
[✔] Downloaded https://lists.blocklist.de/lists/strongips.txt
[✔] Downloaded https://iplists.firehol.org/files/firehol_level1.netset
[✔] Downloaded https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst
[✔] Downloaded https://iplists.firehol.org/files/bi_any_2_30d.ipset
[✔] Downloaded https://iplists.firehol.org/files/cybercrime.ipset
[✔] Downloaded https://iplists.firehol.org/files/malc0de.ipset
[✔] Downloaded https://iplists.firehol.org/files/greensnow.ipset
[✔] Downloaded https://iplists.firehol.org/files/alienvault_reputation.ipset
[✔] Downloaded https://iplists.firehol.org/files/et_block.netset
[✔] Downloaded https://iplists.firehol.org/files/et_compromised.ipset
[✔] Downloaded https://iplists.firehol.org/files/spamhaus_edrop.netset
[✔] Downloaded https://iplists.firehol.org/files/normshield_high_attack.ipset
[✔] Downloaded https://iplists.firehol.org/files/myip.ipset
[✔] Downloaded https://iplists.firehol.org/files/normshield_high_bruteforce.ipset
[✔] Downloaded https://iplists.firehol.org/files/dshield_1d.netset
[✔] Downloaded https://iplists.firehol.org/files/coinbl_hosts_browser.ipset
[✔] Downloaded https://iplists.firehol.org/files/et_spamhaus.netset
[✔] Downloaded https://iplists.firehol.org/files/iblocklist_pedophiles.netset
[✔] Downloaded https://iplists.firehol.org/files/ciarmy.ipset
[✔] Downloaded https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/IPlist.list
[✔] Downloaded https://iplists.firehol.org/files/urlvir.ipset
[✔] Downloaded https://iplists.firehol.org/files/bds_atif.ipset
[✔] Downloaded https://iplists.firehol.org/files/iblocklist_ciarmy_malicious.netset
[✔] Downloaded https://iplists.firehol.org/files/firehol_level2.netset
[✔] Downloaded https://iplists.firehol.org/files/blocklist_net_ua.ipset
[✔] Downloaded https://www.blocklist.de/downloads/export-ips_all.txt
[✔] Downloaded https://raw.githubusercontent.com/stamparm/ipsum/master/levels/1.txt
[✔] Downloaded https://iplists.firehol.org/files/firehol_level3.netset
[✔] Downloaded https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
[✘] Failed to fetch: https://www.talosintelligence.com/documents/ip-blacklist
[✔] Downloaded https://sigs.interserver.net/iprbl.txt
[✔] Downloaded https://voipbl.org/update
Finish Blacklist Consolidation | [36s]
Applying New Blacklist | [6s]
Refreshing AiProtect Bans | [0s]
Saving Changes | [2s]

 

[Jack-Sparr0w]

/usr/sbin/curl -s "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/08d0c3e47a96d843dba8e33101b6644eb8205cee/firewall.sh" -o "/jffs/scripts/firewall" && chmod 755 /jffs/scripts/firewall && sh /jffs/scripts/firewall install

 

[Jack-Sparr0w]

install at ssh login root and you can use this version. its older but very reliable on big lists

This is my firewall if you care to take a look

https://raw.githubusercontent.com/Jack-Sparr0w-2o4/Gatekeeper-Unbound/refs/heads/main/Filterlist

 

[Jack-Sparr0w]

uninstall Skynet before entering code if Skynet is already installed

 

[Tech9]

This is my firewall

This is not a firewall... you have to stop this nonsense.

 

[Jack-Sparr0w]

If you need to find 404 errors on your custom Firewall list here is a website that will interest you

Atomseo Bulk URL Checker | Batch Link Checker for 404 Errors

Use Atomseo's bulk URL checker to identify 404 errors and other statuses. Check up to 1500 links for free. Upload your links or file for easy batch checking

error404.atomseo.com

 

[Jack-Sparr0w]

Skynet for AsusWRT-Merlin is an advanced IP-based firewall enhancement that extends the built-in firewall capabilities of ASUS routers running Merlin firmware. It operates on iptables and uses dynamic IP sets to block malicious traffic based on threat intelligence from sources like Alienvault, FireHOL, and others (IP-based firewall)

 

[Jack-Sparr0w]

Everything that is needed to know is right here including older versions of Skynet

GitHub - Adamm00/IPSet_ASUS: Skynet - Advanced IP Blocking For ASUS Routers Using IPSet.

Skynet - Advanced IP Blocking For ASUS Routers Using IPSet. - Adamm00/IPSet_ASUS

github.com

 

[Jack-Sparr0w]

If you need a domains ip use this to add to your list this helps with finding addresses to websites so that Skynet can block it

Autonomous System Lookup (AS / ASN / IP) | HackerTarget.com

Lookup IPv4 / IPv6 address to AS or ASN to IP ranges. Quickly find the Autonomous System owner using the online tool and the Free API.

hackertarget.com

 

[Ripshod]

@Tech9 it's pointless. You're arguing with the person whose own blocklist blocked half the world's speedtest servers.
TBH I'm surprised not to see them peddling it here

 

[Jack-Sparr0w]

Using a big blocklist means you must use whitelist feature in Skynet.

 

[Tech9]

IP-based firewall

No. IP-based firewall enhancement. The firewall itself is part of Asuswrt. You can't even read the information properly. Skynet is an IP-blocker and IMO useless for anything else than self-limiting.

 

[Jack-Sparr0w]

For ddos mitigations I use this website

https://radar.cloudflare.com/security/application-layer

pick your city and see what is the culprit, I mean I block the whole ASN if its known for this type of attack. It is a very harsh way of blocking but it works. just look into ASN and see if you need that service. last one I blocked was a French luxury handbag company. I don't think I would be going to that website anytime soon so I just block the ASN if it is know for attacks and has highest percentage overall of doing this attack. To teach there own though. you will just have to do the research and see if this is good for you.

 

[Skillz]

Here is a fully aggregated list, to each their own, but it blocks alot. https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/myfilter.list , I would consider my aggregated list heavily aggressive, and if you are looking for less aggressive @Viktor Jaep may be better if it can be shrunk to an aggregated form.

@SomeWhereOverTheRainBow Hi, I've been using your list with currently Skynet 8.0.9, but I've been running into an issue I'm unable to solve.

I'm running a Jellyfin server and when I try to look up alternative show/movie images, skynet is blocking it with your list. When I reset the skynet list back to the default list, it works. The specific url that's being blocked is: tmdb-image-prod.b-cdn.net.

It's impossible to allow every ip from the cdn and the ip seems to (almost) change on every lookup... In skynet settings CDN Whitelisting is set to enabled.

Is there anything I (or you?) can do to allow all the ip's behind tmdb-image-prod.b-cdn.net?

 

[SomeWhereOverTheRainBow]

@SomeWhereOverTheRainBow Hi, I've been using your list with currently Skynet 8.0.9, but I've been running into an issue I'm unable to solve.

I'm running a Jellyfin server and when I try to look up alternative show/movie images, skynet is blocking it with your list. When I reset the skynet list back to the default list, it works. The specific url that's being blocked is: tmdb-image-prod.b-cdn.net.

It's impossible to allow every ip from the cdn and the ip seems to (almost) change on every lookup... In skynet settings CDN Whitelisting is set to enabled.

Is there anything I (or you?) can do to allow all the ip's behind tmdb-image-prod.b-cdn.net?

This comment is key here:

It's impossible to allow every ip from the cdn and the ip seems to (almost) change on every lookup...

It may be impossible to be sure that the IP I would be allowlisting would match the IP that is being blocked by your skynet. The only way to be absolutely sure to allowlist something like tmdb-image-prod.b-cdn.net I would recommend allowlisting the ASN the domain originates from -- AS49434 a.k.a BUNNYCDN or AS200325. You can allowlist an entire ASN using the instructions provided by skynets github. You may also want to consider allowlisting ASN associated with Datacamp AS60068 and AS212238. The domain also has ties to this network. The IP addresses used maybe from any one of these three ASN depending on a number of factors including requester geographic location.

Here is two examples of what I mean A and AAAA queries:

curl "https://api.hackertarget.com/aslookup/?q=$(dig tmdb-image-prod.b-cdn.net A +short)&output=json&details=true" | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   370  100   370    0     0    559      0 --:--:-- --:--:-- --:--:--   561
{
  "asn": "60068",
  "asn_name": "CDN77 _, GB",
  "asn_range": "152.233.22.0/23",
  "description": "Datacamp Limited is a company in the technology industry that provides online educational courses and resources focused on data science, software development, and other tech-related fields.",
  "domain": "datacamp.co.uk",
  "ip": "152.233.22.97",
  "organization": "Datacamp Limited"
}

curl "https://api.hackertarget.com/aslookup/?q=$(dig tmdb-image-prod.b-cdn.net AAAA +short)&output=json&details=true" | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   393  100   393    0     0    658      0 --:--:-- --:--:-- --:--:--   658
{
  "asn": "200325",
  "asn_name": "BUNNYCDN, SI",
  "asn_range": "2400:52e0:1a02::/48",
  "description": "BUNNYWAY, informacijske storitve d.o.o. is a Slovenian company providing information technology services, including cloud computing and content delivery network (CDN) solutions.",
  "domain": "bunnycdn.com",
  "ip": "2400:52E0:1A02::876:1",
  "organization": "BUNNYWAY, informacijske storitve d.o.o."
}

Here is code to do what you need to do.

for i in AS49434 AS60068 AS200325 AS212238; do firewall whitelist asn "$i"; done

 

[Skillz]

@SomeWhereOverTheRainBow Thank you so much for your extensive and informative answer.
I was aware of the ASN option, but had no knowledge on how to query them.

I did get a different ASN (212238) from my A query and have only added this so far to the whitelist as I'm not using ipv6 (for now...still).

Seems to be working for now, but will add additional ones if needed.

 

[SomeWhereOverTheRainBow]

@SomeWhereOverTheRainBow Thank you so much for your extensive and informative answer.
I was aware of the ASN option, but had no knowledge on how to query them.

I did get a different ASN (212238) from my A query and have only added this so far to the whitelist as I'm not using ipv6 (for now...still).

Seems to be working for now, but will add additional ones if needed.

If you run into problems later it is likely the server has switched to an IP in one of the other ASN in the list above. I only showed the ipv6 to show that it even uses those ASN to get an ipv6 address. And it can use a different ASN for each address at any given point in time. Just make sure you allow list the appropriate ASN's you should see less issues.

 

[SomeWhereOverTheRainBow]

@SomeWhereOverTheRainBow Hi, I've been using your list with currently Skynet 8.0.9, but I've been running into an issue I'm unable to solve.

I'm running a Jellyfin server and when I try to look up alternative show/movie images, skynet is blocking it with your list. When I reset the skynet list back to the default list, it works. The specific url that's being blocked is: tmdb-image-prod.b-cdn.net.

It's impossible to allow every ip from the cdn and the ip seems to (almost) change on every lookup... In skynet settings CDN Whitelisting is set to enabled.

Is there anything I (or you?) can do to allow all the ip's behind tmdb-image-prod.b-cdn.net?

Well i know you mentioned the default list not having this problem, but i would recommend @Adamm considering adding the above mentioned ASNs AS49434 AS60068 AS200325 AS212238 to his CDN whitelisting. One of these domains ip addresses could easily wind up in skynets defaults in the future, or even accidently bleed over from diversion shared list.

 

[Skillz]

If you run into problems later it is likely the server has switched to an IP in one of the other ASN in the list above. I only showed the ipv6 to show that it even uses those ASN to get an ipv6 address. And it can use a different ASN for each address at any given point in time. Just make sure you allow list the appropriate ASN's you should see less issues.

I already did. I'll keep adding as they come. (in this case it was AS60068)