
Author Topic: HOWTO: Disable remote access on UI4  (Read 23522 times)

Offline Henk

  • Hero Member
  • *****
  • Posts: 820
  • Karma: +3/-0
Re: HOWTO: Disable remote access on UI4
« Reply #15 on: June 26, 2011, 03:36:55 am »
@futzle,

As a reference, I saw @cj making this comment here:
http://forum.micasaverde.com/index.php?topic=6894.msg43923#msg43923
3.The UI2 users concept was confusing for some users: you had a findvera.com account, you had local users and you had notifications users, in UI4 we tried to merge all of those together, and in order to synchronize the changes made on the server on the unit we need to have this tunnel opened.
You can easily disable the tunnel (http://LOCAL_VERA_IP/cgi-bin/cmh/remove_ra.sh), but all the changes made on the server will be synchronized once at 24 hours only to your unit.


A warning... my disabled tunnel spontaneously decided to re-enable itself some time in the last few months.  I am going to have to put in a periodic check to prevent remote access re-enabling itself.  Nice.
| Vera2 @ UI4 1.1.1350 / 3.20 | Vera Lite @ UI5 | Vera 3 @ UI5 | 2x Merten  504519 | 1x Duewi  064374 | 1x Everspring SM103 doorbell mod |1 Y-cam IP cam | various LUUP plugins |

Offline lolodomo

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3484
  • Karma: +74/-10
Re: HOWTO: Disable remote access on UI4
« Reply #16 on: August 01, 2013, 09:37:48 am »
In UI5 v1.5.622, there is a bug in the script "remove_ra.sh". The ssh process is not killed and that's the reason why the tunnel is not immediately closed. At the end of this script, this command "/etc/init.d/cmh-ra stop" should be called. It kills the ssh process + another process called "cmh-ra-daemon.sh".
After that, it seems that the tunnel is really closed without requiring a reboot of the Vera.


In the same directory, there is another file named "cmh_ra.sh". This one allows to enable the tunnel but environment variables FORM_user and FORM_pass have to be defined first.
« Last Edit: August 01, 2013, 09:49:54 am by lolodomo »

Offline lolodomo

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3484
  • Karma: +74/-10
Re: HOWTO: Disable remote access on UI4
« Reply #17 on: August 01, 2013, 10:19:13 am »
A warning... my disabled tunnel spontaneously decided to re-enable itself some time in the last few months.  I am going to have to put in a periodic check to prevent remote access re-enabling itself.  Nice.

That's because with your method you are not detaching your Vera from your MiOS account. As you can see in the scripts cmh_ra.sh and remove_ra.sh, there is a specific call done to the Micasaverde servers to add or remove an access point (your Vera).
« Last Edit: August 01, 2013, 10:28:04 am by lolodomo »

Offline lolodomo

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3484
  • Karma: +74/-10
Re: HOWTO: Disable remote access on UI4
« Reply #18 on: August 01, 2013, 10:27:19 am »
In the same directory, there is another file named "cmh_ra.sh". This one allows to enable the tunnel but environment variables FORM_user and FORM_pass have to be defined first.

An easy way to re-enable the tunnel is to connect from your local network to cp.mios.com with your account and then add your Vera to your account again. The tunnel is immediately re-opened. But this method requires a human action.

Offline lolodomo

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3484
  • Karma: +74/-10
Re: HOWTO: Disable remote access on UI4
« Reply #19 on: August 04, 2013, 02:43:49 pm »
http://wiki.micasaverde.com/index.php/UI_Notes

Quote
Each Vera, when it boots up, reports its internal IP address to the central mios.com server, which tracks this along with the external IP address. locator.php shows all serial numbers and internal network IP addresses on the same external IP.

So even with the SSH tunnel broken with the MCV servers, this information is sent to the MCV servers and I don't know if this is done with a kind of security or not.
For users searching a real break with MCV servers, any idea how to stop that?

Offline guessed

  • Community Beta
  • Master Member
  • ******
  • Posts: 5301
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: HOWTO: Disable remote access on UI4
« Reply #20 on: August 04, 2013, 10:41:12 pm »
Also, if you happen to have a support tunnel open, you'll need to disable that also.

If the following file exists:
    /etc/cmh/ra_password

change it to another name like:
    /etc/cmh/ra_password.orig

and then kill off the "other" ssh Tunnel that would look like:
     ssh -y -T -p 232 -i /etc/cmh/ra_key -R xxxxx:127.0.0.1:80 -R yyyyy:127.0.0.1:23 -R zzzzz:127.0.0.1:22 remoteassistance@ts2.
Removing the /etc/cmh/ra_password file ensures that /usr/bin/SetupRemoteAccess.sh won't run, since it will startup independently of the other RA Enablement settings.

Offline lolodomo

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3484
  • Karma: +74/-10
Re: HOWTO: Disable remote access on UI4
« Reply #21 on: August 05, 2013, 03:23:25 am »
Also, if you happen to have a support tunnel open, you'll need to disable that also.

If the following file exists:
    /etc/cmh/ra_password

change it to another name like:
    /etc/cmh/ra_password.orig

and then kill off the "other" ssh Tunnel that would look like:
     ssh -y -T -p 232 -i /etc/cmh/ra_key -R xxxxx:127.0.0.1:80 -R yyyyy:127.0.0.1:23 -R zzzzz:127.0.0.1:22 remoteassistance@ts2.
Removing the /etc/cmh/ra_password file ensures that /usr/bin/SetupRemoteAccess.sh won't run, since it will startup independently of the other RA Enablement settings.

This is probably only if you have enabled the remote assistance. I don't have the ra_password file on my system.
« Last Edit: August 05, 2013, 03:27:20 am by lolodomo »

Offline lolodomo

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3484
  • Karma: +74/-10
Re: HOWTO: Disable remote access on UI4
« Reply #22 on: August 05, 2013, 03:26:41 am »
http://wiki.micasaverde.com/index.php/UI_Notes

Quote
Each Vera, when it boots up, reports its internal IP address to the central mios.com server, which tracks this along with the external IP address. locator.php shows all serial numbers and internal network IP addresses on the same external IP.

So even with the SSH tunnel broken with the MCV servers, this information is sent to the MCV servers and I don't know if this is done with a kind of security or not.
For users searching a real break with MCV servers, any idea how to stop that?

My feeling is that all this stuff is done by the file /etc/init.d/provision_vera.sh.
But I am not sure because I don't find the log file that should have been created if the file has been run...

By the way, I understand that this information can be retrieved only if you are already in your local network. And is it really critical?
« Last Edit: August 05, 2013, 03:32:16 am by lolodomo »

Offline lolodomo

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3484
  • Karma: +74/-10
Re: HOWTO: Disable remote access on UI4
« Reply #23 on: August 05, 2013, 05:51:17 am »
By the way, I understand that this information can be retrieved only if you are already in your local network. And is it really critical?

These data are now stored on the MCV servers and we could just disable a refresh. I am not sure if there is a way to suppress them from the MCV servers.

One of the advantages of these data stored on MCV servers is that it allows us an easy way to re-enable the connection to the MCV servers (the tunnel) and an easy way for third-party applications to find the local IP of the Vera.
It would be just interesting to know what data are exactly stored but there could be nothing really critical (your public IP, the local IP of the Vera, Vera serial number, ...)
« Last Edit: August 05, 2013, 05:56:44 am by lolodomo »

Offline randomname

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
Re: HOWTO: Disable remote access on UI4
« Reply #24 on: January 02, 2014, 08:20:37 am »
A warning... my disabled tunnel spontaneously decided to re-enable itself some time in the last few months.  I am going to have to put in a periodic check to prevent remote access re-enabling itself.  Nice.

I see the same happening after each reboot. Damn tunnels keep opening.

Does anybody have a fix for this?

Offline guessed

  • Community Beta
  • Master Member
  • ******
  • Posts: 5301
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: HOWTO: Disable remote access on UI4
« Reply #25 on: February 21, 2014, 07:30:15 pm »
So I've had remote access disabled for 1/2 yr now.  I recently started collecting stats using SysMon, and even more recently put them into graphs to work out some inconsistent execution stuff going on.

Note the odd pattern, and in a wider graph, it's very consistently occurring at the same time(s)

After a bit of poking, it seems that Vera's internal maintenance scripts will kick in every 60 minutes and perform a force-reload.  This appears to only occur when you have remote-access disabled (lovely), and appears to be due to lines in:

/usr/bin/mios-services.sh
specifically, lines 143-150 (1.5.622), where it's checking the contents of the local user's file:
/etc/cmh/users.conf
and, if it's empty (which it will be on a decoupled system), it attempts to load it from the servers.

The other clue that this is going on is the following lines in the logread output:
Feb 21 13:23:49 MiOS_300xxxxx user.notice mios_services[407]: Sync MiOS Users required
Feb 21 13:23:49 MiOS_300xxxxx user.notice mios-sync_users[438]: BEGIN
Feb 21 13:23:49 MiOS_300xxxxx user.notice mios-sync_users[438]: Returning working server for MAIN=sta2.mios.com BCK=sta1.mios.com LAST=sta2.mios.com UseBCK(USE_ST_SRV_BCK=0) with do_report=0
Feb 21 13:23:49 MiOS_300xxxxx user.notice mios-sync_users[438]: Testing connection to: sta2.mios.com on Port: 443
Feb 21 13:23:49 MiOS_300xxxxx user.notice mios-sync_users[438]: 1 got response from sta2.mios.com
Feb 21 13:23:49 MiOS_300xxxxx user.notice mios-sync_users[438]: TestSeq=1 - Connection to: sta2.mios.com is 1
Feb 21 13:23:50 MiOS_300xxxxx user.notice mios-sync_users[438]: sta2.mios.com Reached. Proceeding...
Feb 21 13:23:50 MiOS_300xxxxx user.notice mios-sync_users[438]: MAIN Working
Feb 21 13:23:50 MiOS_300xxxxx user.notice mios-sync_users[438]: Clearing all MiOS users
Feb 21 13:23:50 MiOS_300xxxxx user.notice mios-sync_users[438]: ===AddMiosUsers: ===
Feb 21 13:23:50 MiOS_300xxxxx user.notice mios-sync_users[438]: === Request LuaUPnP Reload ===
Feb 21 13:23:51 MiOS_300xxxxx user.notice mios-sync_users[438]: END

They'll occur every 60 minutes after the last restart of the LuaUPnP process...  along with a corresponding set of LuaUPnP log lines for a "url-requested" Reload operation:
12 02/21/14 11:23:44.235 luvd_get_info_data_request starting /data_request?id=lu_reload pMem 0x1c18000/29458432 diff: 17477632 <0x2f7fe680>
10 02/21/14 11:23:44.235 JobHandler_LuaUPnP::HandleRequest id lu_reload request pMem 0x1c18000/29458432 diff: 17477632 <0x2f7fe680>
03 02/21/14 11:23:44.236 JobHandler_LuaUPnP::Reload: reload Critical 1 m_bCriticalOnly 0 dirty data 1 <0x2f7fe680>
10 02/21/14 11:23:44.475 JobHandler_LuaUPnP::Reload started watchdog thread <0x2f7fe680>
10 02/21/14 11:23:44.475 JobHandler_LuaUPnP::m_bQuit_set now 1 for 0xb6bc90 JobHandler_LuaUPnP::Reload <0x2f7fe680>
10 02/21/14 11:23:44.476 ThreadedClass::m_bQuit_set now 1 for 0xb6bc90 JobHandler_LuaUPnP::Reload <0x2f7fe680>

Of course, those show up in a lot of places.  Bug report 3952 filed for the issue.

I will post the work-around once I've worked out a reasonable hack to avoid this problem.

@futzle: I posted here so we can keep all the information about "separating" Vera from the hosted service together.   Let me know if you'd prefer that I separate this post out.
« Last Edit: February 21, 2014, 07:53:25 pm by guessed »

Offline Video321

  • Sr. Newbie
  • *
  • Posts: 33
  • Karma: +0/-0
Re: HOWTO: Disable remote access on UI4
« Reply #26 on: March 18, 2014, 08:25:27 am »
Is there any update to this?

I have the same exact output in my logread with remote access disabled.

I've been dealing with once/hour reboots for a VERY long time - too many other things in life were getting priority over this!
I would crash with LuaUPNP exit code 245 - which was not bringing up anything pertaining to me during forum searches at the time that I noticed the error.

I really don't want remote access, but if I must enable it I'll have to isolate Vera in a secured VLAN.

Thanks for your support with this!

Offline guessed

  • Community Beta
  • Master Member
  • ******
  • Posts: 5301
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: HOWTO: Disable remote access on UI4
« Reply #27 on: March 18, 2014, 11:21:54 am »
Is there any update to this?
The file just needs to be non-zero in length, and it'll stop.  I put a single "#" character into my /etc/cmh/users.conf file and the reloads stopped.
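
The checks described across the posts above (a running ssh reverse tunnel, the /etc/cmh/ra_password file, a zero-length /etc/cmh/users.conf, and the "Sync MiOS Users required" log entry), collected into one audit script. This is an added example, not part of any post and not Vera/MiOS code; ROOT, the function names and the sample process listing are assumptions, and it assumes ps prints full command lines.

```shell
#!/bin/sh
# Added example: audit for the remote-access leftovers named in this thread.
# File paths and the log string are from the posts; ROOT, the function names
# and the sample data are assumptions made for this example.
ROOT="${ROOT:-}"    # path prefix for the file checks; empty on the Vera itself

# Constructed sample input (ports and host are placeholders, not real values).
SAMPLE_PS='  407 root  1234 S  /bin/sh /usr/bin/mios-services.sh
 1820 root  1100 S  ssh -y -T -p 232 -i /etc/cmh/ra_key -R 10001:127.0.0.1:80 -R 10002:127.0.0.1:22 remoteassistance@example.invalid
 1901 root   900 S  /usr/sbin/dropbear -p 22'
SAMPLE_LOG='Feb 21 13:23:49 MiOS_300xxxxx user.notice mios_services[407]: Sync MiOS Users required'

# stdin: process listing. Prints ssh processes that carry a reverse forward (-R).
find_reverse_tunnels() {
    grep -E '(^|[[:space:]/])ssh[[:space:]].*[[:space:]]-R[[:space:]]*[^[:space:]]+:[0-9]+' || true
}

# stdin: logread-style text. Prints how many user syncs were triggered.
count_user_syncs() {
    grep -c 'Sync MiOS Users required' || true
}

# $1 = process listing, $2 = log text. Prints findings, sets FINDINGS to their count.
audit_remote_access() {
    FINDINGS=0
    tunnels=$(printf '%s\n' "$1" | find_reverse_tunnels)
    if [ -n "$tunnels" ]; then
        printf 'FINDING: ssh reverse tunnel running:\n%s\n' "$tunnels"
        FINDINGS=$((FINDINGS + 1))
    fi
    if [ -e "$ROOT/etc/cmh/ra_password" ]; then
        echo "FINDING: /etc/cmh/ra_password present, SetupRemoteAccess.sh can run"
        FINDINGS=$((FINDINGS + 1))
    fi
    if [ ! -s "$ROOT/etc/cmh/users.conf" ]; then
        echo "FINDING: /etc/cmh/users.conf empty or missing (empty triggers the hourly sync)"
        FINDINGS=$((FINDINGS + 1))
    fi
    syncs=$(printf '%s\n' "$2" | count_user_syncs)
    if [ "$syncs" -gt 0 ]; then
        echo "FINDING: $syncs 'Sync MiOS Users required' entries in the log"
        FINDINGS=$((FINDINGS + 1))
    fi
    [ "$FINDINGS" -eq 0 ] && echo "OK: no remote-access leftovers found"
    return 0
}
# On the device: audit_remote_access "$(ps)" "$(logread)"
```

Run from cron or after each reboot, a non-zero FINDINGS count is the signal that the tunnel or the hourly sync has come back.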

Offline Video321

  • Sr. Newbie
  • *
  • Posts: 33
  • Karma: +0/-0
Re: HOWTO: Disable remote access on UI4
« Reply #28 on: March 18, 2014, 04:54:11 pm »
Thanks... I applied that fix!

Don't mean to clutter up this thread, but when I issue the "logread" command, what is the name and location of the file it pulls from?

Offline futzle

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3260
  • Karma: +192/-9
Re: HOWTO: Disable remote access on UI4
« Reply #29 on: March 18, 2014, 04:58:13 pm »
when I issue the "logread" command, what is the name and location of the file it pulls from?

On OpenWrt the log isn't in a file.  It's a memory buffer that the syslog facility has write access to.  Here's the OpenWrt Wiki page.