Advanced => Security => Topic started by: futzle on November 12, 2010, 10:57:50 pm

Title: HOWTO: Disable remote access on UI4
Post by: futzle on November 12, 2010, 10:57:50 pm
I didn't know how else to do this on UI4/cp.mios.com.  Back on UI2/findvera.com there was an option in the user interface to disable remote access entirely.

1. On your LAN, ssh into your Vera as root.
2. Edit the file /etc/cmh-ra/cmh-ra.conf.
3. Change the 0 in this line to 1:
Code:
RA_DISABLED=0
4. Kill the ssh process that looks like this (99999 will be different on your Vera):
Code:
ssh -p 232 -T -y -i /etc/cmh-ra/keys/cmh-ra-key.priv -R 99999:127.0.0.1:80 cmh-ra@fwd1.mios.com
Or else just reboot Vera.
5. Verify that the remote access tunnel is turned off by running ps and noting the absence of ssh processes, or by seeing this message in the output of logread:
Code:
MiOS Remote Control Service is disabled. We won't start RC tunnels.
I'd recommend doing this only if you suffer from severe paranoia about secure tunnels to remote servers that you didn't create, or if you already have a way to securely access your LAN from the Internet.  I have a proper VPN, so I'm happy to connect to my VPN before connecting to Vera.

Needless to say, put this back the way you found it if you expect to get tech support from MCV.
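The five steps above as one script, added here as an example rather than code from futzle's post or from MiOS. It assumes the config path, the RA_DISABLED setting, the key-file name and the logread message exactly as quoted above; the script name disable_ra.sh and its --apply switch are invented for the example, and CONF can be pointed at a copy of the config for a dry run before touching /etc.

```shell
#!/bin/sh
# Added example (not from the original post or from MiOS): automates the
# five steps for disabling the cmh-ra tunnel on a UI4 Vera. The paths and
# the key-file name are the ones quoted in the post; CONF may be overridden
# so the config edit can be tried on a copy first.
CONF="${CONF:-/etc/cmh-ra/cmh-ra.conf}"

# Step 3: set RA_DISABLED=1 in the config file and print the value that is
# now in the file. A temp file plus mv is used instead of "sed -i" so this
# behaves the same under BusyBox sed (Vera's OpenWrt base) and on a desktop.
set_ra_disabled() {
    conf="$1"
    tmp="$conf.$$"
    if grep -q '^RA_DISABLED=' "$conf"; then
        sed 's/^RA_DISABLED=.*/RA_DISABLED=1/' "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        echo 'RA_DISABLED=1' >> "$tmp"
    fi
    mv "$tmp" "$conf"
    sed -n 's/^RA_DISABLED=\(.*\)$/\1/p' "$conf"
}

# Step 4: PIDs of the tunnel, found by the private-key path the post shows.
# Plain "ps" lists every process on BusyBox; on a desktop use "ps ax".
tunnel_pids() {
    ps | grep 'cmh-ra-key.priv' | grep -v grep | awk '{ print $1 }'
}

kill_tunnel() {
    pids=$(tunnel_pids)
    [ -n "$pids" ] && kill $pids
    sleep 1
    if [ -z "$(tunnel_pids)" ]; then
        echo "tunnel down"
    else
        echo "tunnel still up"
    fi
}

# Step 5: read logread output on stdin; succeed if the "disabled" line is there.
ra_disabled_in_log() {
    grep -q "MiOS Remote Control Service is disabled"
}

# Only act on the live system when explicitly asked (run as root on the Vera):
#   sh disable_ra.sh --apply
if [ "${1:-}" = "--apply" ]; then
    echo "RA_DISABLED is now $(set_ra_disabled "$CONF")"
    kill_tunnel
    logread | ra_disabled_in_log && echo "logread confirms: RC tunnels will not start"
fi
```

Killing the ssh process only closes the current tunnel; the config change is what stops the next one from starting, so check both with tunnel_pids and logread after a reboot as well.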
Title: Re: HOWTO: Disable remote access on UI4
Post by: Automated on November 22, 2010, 10:13:32 pm
You will need to edit more than that if you also want to stop the username and password sync with mios.com.
Title: Re: HOWTO: Disable remote access on UI4
Post by: hankjones on November 29, 2010, 10:16:25 am
Did anyone get an answer to this?  I suffer from severe paranoia since every day companies get hacked and thousands of credit cards get stolen.  Makes me think a MiCasaVerde server may get hacked also.  I would like to disable remote access since I have a VPN to my home, but also make iVera work without having to connect to a MiCasaVerde server first when using this over VPN.  Has anyone noticed that a Vera2 box connects to the following servers (this is not a complete list)? What are all these connections for?

66.36.230.215    80/tcp    micasaverde.com
66.36.231.78     232/tcp   fwd1.mios.com
66.36.231.70     unknown   from hopone.net
66.148.72.49     80/tcp    logs.micasaverde.com
67.195.160.76              ir1.fp.vip.ac4.yahoo.com from telia.net
69.147.125.65              ir1.fp.vip.re1.yahoo.com from yahoo.com
71.252.193.25              stan.greyware.com time service
72.14.204.99               iad04s01-in-f99.1e100.net
72.14.204.104              iad04s01-in-f104.1e100.net
72.30.2.43                 ir1.fp.vip.sk1.yahoo.com
72.14.204.104    80/tcp    iad04s01-in-f104.1e100.net
74.125.127.93    80/tcp    pz-in-f93.1e100.net
98.137.149.56    80/tcp    ir1.fp.vip.sp2.yahoo.com
128.2.1.20                 AC-NTP0.NET.CMU.EDU
192.53.103.104             ptbtime2.ptb.de
192.53.103.108             ptbtime1.ptb.de
132.236.56.252             cudns.cit.cornell.edu
209.160.40.134             sta2.mios.com
209.160.40.136             unknown
209.160.29.55              unknown
209.160.40.215   232/tcp   fwd2.mios.com
Title: Re: HOWTO: Disable remote access on UI4
Post by: atlantis94fr on November 29, 2010, 10:22:26 am
Very afraid by all of that... Once again, when will we have an HTTPS portal on VERA in order to have full control of our security!!! Easy to say and easy to do!!! Why is it not obvious for a VERA!!!
Title: Re: HOWTO: Disable remote access on UI4
Post by: mhn on November 29, 2010, 01:18:47 pm
We made a little "hack" on UI2. It might work on UI4 too.

http://zwaves.dk/forum/viewtopic.php?f=22&t=242 (In Danish. Google translate.)

Regards
Morten
Title: Re: HOWTO: Disable remote access on UI4
Post by: allensawyer23 on December 03, 2010, 02:23:59 am
I wish you could provide a demo for beginners :(
Title: Re: HOWTO: Disable remote access on UI4
Post by: BrianAz on January 07, 2011, 05:58:44 pm
I did this, but then it seemed that my iVera app wasn't able to connect to my Vera 2 after I connected my iPhone to the VPN. I read somewhere about iPhone's not being able to map names to addresses when you're connecting to vpn. Not sure how this'll work yet. Probably need to ask iVera author some questions.
Title: Re: HOWTO: Disable remote access on UI4
Post by: mhn on January 07, 2011, 06:41:03 pm
I don't know Iphones.

But it might be a certificate thing. The certificate is self-signed, some devices don't like that.

Did your phone accept the certificate?
Title: Re: HOWTO: Disable remote access on UI4
Post by: BrianAz on January 07, 2011, 09:01:31 pm
I don't know Iphones.

But it might be a certificate thing. The certificate is self-signed, some devices don't like that.

Did your phone accept the certificate?

Sorry - meant that I tried the OP's instructions.
Title: Re: HOWTO: Disable remote access on UI4
Post by: futzle on January 08, 2011, 05:38:01 am
after I connected my iPhone to the VPN. I read somewhere about iPhone's not being able to map names to addresses when you're connecting to vpn.

It depends on your VPN technology.  If it's an iPhone then you are probably using IPsec/L2TP.  It's common that server implementations of IPsec/L2TP don't route multicast packets from the LAN to the VPN, so your iPhone can't auto-detect the Vera over Zeroconf/Bonjour.  I've got a similar issue with VPNing home and not being able to see my EyeTV instance automatically.

If your Vera is at a fixed IP address on your home network then you might be able to convince iVera to talk straight to the IP address.  (I don't use iVera, but I know SQ Remote has this option.)

I'm guessing that disabling the Vera HTTP tunnel makes findvera or whatever it's called now not able to determine the LAN address of Vera, so iVera can't learn the address that it starts sending UPnP requests to in order to speak to Vera.  Or something like that.
Title: Re: HOWTO: Disable remote access on UI4
Post by: BrianAz on January 21, 2011, 08:01:39 pm
I'm using DD-WRT w/ PPTP for VPN. The iVera author said that it goes direct to the Vera's IP if it's known... but it seems that he may also be making a call out to a website which is not resolving and hanging up the connection to the Vera. I owe him some testing when I get the time. He gave me a url to test on my iPhone while my VPN is connected and then while it's not.
Title: [How To] Disable remote access on UI4
Post by: Henk on June 13, 2011, 01:07:59 pm
This will go on my to do list for How To's
Maybe i can elaborate on it using the standard cp.mios.com functions a little bit.
Title: Re: [How To] Disable remote access on UI4
Post by: hightop32 on June 22, 2011, 11:42:26 am
Maybe i can elaborate on it using the standard cp.mios.com functions a little bit.

maybe we can see this as a feature in the UI.   ::)
Title: Re: [How To] Disable remote access on UI4
Post by: Henk on June 22, 2011, 12:22:36 pm
Maybe i can elaborate on it using the standard cp.mios.com functions a little bit.

maybe we can see this as a feature in the UI.   ::)

Rumour has it that in the next UI the layout for local and remote (cp.mios.com) will be the same...
Title: Re: HOWTO: Disable remote access on UI4
Post by: futzle on June 26, 2011, 03:12:22 am
A warning... my disabled tunnel spontaneously decided to re-enable itself some time in the last few months.  I am going to have to put in a periodic check to prevent remote access re-enabling itself.  Nice.
Title: Re: HOWTO: Disable remote access on UI4
Post by: Henk on June 26, 2011, 03:36:55 am
@futzle,

As a reference, i saw @cj making this comment here:
http://forum.micasaverde.com/index.php?topic=6894.msg43923#msg43923
3.The UI2 users concept was confusing for some users: you had a findvera.com account, you had local users and you had notifications users, in UI4 we tried to merge all of those together, and in order to synchronize the changes made on the server on the unit we need to have this tunnel opened.
You can easily disable the tunnel (http://LOCAL_VERA_IP/cgi-bin/cmh/remove_ra.sh), but all the changes made on the server will be synchronized once at 24 hours only to your unit.


A warning... my disabled tunnel spontaneously decided to re-enable itself some time in the last few months.  I am going to have to put in a periodic check to prevent remote access re-enabling itself.  Nice.
Title: Re: HOWTO: Disable remote access on UI4
Post by: lolodomo on August 01, 2013, 09:37:48 am
In UI5 v1.5.622, there is a bug in the script "remove_ra.sh". The ssh process is not killed and that's the reason why the tunnel is not immediately closed. At the end of this script, this command "/etc/init.d/cmh-ra stop" should be called. It kills the ssh process + another process called "cmh-ra-daemon.sh".
After that, it seems that the tunnel is really closed without requiring a reboot of the Vera.


In the same directory, there is another file named "cmh_ra.sh". This one allows you to enable the tunnel, but the environment variables FORM_user and FORM_pass have to be defined first.
Title: Re: HOWTO: Disable remote access on UI4
Post by: lolodomo on August 01, 2013, 10:19:13 am
A warning... my disabled tunnel spontaneously decided to re-enable itself some time in the last few months.  I am going to have to put in a periodic check to prevent remote access re-enabling itself.  Nice.

That's because with your method you are not detaching your Vera from your MiOS account. As you can see in the scripts cmh_ra.sh and remove_ra.sh, there is a specific call made to the Micasaverde servers to add or remove an access point (your Vera).
Title: Re: HOWTO: Disable remote access on UI4
Post by: lolodomo on August 01, 2013, 10:27:19 am
In the same directory, there is another file named "cmh_ra.sh". This one allows you to enable the tunnel, but the environment variables FORM_user and FORM_pass have to be defined first.

An easy way to re-enable the tunnel is to connect from your local network to cp.mios.com with your account and then add your Vera to your account again. The tunnel is immediately re-opened. But this method requires a human action.
Title: Re: HOWTO: Disable remote access on UI4
Post by: lolodomo on August 04, 2013, 02:43:49 pm
http://wiki.micasaverde.com/index.php/UI_Notes

Quote
Each Vera, when it boots up, reports its internal IP address to the central mios.com server, which tracks this along with the external IP address. locator.php shows all serial numbers and internal network IP addresses on the same external IP.

So even with the SSH tunnel to the MCV servers broken, this information is sent to the MCV servers, and I don't know if this is done with some kind of security or not.
For users looking for a real break with the MCV servers, any idea how to stop that?
Title: Re: HOWTO: Disable remote access on UI4
Post by: guessed on August 04, 2013, 10:41:12 pm
Also, if you happen to have a support tunnel open, you'll need to disable that also.

If the following file exists:
    /etc/cmh/ra_password

change it to another name like:
    /etc/cmh/ra_password.orig

and then kill off the "other" ssh Tunnel that would look like:
Code:
ssh -y -T -p 232 -i /etc/cmh/ra_key -R xxxxx:127.0.0.1:80 -R yyyyy:127.0.0.1:23 -R zzzzz:127.0.0.1:22 remoteassistance@ts2.
Removing the /etc/cmh/ra_password file ensures that /usr/bin/SetupRemoteAccess.sh won't run, since it will startup independently of the other RA Enablement settings.
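Two helpers for the support-tunnel step just described, added here as an example and not code from guessed's post or from MiOS. The first pulls the local ports out of the -R forwards of an ssh command line as it appears in ps output (the tunnel above exposes 80, 23 and 22, i.e. the web UI, telnet and ssh, to the remote end); the second does the ra_password rename. The path defaults and the --apply switch are assumptions for the example; the functions take the path as an argument so they can be tried on a scratch file.

```shell
#!/bin/sh
# Added example, not from the post or from MiOS: inspect and disable the
# MiOS support ("remoteassistance") tunnel. Paths are the ones the post
# names and can be overridden for a dry run.

# Print the local port of every "-R" forward in an ssh command line, one
# per line. "-R xxxxx:127.0.0.1:80" means remote port xxxxx reaches local
# port 80, so the list is exactly what the far end of the tunnel can touch.
tunnel_local_ports() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        prev == "-R" { n = split($0, a, ":"); print a[n] }
        { prev = $0 }
    '
}

# Rename ra_password so SetupRemoteAccess.sh has nothing to start from.
# Prints what it did so the caller can check the outcome.
disable_support_tunnel() {
    pw="${1:-/etc/cmh/ra_password}"
    if [ -f "$pw" ]; then
        mv "$pw" "$pw.orig"
        echo "renamed $pw"
    else
        echo "no $pw, nothing to do"
    fi
}

# Kill the running support tunnel. The key path /etc/cmh/ra_key is what
# tells it apart from the cmh-ra tunnel, which uses a different key file.
# Plain "ps" shows every process on BusyBox; on a desktop use "ps ax".
kill_support_tunnel() {
    pids=$(ps | grep '/etc/cmh/ra_key' | grep -v grep | awk '{ print $1 }')
    [ -n "$pids" ] && kill $pids
    sleep 1
    ps | grep '/etc/cmh/ra_key' | grep -v grep | while read -r line; do
        printf 'still exposing local ports: %s\n' \
            "$(tunnel_local_ports "$line" | tr '\n' ' ')"
    done
}

# Only touch the live system when asked (run as root on the Vera):
#   sh disable_support_tunnel.sh --apply
if [ "${1:-}" = "--apply" ]; then
    disable_support_tunnel /etc/cmh/ra_password
    kill_support_tunnel
fi
```

The port listing is worth running on any ssh process you find on the box, not just this one: a tunnel that forwards local 22 and 23 as well as 80 gives the remote end a shell, not only the web UI.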
Title: Re: HOWTO: Disable remote access on UI4
Post by: lolodomo on August 05, 2013, 03:23:25 am
Also, if you happen to have a support tunnel open, you'll need to disable that also.

This is probably only if you have enabled the remote assistance. I don't have the ra_password file on my system.
Title: Re: HOWTO: Disable remote access on UI4
Post by: lolodomo on August 05, 2013, 03:26:41 am
So even with the SSH tunnel to the MCV servers broken, this information is sent to the MCV servers, and I don't know if this is done with some kind of security or not.
For users looking for a real break with the MCV servers, any idea how to stop that?

My feeling is that all this stuff is done by the file /etc/init.d/provision_vera.sh.
But I am not sure because I don't find the log file that should have been created if the file has been run...

By the way, I understand that this information can be retrieved only if you are already in your local network. And is it really critical?
Title: Re: HOWTO: Disable remote access on UI4
Post by: lolodomo on August 05, 2013, 05:51:17 am
By the way, I understand that this information can be retrieved only if you are already in your local network. And is it really critical?

This data is now stored on the MCV servers and we could just disable a refresh. I am not sure if there is a way to delete it from the MCV servers.

One of the advantages of this data being stored on the MCV servers is that it gives us an easy way to re-enable the connection to the MCV servers (the tunnel) and an easy way for third-party applications to find the local IP of the Vera.
It would just be interesting to know exactly what data is stored, but there may be nothing really critical (your public IP, the local IP of the Vera, the Vera serial number, ...)
Title: Re: HOWTO: Disable remote access on UI4
Post by: randomname on January 02, 2014, 08:20:37 am
A warning... my disabled tunnel spontaneously decided to re-enable itself some time in the last few months.  I am going to have to put in a periodic check to prevent remote access re-enabling itself.  Nice.

I see the same happening after each reboot. Damn tunnel keeps opening.

Does anybody have a fix for this?
Title: Re: HOWTO: Disable remote access on UI4
Post by: guessed on February 21, 2014, 07:30:15 pm
So I've had remote access disabled for 1/2 yr now.  I recently started collecting stats using SysMon, and even more recently put them into graphs to work out some inconsistent execution stuff going on.

Note the odd pattern, and in a wider graph, it's very consistently occurring at the same time(s)

After a bit of poking, it seems that Vera's internal maintenance scripts will kick in every 60 minutes and perform a force-reload.  This appears to only occur when you have remote-access disabled (lovely), and appears to be due to lines in:

Code:
/usr/bin/mios-services.sh
specifically, lines 143-150 (1.5.622), where it's checking the contents of the local users file:
Code:
/etc/cmh/users.conf
and, if it's empty (which it will be on a decoupled system), it attempts to load it from the servers.

The other clue that this is going on is the following lines in the logread output:
Code:
Feb 21 13:23:49 MiOS_300xxxxx user.notice mios_services[407]: Sync MiOS Users required
Feb 21 13:23:49 MiOS_300xxxxx user.notice mios-sync_users[438]: BEGIN
Feb 21 13:23:49 MiOS_300xxxxx user.notice mios-sync_users[438]: Returning working server for MAIN=sta2.mios.com BCK=sta1.mios.com LAST=sta2.mios.com UseBCK(USE_ST_SRV_BCK=0) with do_report=0
Feb 21 13:23:49 MiOS_300xxxxx user.notice mios-sync_users[438]: Testing connection to: sta2.mios.com on Port: 443
Feb 21 13:23:49 MiOS_300xxxxx user.notice mios-sync_users[438]: 1 got response from sta2.mios.com
Feb 21 13:23:49 MiOS_300xxxxx user.notice mios-sync_users[438]: TestSeq=1 - Connection to: sta2.mios.com is 1
Feb 21 13:23:50 MiOS_300xxxxx user.notice mios-sync_users[438]: sta2.mios.com Reached. Proceeding...
Feb 21 13:23:50 MiOS_300xxxxx user.notice mios-sync_users[438]: MAIN Working
Feb 21 13:23:50 MiOS_300xxxxx user.notice mios-sync_users[438]: Clearing all MiOS users
Feb 21 13:23:50 MiOS_300xxxxx user.notice mios-sync_users[438]: ===AddMiosUsers: ===
Feb 21 13:23:50 MiOS_300xxxxx user.notice mios-sync_users[438]: === Request LuaUPnP Reload ===
Feb 21 13:23:51 MiOS_300xxxxx user.notice mios-sync_users[438]: END

They'll occur every 60 minutes after the last restart of the LuaUPnP process...  along with a corresponding set of LuaUPnP log lines for a "url-requested" Reload operation:
Code:
12 02/21/14 11:23:44.235 luvd_get_info_data_request starting /data_request?id=lu_reload pMem 0x1c18000/29458432 diff: 17477632 <0x2f7fe680>
10 02/21/14 11:23:44.235 JobHandler_LuaUPnP::HandleRequest id lu_reload request pMem 0x1c18000/29458432 diff: 17477632 <0x2f7fe680>
03 02/21/14 11:23:44.236 JobHandler_LuaUPnP::Reload: reload Critical 1 m_bCriticalOnly 0 dirty data 1 <0x2f7fe680>
10 02/21/14 11:23:44.475 JobHandler_LuaUPnP::Reload started watchdog thread <0x2f7fe680>
10 02/21/14 11:23:44.475 JobHandler_LuaUPnP::m_bQuit_set now 1 for 0xb6bc90 JobHandler_LuaUPnP::Reload <0x2f7fe680>
10 02/21/14 11:23:44.476 ThreadedClass::m_bQuit_set now 1 for 0xb6bc90 JobHandler_LuaUPnP::Reload <0x2f7fe680>

of course, those show up in a lot places.  Bug report 3952 (http://bugs.micasaverde.com/view.php?id=3952) filed for the issue.

I will post the work-around once I've worked out a reasonable hack to avoid this problem.

@futzle: I posted here so we can keep all the information about "separating" Vera from the hosted service together.   Let me know if you'd prefer that I separate this post out.
Title: Re: HOWTO: Disable remote access on UI4
Post by: Video321 on March 18, 2014, 08:25:27 am
Is there any update to this?

I have the same exact output in my logread with remote access disabled.

I've been dealing with once/hour reboots for a VERY long time - too many other things in life were getting priority over this!
I would crash with LuaUPnP exit code 245, which was not bringing up anything pertaining to me during forum searches at the time that I noticed the error.

I really don't want remote access, but if I must enable it I'll have to isolate Vera in a secured VLAN.

Thanks for your support with this!
Title: Re: HOWTO: Disable remote access on UI4
Post by: guessed on March 18, 2014, 11:21:54 am
Is there any update to this?
The file just needs to be non-zero in length, and it'll stop.  I put a single "#" character into my /etc/cmh/users.conf file and the reloads stopped.
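A check for the hourly cycle guessed traced, plus his work-around, added here as an example and not code from the thread or from MiOS. The detector reads logread output on stdin and counts "Sync MiOS Users required" lines from mios_services that were followed by a reload request from mios-sync_users, which is the pattern in the logread excerpt above; the fixer seeds users.conf with a single "#" line only if the file is empty. The script name check_sync.sh and its --count/--fix switches are invented for the example, and the users.conf path is passed in so the fixer can be tried on a scratch file.

```shell
#!/bin/sh
# Added example, not from guessed's post or from MiOS: detect the hourly
# user-sync reload cycle and apply the non-empty users.conf work-around.

# Count user-sync cycles that ended in a LuaUPnP reload. A cycle is a
# "Sync MiOS Users required" line from mios_services followed by the
# "=== Request LuaUPnP Reload ===" line from mios-sync_users; a reload
# request with no preceding sync line is not counted. Reads stdin, prints
# the count.
count_user_sync_reloads() {
    awk '
        /mios_services\[[0-9]+\]: Sync MiOS Users required/ { pending = 1 }
        /mios-sync_users\[[0-9]+\]: === Request LuaUPnP Reload ===/ && pending { n++; pending = 0 }
        END { print n + 0 }
    '
}

# Work-around from the post: mios-services.sh only tries to pull users from
# the server when users.conf is empty, so one "#" line is enough to stop it.
# Prints what it did so the caller can check the outcome.
ensure_users_conf_nonempty() {
    f="$1"
    if [ -s "$f" ]; then
        echo "already non-empty"
    else
        printf '#\n' > "$f"
        echo "seeded"
    fi
}

# Usage on the Vera (as root):
#   logread | sh check_sync.sh --count   -> how many reload cycles the log holds
#   sh check_sync.sh --fix               -> seed /etc/cmh/users.conf if empty
case "${1:-}" in
    --count) count_user_sync_reloads ;;
    --fix)   ensure_users_conf_nonempty /etc/cmh/users.conf ;;
esac
```

Run the count before and an hour or two after the fix: the number should stop growing once users.conf is non-empty, and logread should no longer show the mios-sync_users BEGIN/END pairs at the top of each hour.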
Title: Re: HOWTO: Disable remote access on UI4
Post by: Video321 on March 18, 2014, 04:54:11 pm
Thanks... I applied that fix!

Don't mean to clutter up this thread, but when I issue the "logread" command, what is the name and location of the file it pulls from?
Title: Re: HOWTO: Disable remote access on UI4
Post by: futzle on March 18, 2014, 04:58:13 pm
when I issue the "logread" command, what is the name and location of the file it pulls from?

On OpenWrt the log isn't in a file.  It's a memory buffer that the syslog facility has write access to.  Here's the OpenWrt Wiki page (http://wiki.openwrt.org/doc/howto/log.essentials).
Title: Re: HOWTO: Disable remote access on UI4
Post by: johnes on October 07, 2014, 02:48:56 pm
So if you disable access to your local vera unit to MCV servers, does that mean that you can't use the Android app then to connect, even if you know your public IP address?
Title: Re: HOWTO: Disable remote access on UI4
Post by: futzle on October 07, 2014, 06:46:20 pm

So if you disable access to your local vera unit to MCV servers, does that mean that you can't use the Android app then to connect, even if you know your public IP address?

That's right. Not that remote access apps could usefully use the knowledge of your public IP address anyway.

(In case you were thinking it: do NOT forward ports at your router to expose Vera at your public IP address. Vera has no authentication so you would be allowing anyone in the world to control your Vera.)
Title: Re: HOWTO: Disable remote access on UI4
Post by: johnes on October 07, 2014, 11:19:45 pm
I'd love to know how the information gets transmitted back and forth between the local vera, MCV, and the phone. 

Thanks for that tip, by the way... but my home IP requires a username/password... are you suggesting that that's not enough (honest question)

But If I had a VPN connection to my home, I would be able to use that local IP address.  Would AutHomationHD support that scenario?
Title: Re: HOWTO: Disable remote access on UI4
Post by: futzle on October 08, 2014, 12:35:57 am
In short, both your Vera and your phone make outgoing connections to Micasaverde's remote access server. The Vera does it through an SSH tunnel, which you can see if you log into your Vera's command line and run the ps command. Your phone makes an HTTPS connection to the same server, supplying a username and password. The remote access server authenticates the phone and connects it to the Vera SSH tunnel. This is similar in principle to a lot of other remote access products that companies sell for you to, say, view your computer's desktop on your phone.

The VPN approach is great. I've used it with HomeWave. I bet there's a way to make it work with AutHomation too.

Unless you've specifically added username+password authentication to incoming connections at your router, port forwarding will just let anything through. In practice, authentication wrapped around port forwarding is rare because it usually interferes with the underlying protocol (HTTP in this case) and renders it inoperative. You might be able to salvage a bit of security by using IP filtering rules or port knocking, but if you are going to go to that effort then you may as well just set up a VPN.

Other topics in this same subforum go into this stuff at length, so if you want more detail have a poke around and read what's already been said. Anything 3 years old or newer is still relevant.
Title: Re: HOWTO: Disable remote access on UI4
Post by: crackers8199 on October 13, 2014, 08:06:26 pm
authomation works over vpn, i just set it up that way.  configure authomation to only use local access, turn off auto-switching, and make sure you're connected to the vpn before opening the app...works just fine.

just so i make sure after reading this that i've disabled remote access correctly...i went through the following steps:

- ssh into veralite as root
- change RA_DISABLED to 1 in /etc/cmh-ra/cmh-ra.conf
- killed the SSH process
- edit /etc/cmh/users.conf to be a single # character

that should be all i need to do, right?
Title: Re: HOWTO: Disable remote access on UI4
Post by: futzle on May 27, 2015, 07:50:14 am
Thanks to algetnkjba for updating the steps needed to disable the remote tunnel in UI7.  See this topic (http://forum.micasaverde.com/index.php/topic,32319.msg235232.html#msg235232) for the details.