Turn off remote access after time passes

Hello everyone,

I use genie to enable/disable access to our routers, but we have to enable it before and disable it afterwards, which can cause problems if techs forget to disable it. So I would like to know how I would go about doing so; I tried changing the inform script to do so with the following two commands:

declare("InternetGatewayDevice.X_TRUE-COM_Security.ACLService.2.HTTP", {value: daily}, {value: false});
declare("Device.ManagementServer.X_TRUE-COM_Security.ACLService.2.HTTP", {value: daily}, {value: false});

But it seemed that every time I would commit the true signal to the router, the ACS would immediately update it to false, which seems to be the inform script doing so.

Any help is appreciated, thanks.

The best solution would be an external script, which disables it automatically. The script also should enable it, so it can keep track of the devices.

Another approach would be to use tags to enable the access, and then something like a cron job that disables the access at specific times, e.g. at 18:00 or 12:00. This would be possible completely within GenieACS.

My solution for that problem is that every device has a random password by default and our service technician must add a second user for remote access with a secure and unique password. Then it doesn't matter if the access is open for a day or two.

Edit: adding IP whitelists to the devices would also decrease risks.

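The "external script that disables it automatically" from the reply above, written out as an added example (this is not code from the thread or from the GenieACS project). It is a Node.js job meant for cron that asks the GenieACS NBI for every CPE still tagged HTTPS_open, pushes a task that sets the remote-access parameter to false with a connection request so the change lands immediately instead of at the next periodic inform, and then removes the tags so a provision cannot reopen the port. Assumptions: the NBI listens at http://127.0.0.1:7557 (override with the NBI environment variable), the vendor parameter path is the one quoted in the opening post, the tag names HTTPS_open and HTTPS_open_provisioned are the ones used later in this thread, and Node 18 or newer supplies a global fetch. The NBI routes used (/devices/ with a query, /devices/<id>/tasks, /devices/<id>/tags/<tag>) are taken from the GenieACS NBI as I know it; verify them against your installed version.

```javascript
// Added example (not from the thread or GenieACS itself): cron job that closes
// remote HTTP access on every CPE still carrying the HTTPS_open tag via the NBI.
// Run as:  node close-remote-access.js run     (e.g. "0 18 * * 1-5" in crontab)

const NBI = process.env.NBI || 'http://127.0.0.1:7557';   // assumption: default NBI port
const OPEN_TAG = 'HTTPS_open';                              // tag names from the thread
const PROVISIONED_TAG = 'HTTPS_open_provisioned';
// Vendor-specific parameter from the opening post; change for your CPE model.
const REMOTE_HTTP = 'InternetGatewayDevice.X_TRUE-COM_Security.ACLService.2.HTTP';

// NBI device query: every device that still has the open tag.
function openDevicesQuery() {
  return JSON.stringify({_tags: OPEN_TAG});
}

// setParameterValues task that switches the remote-access parameter off.
function closeTask() {
  return {
    name: 'setParameterValues',
    parameterValues: [[REMOTE_HTTP, false, 'xsd:boolean']],
  };
}

// Device ids can contain characters that must be percent-encoded in a URL.
function deviceTasksUrl(id) {
  return `${NBI}/devices/${encodeURIComponent(id)}/tasks?timeout=3000&connection_request`;
}

function deviceTagUrl(id, tag) {
  return `${NBI}/devices/${encodeURIComponent(id)}/tags/${encodeURIComponent(tag)}`;
}

async function listOpenDevices() {
  const url = `${NBI}/devices/?query=${encodeURIComponent(openDevicesQuery())}&projection=_id`;
  const res = await fetch(url);
  if (!res.ok) throw new Error(`NBI query failed: HTTP ${res.status}`);
  return (await res.json()).map((d) => d._id);
}

async function closeDevice(id) {
  // connection_request makes the ACS poke the CPE now; 200 = applied, 202 = queued
  // (CPE unreachable, task will run at its next inform). Both count as ok here.
  const res = await fetch(deviceTasksUrl(id), {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify(closeTask()),
  });
  if (!res.ok) throw new Error(`close task for ${id} failed: HTTP ${res.status}`);
  // Drop both tags so the "button" is back in its released state.
  for (const tag of [OPEN_TAG, PROVISIONED_TAG]) {
    await fetch(deviceTagUrl(id, tag), {method: 'DELETE'});
  }
  console.log(`closed remote access on ${id} (HTTP ${res.status})`);
}

async function main() {
  for (const id of await listOpenDevices()) {
    // One failing CPE must not stop the sweep over the others.
    try { await closeDevice(id); } catch (e) { console.error(e.message); }
  }
}

// Only contact the ACS when explicitly asked to, so the module can be imported/tested.
if (typeof process !== 'undefined' && process.argv[2] === 'run') main();
```

A 202 from the tasks endpoint means the CPE could not be reached by connection request; the task stays queued and runs at the next inform, which is the same delay the provision-only approach has. The tags are removed regardless, so the device no longer shows as open in the ACS even though the port is still open until then; log the 202s if that distinction matters to you.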

Ok so is it possible for me to have a tag on every device, say “Closed”, and as soon as I clear that tag, a new tag is set “Open” along with enabling the HTTP Remote Access? And then every hour say all devices will get automatically “Closed”.

I’ve been looking around and came across Example of a Provisioning Flow · genieacs/genieacs Wiki · GitHub, which shows the external script interacting with a provision script. How often do the provision scripts run, and is it controllable? Am I on the right path here with this provisioning flow script with external? I’m hoping I can edit that enough to create/delete the tags based on time of day.

I would create a tag, something like HTTPS_open. Then create a provision that has this tag as its condition, which opens the port and adds a second tag, e.g. HTTPS_open_provisioned.

Then add a provision that only runs outside office hours, triggered by HTTPS_open and HTTPS_open_provisioned, which removes the open port and also removes the tags. It will take at least one inform interval to remove the open port. This will only work if these devices have an inform interval that is shorter than the out-of-office hours.

Or create a script that searches for these tags and removes them along with the open port.
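The two-provision flow described in the reply above, collapsed into one GenieACS provision script as an added example (not code from the thread or from the GenieACS project). The tag HTTPS_open acts as the button: when a device informs with the tag set and no HTTPS_open_provisioned tag, the script opens remote HTTP access and adds the provisioned tag; when it informs outside office hours, or with the open tag cleared by hand, it closes access and removes both tags. The decision is kept in a pure function so it can be unit-tested outside the ACS. Assumptions: the vendor parameter path quoted in the opening post, the tag names from the reply, office hours of 08:00 to 18:00 in the ACS server's local time, and a preset that runs this provision on every inform for every device (the tag checks inside the script do the filtering).

```javascript
// Added example (not from the thread or GenieACS itself): provision script that
// treats the HTTPS_open tag as a button and closes remote access again
// automatically when a device informs outside office hours.

// Vendor-specific parameter from the opening post; change for your CPE model.
const REMOTE_HTTP = 'InternetGatewayDevice.X_TRUE-COM_Security.ACLService.2.HTTP';
const OPEN_TAG = 'HTTPS_open';                 // tag names from the reply
const PROVISIONED_TAG = 'HTTPS_open_provisioned';
const OFFICE_START_HOUR = 8;                   // assumption: 08:00 inclusive ...
const OFFICE_END_HOUR = 18;                    // ... to 18:00 exclusive, server-local time

// Pure decision logic: tags = {open, provisioned} booleans, hour = 0..23.
// Returns 'open', 'close' or 'noop'. No GenieACS calls, so it runs under plain Node.
function decide(tags, hour) {
  const inOffice = hour >= OFFICE_START_HOUR && hour < OFFICE_END_HOUR;
  if (tags.open && !inOffice) return 'close';         // forgotten (or late) open port
  if (tags.open && !tags.provisioned) return 'open';  // button pressed, not yet applied
  if (!tags.open && tags.provisioned) return 'close'; // button released by hand
  return 'noop';                                      // steady state
}

// Everything below only runs inside GenieACS, where declare() and log() are globals.
function hasTag(name) {
  // Tags are exposed as boolean parameters "Tags.<name>"; absent tags read falsy.
  const v = declare('Tags.' + name, {value: 1}).value;
  return Boolean(v && v[0]);
}

function setTag(name, present) {
  declare('Tags.' + name, null, {value: present});
}

function run() {
  const now = Date.now();
  const tags = {open: hasTag(OPEN_TAG), provisioned: hasTag(PROVISIONED_TAG)};
  const action = decide(tags, new Date(now).getHours());
  log('remote access', {action: action, tags: tags});

  if (action === 'open') {
    // Refresh the current value (timestamp "now") before asserting the new one,
    // so GenieACS only sends a SetParameterValues when the CPE really differs.
    declare(REMOTE_HTTP, {value: now}, {value: true});
    setTag(PROVISIONED_TAG, true);
  } else if (action === 'close') {
    declare(REMOTE_HTTP, {value: now}, {value: false});
    setTag(OPEN_TAG, false);
    setTag(PROVISIONED_TAG, false);
  }
}

if (typeof declare === 'function') run();
```

Two consequences of this design worth knowing before deploying it: the port is only closed when the device next informs, so, exactly as the reply says, the periodic inform interval has to be shorter than the window you want to enforce (or pair the script with a connection request from outside); and a tag added after OFFICE_END_HOUR is closed on the very next inform, which is deliberate here but means after-hours work needs an explicit exception rather than a reliance on the tag.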

I have a similar setup, but I do not have periodic inform enabled anymore. What we do is retrieve the specific ConnectionRequestURL for a particular CPE from the ACS and use it in a bash script to force the connection request on the CPE using curl or wget.

So I ended up following what Jonas said for the most part. I have an Open and a Closed tag, and when you delete Open or Closed and then summon the router, it will open or close the port, treating the Open and Closed tags like a button. Depending on what you do, it will also set an Open_Provisioned or Closed_Provisioned tag to show the current state.

Does the remote access on your CPE support ACLs? We use ACLs with our CPEs and leave the remote access always enabled.

Here is my ACL provision script, which handles SmartRG, Comtrend, Zyxel device model v2 and generic Broadcom-based CPEs.

log('ACLs');
const now = Date.now();

let model = declare('VirtualParameters.Model', {value: 1}).value[0];

log('ACLs - Model', {model: model});

createAcls();
declare('Tags.HasACLs', null, {value: true});

return;

function createAcls() {
  /*
   * Clear all existing ACL rules. Because everything is done in one transaction,
   * if there are no actual changes, then nothing will actually be removed by GenieACS
   */

  // Refresh the existing rule objects (value and path timestamps) so the
  // instance declarations below work on current data
  declare('InternetGatewayDevice.X_SMARTRG_COM_MgmtAcl.*', {value: now, path: now});
  declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.*', {value: now, path: now});

  // "[]" with {path: 0} declares that no instances of the object should exist
  declare('InternetGatewayDevice.X_SMARTRG_COM_MgmtAcl.[]', null, {path: 0});
  declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.IPAddressEntry.[]', null, {path: 0});

  declare('InternetGatewayDevice.X_BROADCOM_COM_IPAddrAccCtrl.X_BROADCOM_COM_IPAddrAccCtrlListCfg.[]', null, {path: 0});
  declare('Device.X_ZYXEL_RemoteManagement.TrustDomain.[]', null, {path: 0});

  // Your IP addresses here...
  [
    {ip: '192.168.1.0', maskBits: 24, interface: 'lan', notes: 'Local LAN'},
    {ip: '172.128.0.0', maskBits: 12, interface: 'wan', notes: 'Management network'},
    {ip: '1.2.3.4',     maskBits: 32, interface: 'wan', notes: 'Support Office'},
    {ip: '4.3.2.1',     maskBits: 28, interface: 'wan', notes: 'Some Servers'},
  ].forEach((acl) => {
    log('ACLs - Adding mgmt acl', acl);

    // "[key:value]" with {path: 1} declares exactly one instance matching those keys,
    // so GenieACS creates it only when it is missing

    // SmartRG (CIDR notation)
    declare('InternetGatewayDevice.X_SMARTRG_COM_MgmtAcl.[SrcAddress:' + acl.ip + '/' + acl.maskBits + ']', {path: 1}, {path: 1});

    // Comtrend (dotted netmask plus interface)
    declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.IPAddressEntry.[ipaddr:' + acl.ip +
      ',Subnet:' + createNetmaskAddr(acl.maskBits) + ',Interface:' + acl.interface + ']', {path: 1}, {path: 1});

    // SR555 / generic Broadcom (dotted netmask)
    declare('InternetGatewayDevice.X_BROADCOM_COM_IPAddrAccCtrl.X_BROADCOM_COM_IPAddrAccCtrlListCfg.[SourceIPAddress:' +
      acl.ip + ',SourceNetMask:' + createNetmaskAddr(acl.maskBits) + ']', {path: 1}, {path: 1});

    // Zyxel (prefix length, not a dotted mask)
    declare('Device.X_ZYXEL_RemoteManagement.TrustDomain.[IPAddress:' + acl.ip + ',SubnetMask:' + acl.maskBits + ',Enable:true]', {path: 1}, {path: 1});
  });

  //Enable the ACLs for the SR555ac and the Comtrend
  declare('InternetGatewayDevice.X_BROADCOM_COM_IPAddrAccCtrl.Enable', {path: 1}, {value: true});
  declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.Enable', {path: 1}, {value: true});
}

// Convert a prefix length (0-32) to a dotted-quad netmask, e.g. 24 -> 255.255.255.0
function createNetmaskAddr(bitCount) {
  let mask = [];
  for (let i = 0; i < 4; ++i) {
    let n = Math.min(bitCount, 8);
    mask.push(256 - Math.pow(2, 8 - n));
    bitCount -= n;
  }

  return mask.join('.');
}

Unfortunately they do not have an ACL available, so that’s why I was taking the approach with the enable/disable of the remote access altogether.

In Huawei's case, it is not specifically mentioned as ACL but as “Device Access Control” (just pasted from a router config page).
To verify this: download a copy of a router config as XML, open it with a text editor and search for an ACL entry.

Edit: in our case, we use ACL to limit access to the config page to a specific VLAN used by our ACS, which mostly solves the problem of having the router web config page exposed to the internet.