[Script] Add a warning in WebUI when Remote Access is enabled

Dabombber

Senior Member
Most people are probably like me where they don't check random settings like Remote WebUI Access ever again once they've disabled it. And given that it's possibly been enabled without them knowing (like me >.<), I figured it'd be useful to show a warning for it.

Code:
#!/bin/sh

NOTIFILE="/jffs/www/notification.js"
MAGICNUMBER=20

_quote() {
   printf "%s\n" "$1" | sed 's/[]\/$*.^&[]/\\&/g'
}

str_append() {
   PATTERN="$(_quote "$1")"
   CONTENT="$(_quote "$2")"
   sed -i "s/$PATTERN/&$CONTENT/" "$3"
}

line_append() {
   PATTERN="$(_quote "$1")"
   CONTENT="$(_quote "$2")"
   sed -i -e "/$PATTERN/a\\" -e "$CONTENT" "$3"
}

line_prepend() {
   PATTERN="$(_quote "$1")"
   CONTENT="$(_quote "$2")"
   sed -i -e "/$PATTERN/i\\" -e "$CONTENT" "$3"
}

file_append() {
   printf "%s\n" "$1" >> "$2"
}

# Remove any stale file
TIMESTAMP="$(date -r "/www/notification.css")"
if [ -e "$NOTIFILE" ]; then
   if ! grep -Fq "$TIMESTAMP" "$NOTIFILE"; then
       mount | grep -Fq "/www/notification.js" && umount "/www/notification.js"
       rm "$NOTIFILE"
   else
       # Up to date, nothing to do here
       unset TIMESTAMP
   fi
fi

# Make new file
if [ -n "$TIMESTAMP" ]; then
   mkdir -p "$(dirname "$NOTIFILE")"
   cp "/www/notification.js" "$NOTIFILE"

   # Add WebUI stuff where samba stuff is
   line_append "var enable_samba" "var misc_http_x = '<% nvram_get(\"misc_http_x\"); %>';" "$NOTIFILE"
   line_append "samba: 0," "webuiwan: 0," "$NOTIFILE"
   str_append "notification.ftp ,notification.samba" " ,notification.webuiwan" "$NOTIFILE"
   str_append "&& !notification.samba" " && !notification.webuiwan" "$NOTIFILE"
   line_prepend "st_samba_force_mode == ''" "if(misc_http_x != 0){notification.array[${MAGICNUMBER}] = 'noti_webuiwan'; notification.webuiwan = 1; notification.desc[${MAGICNUMBER}] = 'Your WebUI is currently accessible from the internet. We strongly recommend that you disable [ Enable Web Access from WAN ] to avoid security risk.'; notification.action_desc[${MAGICNUMBER}] = 'Change now'; notification.clickCallBack[${MAGICNUMBER}] = \"location.href = 'Advanced_System_Content.asp';\";}else{notification.webuiwan = 0;}" "$NOTIFILE"
   str_append "|| notification.samba" " || notification.webuiwan" "$NOTIFILE"
   line_append "this.samba = 0;" "this.webuiwan = 0;" "$NOTIFILE"
   file_append "// Source timestamp: $TIMESTAMP" "$NOTIFILE"
fi

# Mount over stock file
if ! mount | grep -Fq "/www/notification.js"; then
   mount -o bind "$NOTIFILE" "/www/notification.js"
fi

It might be necessary to run 'service restart_httpd' after running the script.
If you leave the created file in the jffs directory it should survive a reboot but the bind won't, so you can either link to, or just put the whole thing in jffs/scripts/init-start.
To undo the changes it makes, you can run the command 'umount /www/notification.js', and delete the file/directories it made (/jffs/www/notification.js).
 

Attachments

  • Untitled.png
Most people are probably like me where they don't check random settings like Remote WebUI Access ever again once they've disabled it. And given that it's possibly been enabled without them knowing (like me >.<), I figured it'd be useful to show a warning for it.

Code:
#!/bin/sh

NOTIFILE="/jffs/www/notification.js"
MAGICNUMBER=20

_quote() {
    printf "%s\n" "$1" | sed 's/[]\/$*.^&[]/\\&/g'
}

str_replace() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i "s/$PATTERN/$CONTENT/" "$3"
}

line_prepend() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
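    # Pass the text as a separate -e so the shell expands $CONTENT
    sed -i -e "/$PATTERN/i\\" -e "$CONTENT" "$3"
}

line_append() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    # Pass the text as a separate -e so the shell expands $CONTENT
    sed -i -e "/$PATTERN/a\\" -e "$CONTENT" "$3"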
}

if [ ! -e "$NOTIFILE" ]; then
    mkdir -p "$(dirname "$NOTIFILE")"
    cp "/www/notification.js" "$NOTIFILE"

    # Add WebUI stuff where samba stuff is
    line_append "var enable_samba" "var misc_http_x = '<% nvram_get(\"misc_http_x\"); %>';" "$NOTIFILE"
    line_append "samba: 0," "webuiwan: 0," "$NOTIFILE"
    str_replace "notification.ftp ,notification.samba" "notification.ftp ,notification.samba ,notification.webuiwan" "$NOTIFILE"
    str_replace "&& !notification.samba" "&& !notification.samba && !notification.webuiwan" "$NOTIFILE"
    line_prepend "st_samba_force_mode == ''" "if(misc_http_x != 0){notification.array[${MAGICNUMBER}] = 'noti_webuiwan'; notification.webuiwan = 1; notification.desc[${MAGICNUMBER}] = 'Your WebUI is currently accessible from the internet. We strongly recommend that you disable [ Enable Web Access from WAN ] to avoid security risk.'; notification.action_desc[${MAGICNUMBER}] = 'Change now'; notification.clickCallBack[${MAGICNUMBER}] = \"location.href = 'Advanced_System_Content.asp';\";}else{notification.webuiwan = 0;}" "$NOTIFILE"
    str_replace "|| notification.samba" "|| notification.samba || notification.webuiwan" "$NOTIFILE"
    line_append "this.samba = 0;" "this.webuiwan = 0;" "$NOTIFILE"
fi
if [ -z "$(mount | grep /www/notification.js)" ]; then
    mount -o bind "$NOTIFILE" "/www/notification.js"
fi

It might be necessary to run 'service restart_httpd' after running the script.
If you leave the created file in the jffs directory it should survive a reboot but the bind won't, so you can either link to, or just put the whole thing in jffs/scripts/init-start.
To undo the changes it makes, you can run the command 'umount /www/notification.js', and delete the file/directories it made.


Has this script been fully tested? Can you provide a couple of screenshots for us of what to expect?

This might be a great addition to the amtm script by thelonelycoder? :)
 
There's an attached screenshot showing the warning when access to the WebUI through WAN is enabled (and also that I need to update my firmware). As for testing that's what it's here for ;). I just followed Asus' implementation so it should be fine as long as the magic number isn't being used in some other models, and if so it can just be changed.
 
fwiw, Skynet includes this functionality by default disabling WAN access to the GUI/SSH. Although not as flashy with the alerts, it posts to the syslog instead.
 
“..includes this functionality by default”; so this is in addition to Secure Mode and functions even if Secure Mode is off? Or perhaps it’s part of Secure Mode and that’s on by default, which would make more sense?
 
Yes this feature is part of secure mode which is enabled by default, which will actively prevent insecure settings from being enabled. Not to take away from the OP whose implementation looks aesthetically pleasing.
 
As Skynet evolves, who knows what aesthetic pleasures await?

By the way, was secure mode always on by default, or had the user to enable it when it was first introduced? (I thought I had to enable it originally, but my memory is dodgy.)
 
Looks like a firmware update changes the dictionary references and breaks things horribly. I've updated the script to add the last modification date to the end of the js file as a comment, and replace it if it doesn't match the stock version.
 
Just realised that if the js file is already mounted then the timestamp of the modified file will be used rather than the original, resulting in the file being pointlessly recreated. Switched to using the css file timestamp instead (should be the same or ~1s off). Possibly a pointless change since it'll always be unmounted when init-start is run but a bug is a bug. If you also modify the css file for some reason you should pick another file from the www directory.

Code:
TIMESTAMP="$(date -r "/www/notification.js")"
to
Code:
TIMESTAMP="$(date -r "/www/notification.css")"
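
The thread notes that a firmware update can change the stock file and break the patch; when a sed pattern no longer matches, sed still exits successfully and leaves the copy unedited. The check below is an added example, not part of the original posts, that confirms every edit landed before the copy is bind-mounted. The function names verify_patch and write_sample_patched are hypothetical, and the sample file is a constructed stand-in, not real firmware content.

```shell
#!/bin/sh
# Added example (not from the thread): verify the patched copy before mounting.

# Return 0 if every edit is present, 1 if any is missing, 2 if unreadable.
verify_patch() {
    file="$1"
    missing=0
    [ -r "$file" ] || return 2
    # One fixed-string marker per edit made by the script in the first post.
    while IFS= read -r marker; do
        if ! grep -Fq -- "$marker" "$file"; then
            printf 'missing edit: %s\n' "$marker" >&2
            missing=$((missing + 1))
        fi
    done <<'EOF'
var misc_http_x =
webuiwan: 0,
notification.samba ,notification.webuiwan
&& !notification.samba && !notification.webuiwan
= 'noti_webuiwan';
|| notification.samba || notification.webuiwan
this.webuiwan = 0;
EOF
    [ "$missing" -eq 0 ]
}

# Constructed stand-in for a correctly patched file (assumption: simplified,
# only the lines the markers look for).
write_sample_patched() {
    cat > "$1" <<'EOF'
var enable_samba = '1';
var misc_http_x = '<% nvram_get("misc_http_x"); %>';
samba: 0,
webuiwan: 0,
if(notification.ftp ,notification.samba ,notification.webuiwan){}
if(!notification.ftp && !notification.samba && !notification.webuiwan){}
if(misc_http_x != 0){notification.array[20] = 'noti_webuiwan'; notification.webuiwan = 1;}
if(notification.ftp || notification.samba || notification.webuiwan){}
this.samba = 0;
this.webuiwan = 0;
EOF
}
```

In the script from the first post, 'verify_patch "$NOTIFILE"' would run just before the 'mount -o bind' line, with the mount skipped on a non-zero status so a half-patched file never replaces the stock one.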
 
