optools/net/devices/actiontec/README

122 lines
5.7 KiB
Plaintext
Raw Permalink Normal View History

This has been confirmed to work for, at the very least, my own Verizon Fi-OS
Actiontec MI424WR-GEN3I on firmware 40.21.24. It might work on other models as
well, but this hasn't been tested.
No non-stdlib modules are required.
Place your routers credentials in ~/.config/optools/actiontec_mgmt.json
in the following format:
(pay close attention to the quoting)
(minified json is OK/whitespace-insensitive):
_______________________________________________________________________________
{
"ip_addr": "192.168.1.1",
"user": "admin",
"password": "admin",
"ssl": false,
"port": 23
}
_______________________________________________________________________________
IF:
- That file isn't found:
-- A default (blank) one will be created (with secure permissions). All values
will be null (see below).
- "ip_addr" is null:
-- You will be prompted for the IP address interactively. (If you don't know
the IP address of it, it's probably the default -- "192.168.1.1".)
- "user" is null:
-- You will be prompted for the username to log in interactively. (If you don't
know the username, it's probably the default -- "admin".)
- "password" is null:
-- You will be prompted for the password. When being prompted, it will NOT echo
back (like a sudo prompt).
- "ssl" is null:
-- The default (false) will be used.
- "port" is null:
-- The default port (23) will be used.
TIPS:
- You need to ensure that you have the management interface enabled. Log into
your Actiontec's web interface, and:
1.) "Advanced" button (at the top)
2.) "Yes" button
3.) a.) Choose "Local administration" if you'll be managing the device within
the network it provides.[0]
b.) Choose "Remote administration" if you'll be managing the device
outside the network it provides (i.e. over the Internet).[0]
3.5) The "Telnet" options are what you want, ignore the "Web" settings.
4.) Select the protocols/ports you'll be using. SEE FOOTNOTE 0 ([0])!
5.) Click the "Apply" button.
- "ip_addr" can also be a host/DNS name -- just make sure it resolves on your
local machine to your Actiontec IP address! The default, at least on mine,
was "wireless_broadband_router" (can be changed via Advanced > Yes > System
Settings > Wireless Broadband Router's Hostname):
[bts@cylon ~]$ nslookup wireless_broadband_router 192.168.1.1
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: wireless_broadband_router
Address: 192.168.1.1
Name: wireless_broadband_router
Address: <YOUR_PUBLIC_IP_ADDRESS>
- Unfortunately it's a necessity to store the password in plaintext currently.
Future versions may give the option of encrypting it via GPG and using an
existing GPG agent session to unlock (if there's demand for such a feature).
Make sure your machine's files are safe (I recommend full-disk encryption).
[0] NOTE: ENABLING MANAGEMENT CAN BE HIGHLY INSECURE, *ESPECIALLY* IF ENABLING
"REMOTE ADMINISTRATION"! *ONLY* DO THIS IF YOU UNDERSTAND THE RISKS
AND HAVE ACCOUNTED FOR THEM. TELNET PASSES CREDENTIALS IN PLAINTEXT
BY DEFAULT, AND IF SOMEONE NASTY GETS THEIR HANDS ON YOUR DEVICE'S
CREDENTIALS THEY CAN DO *VERY* NASTY THINGS. I REFUSE ANY AND ALL
LIABILITY YOU OPEN YOURSELF UP TO BY ENABLING THIS. AT *LEAST* USE
THE "USING SECURE TELNET OVER SSL PORT"[1] OPTION.
YOU HAVE BEEN WARNED.
[1] NOTE: Even if using SSL, it's HIGHLY insecure and not to be trusted. The
key has been leaked (as of 2018-04-12):
https://code.google.com/archive/p/littleblackbox/
and it uses VERY weak ciphers, at that:
_____________________________________________________________________
| ssl-cert: Subject: commonName=ORname_Jungo: OpenRG Products Group/|
| countryName=US |
| Not valid before: 2004-06-03T11:11:43 |
|_Not valid after: 2024-05-29T11:11:43 |
|_ssl-date: 2018-04-12T09:42:22+00:00; -1s from scanner time. |
|_ssl-known-key: Found in Little Black Box 0.1 - |
| http://code.google.com/p/littleblackbox/ |
| (SHA-1: 4388 33c0 94f6 afc8 64c6 0e4a 6f57 e9f4 d128 1411)|
| sslv2: |
| SSLv2 supported |
| ciphers: |
| SSL2_RC4_128_WITH_MD5 |
| SSL2_RC4_64_WITH_MD5 |
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 |
| SSL2_RC4_128_EXPORT40_WITH_MD5 |
| SSL2_DES_192_EDE3_CBC_WITH_MD5 |
| SSL2_RC2_128_CBC_WITH_MD5 |
|_ SSL2_DES_64_CBC_WITH_MD5 |
|___________________________________________________________________|
It's generally probably not even worth it, to be honest. You'll get
more security mileage out of firewalling off to select hosts/nets.
But, if you insist on having it and using it, you will ALSO need to
install the following module:
ssltelnet
https://pypi.python.org/pypi/ssltelnet