Toon mods

###########################################################################
Hardening toon (complete exclusion of Eneco, for non-Eneco users only)
###########################################################################

Requirements:

1: toon with dropbear installed
2: connection with private network (no WAN)

When toon is set up completely, the "Internet" tab states that it is
connected to the service center. The service center consists of a
collection of websites and other services, reached through a VPN
tunnel and managed by Quby under the flag of Eneco. Each toon connects
to the service center through an OpenVPN tunnel secured with TLS. Even
if you do not have an Eneco account, toon will send data to Eneco on a
regular basis. According to Eneco no energy usage (gas and
electricity) data are uploaded, which is true, but boiler settings are
transmitted every hour. No idea why, by the way. Besides the OpenVPN
connection mentioned earlier, toon also phones home with ping and
through the chrony daemon.

##### Disabling OpenVPN: #####

The OpenVPN connection is disabled by simply not starting OpenVPN,
through commenting out the openvpn line in /etc/inittab:

#ovpn:2345:respawn:/usr/sbin/openvpn --config /etc/openvpn/vpn.conf --verb 0 >/dev/null 2>&1

This shuts off openvpn effectively. In the internet tab you will now
get the message “Connected to the internet” or something along these
lines. You will also get a warning message that internet has not been
set up correctly or setup has not yet been completed. You can safely
ignore these warnings.

After toon has been rebooted (don't do that yet!), if you have a toon
with qt-gui, you can suppress the warnings issued by toon about not
being able to reach the service center, as follows (thank you, al_n!):

Locate the file
/HCBv2/qml/apps/internetSettings/InternetSettingsApp.qml, and look for
the following code (line 365 or thereabouts):

onNotificationReceived: {
    var statemachine = message.getArgument("statemachine");
    if (statemachine) {
        var prevSmStatus = smStatus;
        smStatus = parseInt(statemachine);
        // add the following lines of code:
        // added by al_n (20151220):
        if (smStatus == _ST_INTERNET) {
            smStatus = _ST_TUNNEL;
        }
        //
        // continuation of original file:
        // Trigger the internetStateChange signal, used by the internet settings overview screen
        internetStateChange(smStatus);

... etc.

This will interpret a working internet connection as a connection to
the service center, and thus warnings are suppressed.

##### Disabling the time service access to time.quby.nl: #####

Toon keeps track of time through the chrony daemon. To set the clock
at startup, and to keep it synchronized with the rest of the world,
toon uses the time server of Quby: time.quby.nl. This server name is
set in /etc/chrony.conf. Locate the following two lines in
chrony.conf:

server time.quby.nl minpoll 8
and
initstepslew 30 time.quby.nl

and replace the server name by another time server. I use

wwv.nist.gov instead of time.quby.nl

since it has the same (short) server name length (you never know if
and how the chrony code was hacked by quby), is accessed by many clients
across the globe, and has proven to have a good level of stability
over many years of service.

Note: chrony speaks the network time protocol (NTP, UDP port 123); the
"server" and "initstepslew" directives expect an NTP server. This is
not the same thing as the older time protocol (TCP/UDP port 37), so
whatever you pick must serve NTP. The NIST servers, wwv.nist.gov
included, do.

##### Disabling pinging quby.nl: #####

Toon pings the Quby ping server every so many seconds. This is done by
/HCBv2/sbin/hcb_netcon. The ping server address is unfortunately
hard-coded in hcb_netcon, so it cannot simply be switched off; instead
you reroute the ping requests to another machine.

To reroute, edit the file /etc/hosts.template and add the line

127.0.0.1 ping.quby.nl

at the end of the file, and save it.

Test whether your rerouting works by pinging quby:

eneco-001-xxxxxx:/# ping ping.quby.nl
PING ping.quby.nl (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=1.108 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.738 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.658 ms

This indicates that the ping requests for quby are redirected to
localhost (IP 127.0.0.1). Thanks, RDNZL, for pointing this out!

Reboot toon for good measure. Now you can go and edit the
InternetSettingsApp.qml file, as explained above.

All done. You have now severed all connections between toon and Eneco
(quby), and can safely connect it to your wireless network again.
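The three edits above, applied and verified by a small POSIX shell script.
This is an added example, not part of the original writeup and not Quby's or
Toon's own code; the BusyBox shell on a toon can run it over dropbear. The
file paths are the ones named above. Assumptions: the script takes a root
directory argument ("/" on a live toon), the NTP_SERVER variable defaults to
wwv.nist.gov as used above, and the demo at the bottom works on constructed
stand-in files written to a scratch directory rather than on a real device.

```shell
#!/bin/sh
# Added example: apply the three "cut toon off from Quby" edits to a
# configuration tree under $1 and verify that nothing still points at quby.nl.
# Paths are as named in the writeup; NTP_SERVER is an assumption (any NTP
# server you trust), defaulting to the author's choice.

NTP_SERVER="${NTP_SERVER:-wwv.nist.gov}"

# 1. Stop init from respawning OpenVPN: comment out the ovpn line in inittab.
disable_openvpn() {
    f="$1/etc/inittab"
    sed 's|^ovpn:|#ovpn:|' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# 2. Point chrony at another NTP server (both the server and initstepslew lines).
replace_time_server() {
    f="$1/etc/chrony.conf"
    sed "s|time\.quby\.nl|$2|g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# 3. Resolve the hard-coded ping target to localhost; append the line once only.
redirect_ping() {
    f="$1/etc/hosts.template"
    grep -q '^127\.0\.0\.1[[:space:]]\{1,\}ping\.quby\.nl' "$f" ||
        printf '127.0.0.1 ping.quby.nl\n' >> "$f"
}

apply_hardening() {
    disable_openvpn "$1" && replace_time_server "$1" "$2" && redirect_ping "$1"
}

# Returns 0 when no Quby endpoint is still configured and a replacement
# time server is present; prints what is still wrong and returns 1 otherwise.
check_hardening() {
    root="$1"
    ok=0
    if grep -q '^ovpn:' "$root/etc/inittab"; then
        echo "inittab: openvpn is still started"; ok=1
    fi
    if grep -q 'quby\.nl' "$root/etc/chrony.conf"; then
        echo "chrony.conf: still references quby.nl"; ok=1
    fi
    if ! grep -q '^server ' "$root/etc/chrony.conf"; then
        echo "chrony.conf: no server line left, clock will drift"; ok=1
    fi
    if ! grep -q '^127\.0\.0\.1[[:space:]]\{1,\}ping\.quby\.nl' "$root/etc/hosts.template"; then
        echo "hosts.template: ping.quby.nl is not redirected"; ok=1
    fi
    return $ok
}

# Constructed stand-in for the three files (not copied from a device), so the
# script can be tried anywhere; prints the scratch directory it created.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf '%s\n' '::sysinit:/etc/init.d/rcS' \
        'ovpn:2345:respawn:/usr/sbin/openvpn --config /etc/openvpn/vpn.conf --verb 0 >/dev/null 2>&1' \
        > "$d/etc/inittab"
    printf '%s\n' 'server time.quby.nl minpoll 8' \
        'initstepslew 30 time.quby.nl' \
        'driftfile /var/lib/chrony/drift' \
        > "$d/etc/chrony.conf"
    printf '127.0.0.1 localhost\n' > "$d/etc/hosts.template"
    echo "$d"
}

# Demo on the scratch copy. On a toon you would run, over dropbear:
#   apply_hardening / "$NTP_SERVER" && check_hardening /
DEMO=$(make_demo_tree)
check_hardening "$DEMO" >/dev/null && echo "unexpected: demo tree already clean"
apply_hardening "$DEMO" "$NTP_SERVER"
if check_hardening "$DEMO"; then
    echo "hardening verified in $DEMO"
fi
rm -rf "$DEMO"
```

Run check_hardening again after the reboot: it is the quick way to confirm
that an upgrade or a restored backup has not put the Quby endpoints back.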