Disable important announcements

Could I stop all announcements by deleting the xml file "http://octoprint.org/feeds/important.xml" as I don't need or want to update anything ever. My Octoprint version is 1.3.4?

Hello @modrel!

If you want: Go to OctoPrint Settings -> Announcements.

On mine there is no option to turn off "important announcements". It's grayed out. Were you able to do that in later versions?

Nope - not with 1.4.0 - sorry for the misreading

The irony of never updating eh

You could not connect the OctoPrint instance to the internet so it cannot get new notifications, which is the only safe thing to do anyway if you don't update anything.

I seriously don't think anyone is going to hack a pi print server, the thing has been running for about 5 years and I haven't even changed the ssh password. lol. Is there a way to stop it going on the internet beyond my local router?

Until someone does and sets your house on fire...

I'm glad you find it funny. I am not kidding. No matter how small the chances that someone hacks your pi printer server, once they do they have access to a heater element and a PSU that can be used to set your house on fire.

Unless you (1) update your software AND (2) know what you are doing (which, frankly, you don't seem to), I would seriously reconsider having your pi connected to the router in the first place. If your router has a firewall, you may configure that to block any and all traffic to and from your pi print server. Or get good insurance, that might be easier.

What triggered you into being so rude and obnoxious to me, you added "(which, frankly, you don't seem to)" I think that was a little bit unnecessary since all I did was ask a question that you didn't even know the answer to either! Forgive me if you are autistic but unless you have an answer don't reply with such a snotty tone when you obviously are not qualified to do so?

I am sorry I came across snotty or obnoxious, especially if that means you are less likely to take my advice.
I stand by my words, and hope you stay safe.

Field of View was trying to get across the important point that even if you have never been hacked, only have your octoprint server on your local network etc. Changing passwords, getting announcements about security updates is an important part of running any electronic device these days. It does not take long to break WPA2 security as it is broken (even the just coming out WPA3 has been shown to have vulnerabilities) and then see there is an octoprint device on the network, and takes milliseconds to try the default password. (not to mention all those IOT devices people have) It probably will never happen but for the sake of 10 seconds to change the password...... It is sad, undesirable but unfortunately that is the way of the world. Having got that out of the way ....

One way you could block the Pi (is it a pi, let's say octoprint server) connecting to the internet is at your network gateway, this is probably a router as I suspect if you were running a full-blown firewall (like myself) you would know the answer :)

You would need to look at the instructions for your router to see what features it has and how to access them. What you want to do is stop the MAC address and/or IP address (which would need to be fixed lease if Dynamic) from going through the gateway.

You could remove the default gateway but that sometimes causes issues with inbound network traffic.

2 other choices include setting up the firewall on your octoprint server (although that does have the disadvantage that you will have to reset it up each time you do a major change) or installing a firewall (I recommend IPFire a fork from IPCop).

Edit: Quick check and iptables is installed by default on Octopi 1.4.0, your software might vary.

The last thing I'll say is that it can often be a good strategy not to update software when you have a thing that is working. However, this is not true for most things that are connected to the internet, especially if those things are controlling potentially hazardous devices. Updates are needed to keep you safe.

If it was a functional update then I don't mind. Anything connected to any sort of network, internet or internal, consumer or commercial should be updated if a security update is available. This is because of the IOT devices on people's networks which will phone home and do who knows what.

But then I do this for a living (design them, not admin them).

Something like (Use at own risk)

$ iptables -A OUTPUT -p tcp -d 192.168.1.0/24 -j ACCEPT
$ iptables -P OUTPUT DROP

on a unix system, where 192.168.1.0/24 is your local network, this would need to be called in the start up scripts to do this every time. Bearing in mind if you get this wrong you might not be able to connect to octoprint any more. So make sure you test it before you make it part of the boot sequence.

The above switches the default outbound policy to drop all traffic. Then there is a rule to allow outbound traffic if the destination is the local network. Bear in mind if you do things like upload timelapses to dropbox, that will also be blocked. It is only blocking tcp, it will still allow udp (e.g. older dns) and icmp (e.g. ping)
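An added example, not part of the original post or of OctoPrint: a LAN-only egress ruleset in iptables-restore format, loaded with an automatic rollback so that a mistake does not lock you out before it becomes part of the boot sequence. The function names, the `LAN` variable, the loopback, reply-traffic and mDNS exceptions and the 30-second timeout are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the thread. 192.168.1.0/24 is the post's sample LAN;
# IPv4 only (IPv6 needs an equivalent ip6tables ruleset).
LAN=${LAN:-192.168.1.0/24}

# Print an iptables-restore ruleset. The OUTPUT policy DROP applies to every
# protocol, so each exception is explicit: loopback, replies to connections
# opened from the LAN, the LAN itself, and mDNS (link-local multicast) so a
# .local hostname keeps resolving. Anything but a bare IPv4 CIDR is rejected.
build_rules() {
    case $1 in
        *[!0-9./]*) return 1 ;;
        *.*/*) ;;
        *) return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $1 -j ACCEPT
-A OUTPUT -d 224.0.0.251/32 -p udp --dport 5353 -j ACCEPT
COMMIT
EOF
}

# Load a rules file (this replaces the whole filter table), then restore the
# saved rules unless the operator confirms within the timeout (default 30 s).
apply_with_rollback() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    if iptables-restore < "$1"; then
        echo "Open a NEW session to OctoPrint, then type 'keep' within ${2:-30}s:"
        if read -r -t "${2:-30}" answer && [ "$answer" = keep ]; then
            rm -f "$backup"; return 0
        fi
    fi
    iptables-restore < "$backup"; rm -f "$backup"
    echo "Previous rules restored." >&2
    return 1
}

# Usage: ./lan-only.sh print      (inspect)   sudo ./lan-only.sh apply
case ${1:-} in
    print) build_rules "$LAN" ;;
    apply) f=$(mktemp) && build_rules "$LAN" > "$f" && apply_with_rollback "$f" ;;
esac
```

Confirm from a fresh browser or SSH session rather than the one already open, since established connections keep working either way.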

There is a known vulnerability in the version of OctoPrint you use:

As far as it has been disclosed, anyone that can access the web interface can gain admin rights. Admins can install additional software to your Pi, through which they can gain access to the underlying system without needing your ssh password.

2 Likes

@modrel It has been pointed out that the version you are running is not only outdated but actually contains a severe vulnerability. If you don't want to update, that's on you of course, but we also don't give support here for software that's ancient - I frankly have enough on my plate with giving support for the current releases.

And thanks to people like you around two years ago I got to spend a week fielding questions from journalists from various IT news outlets right in the middle of untangling a joint household of 16 years, since - surprise! - people DO hack pi print servers, fridges, light bulbs if they get the chance to, and there are search engines like shodan.io that make it trivial to find them if they are accessible via a public IP. And you downplaying that risk is probably what made @fieldOfView (and now me) say that you don't seem to know what you are doing. @fieldOfView btw happens to be seriously qualified to talk about these things.

Disconnect your instance from the internet and that's it, no more announcements (and no risk at least from your ancient OctoPrint instance). Alternatively disable the announcement plugin and live with the consequences. Important announcements can intentionally not be disabled and I will never change that - they rarely if ever get used, and if so it's either due to severe security, stability or project future situations.

3 Likes

For the record, I do understand where @modrel's remark towards me was coming from. I take no offense from it. I am sorry my tone was somewhat harsh, and perhaps counterproductive.

Security and safety are serious matters. We try to be supportive here, but if I see someone in the process of shooting themselves in the foot, I really feel I have to try to prevent that, even if that someone seems to think shooting the aforementioned foot can do no harm.

nah everything you said was fine

the only snotty person here was that guy

I appreciate what you are saying, but let's stay welcoming and refrain from calling people things.

Enough said. We made our point: either disconnect the 1.3.4 installation from the internet entirely or update it. I hope @modrel stays safe, and is not discouraged from participating in this community.

1 Like