OctoPrint exposed


#1

Interesting article... make sure you guys are securing your octoprint!


#2

That's amazing and scary.

@foosel If it were me, I'd pin this somewhere.


#3

Having messed with haproxy to provide an odd port to be forwarded for remote access, and with apache2 only listening to port 5000 on the local host, not the active network interface(s): unless you have put your machine into the DMZ and bypassed all firewalling, this shouldn't be an issue.


#4

I use OpenVPN so mine is not directly exposed.


#5

Yeah, I configured my haproxy to only allow connections over ssl with a user cert signed by my own cert authority, so without the correct type of cert you can't connect.
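An added illustration of the setup described in this post, not taken from the thread or from the OctoPrint project: an haproxy frontend that only completes a TLS handshake with clients presenting a certificate signed by a private CA, then forwards them to OctoPrint on the local host port 5000. The listening port 8443, the PEM file paths and the CRL file are assumptions.

```haproxy
global
    log /dev/log local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend octoprint_tls
    # Assumed port and paths. octoprint.pem holds the server cert + key;
    # my-ca.pem is the private CA that signed the user certs.
    # "verify required" aborts the handshake unless the client presents a
    # certificate that chains to my-ca.pem (and is not listed in the CRL).
    bind *:8443 ssl crt /etc/haproxy/certs/octoprint.pem \
        ca-file /etc/haproxy/certs/my-ca.pem \
        crl-file /etc/haproxy/certs/my-ca.crl verify required

    # Belt and braces at the HTTP layer: deny anything that reached us without
    # a client cert, or whose verification result is not 0 (success).
    http-request deny if !{ ssl_c_used } || !{ ssl_c_verify 0 }

    # Log the client cert subject so access is attributable per user cert.
    http-request capture ssl_c_s_dn len 64

    default_backend octoprint

backend octoprint
    option forwardfor
    # Tell OctoPrint the original request was HTTPS (reverse-proxy headers).
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Scheme https
    # OctoPrint itself stays bound to the loopback interface only.
    server octoprint_local 127.0.0.1:5000
```

With this in place, only the private CA's signing key and the CRL decide who can even reach the OctoPrint login page; OctoPrint's own port is never published on an external interface.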


#6

So to action this post - what should we be doing to secure an OctoPrint installation, what defines an "open" installation, what's the best solution to have a remotely accessible session to your 3D printer to view/control etc?


#7

Can you do a write-up of the technique at some point for the new Guide thread on the subject? If so, thanks.


#8

(Same request)

Can you do a write-up of the technique at some point for the new Guide thread on the subject? If so, thanks.


#9

I did a write-up yesterday to include some known techniques for doing this safely.

Guide thread


#10

I might be able to get around to doing so this weekend, but I mostly just followed the guide here.


#11

I'm not going to do this because frankly I have a bit of a bad feeling about this article. I checked Shodan myself (I actually do this fairly regularly, which is why I keep sounding like a broken record to not just blindly do port forwards ;)). With an IMHO sensible search I can't find even remotely the number of instances they claim (more like a tenth of it), and that combined with some of the wording makes this feel a bit too sensationalist. The original diary entry from a day before also made it sound like it was the fault of the software, not of users happily opening holes in their firewalls for any kind of service, and that also leaves a decidedly bad taste with me.

I'm going to push a blog post about the general topic of securing OctoPrint in the near future, but that will take some more days.


#12

Thanks.

As a long-time I.T. Manager, I know how many people simply don't understand the potential risk. I spent too much effort "plugging holes in the dike", so to speak.