Restrict view for users not logged in


#1

I have been running an OctoPrint server on my printer for some weeks. It works fine using OctoPi and is always updated to the newest version of OctoPrint.
I have set up a DynDNS connection to be able to connect from the outside; I make these connections either with a browser or an Android tool named OctoRemote.
I am thinking about a way to disable the view of temperatures, settings and webcam on a remote system when the person connecting has not used the login to identify themselves.

I have searched the settings and add-ons, but I did not find a setting that can restrict the view for a user that has not used the login function.

My OctoPrint is running with OctoPi 0.14 on a Raspberry Pi 2B.

Thanks for your help

Hartmut


#2

I believe you are asking for trouble (malware, porn, etc.) if you allow any access from non-logged-in users. Yesterday, my firewall dropped 2314 attempts to penetrate my network, and port 80 was in the top ten.

Check your router and see if it supports VPN. If so, use that instead and generate keys for those people you trust. You can still restrict their access to OctoPrint functions as desired.


#3

I have been using virtual machines for years, like the OctoPi now, and have never had any problems.
It's not a good idea to read the firewall drops as "penetrations". When using a connection that has an IP address that changes every day, you will always get many connections to your system, depending on what the previous user of that IP address had done with it.

I want an easy way to connect to my OctoPrint; I am not sure whether using a VPN is a bit too much work for my little printer that I am not using all the time. The domain is not something I post on big platforms like Facebook, and the IP address changes every day.


#4

This is going to be technical...

I created an octo-proxy service that I personally use and trust. The network firewall allows an inbound ephemeral port to go to this server. Since it's a proxy, it then shunts the connections sideways to the printer and then back to the original client.

In this initial version, the client is an Amazon Lambda function (since it works with Amazon Alexa). But it could also be an external website or a smartphone app as well.

I would not trust opening up port 80 on your printer via your router's port-forwarding feature or similar. This is just a hacking event waiting to happen even if you do have user-access turned on. The Internet has lists of people's and businesses' webcams that have been hacked and they're shared in dark places out there; don't add yourself to that list.

I created a website on Linode perhaps six months ago and within moments, these script-kiddies (as @b-morgan is suggesting) showed up and started their penetration attempts. These scripts run 24x7 and port 80 is their sweet spot.


#5

@b-morgan and @OutsourcedGuru have it right on the security front. VPN is definitely not overkill if you want to connect from the outside world to your home network - it is the only way to have even the slightest chance that you will keep your network secure.

Any time you have a well known port open on your router, threats who regularly probe IP blocks known to be ISP dynamic customer blocks will flag your IP as a target and then attempt additional, more specific attacks until they gain access. Don't assume that your ever-changing IP address is going to save you - it actually paints a larger target on you.

Many modern, inexpensive routers have a VPN endpoint option, and several models that don't can have alternative open source firmware installed that does. If you really don't want to use a VPN client and insist on opening a hole, use a strong proxy over TLS, with two factor authentication and a signed certificate (not a self-signed one) to gain access to the proxy, and then let the proxy sit between you and your OctoPrint instance. This will probably add a bunch more resource overhead on your router beyond a VPN session, though, unless your router is capable of designating a DMZ port, and you put your proxy on a separate device, in the DMZ. Still, sort of overkill versus just connecting a VPN session to your router, unless you have other resources you need to remotely access and proxy (and most modern consumer firewall/router combos have lost the ability to designate a particular port as a DMZ).


#6

Just want to make absolutely clear here that I'm 100% with @b-morgan, @OutsourcedGuru and @supertaz on this. Port forwards are an accident waiting to happen. Even if it's just a lost print job due to a DDoS attack. Use a VPN or at the very least put a properly tightened down reverse proxy on a different and dedicated machine in front of things you intend to expose to the internet. The internet as a whole should always be considered the most hostile and toxic network that you can imagine.
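As an added illustration of the "tightened down reverse proxy over TLS" that posts #5 and #6 describe (this is example configuration written for this thread, not anything from the OctoPrint project or the posters): an nginx site file for `/etc/nginx/conf.d/`, assuming nginx runs on a dedicated host, OctoPrint listens at the constructed address 10.0.0.50:5000, the certificate comes from a public CA such as Let's Encrypt, and a private CA issues client certificates. The proxy requires both a client certificate and a password before any request, including the webcam and temperature views, reaches OctoPrint, so nothing is visible to an unauthenticated visitor.

```nginx
# Added example config (not from the thread). Assumed values: hostname
# printer.example.net, OctoPrint at 10.0.0.50:5000, certificate paths below.

# Rate-limit connections per client IP to slow down password guessing.
limit_req_zone $binary_remote_addr zone=octo:10m rate=5r/s;

# Plain HTTP serves nothing; it only redirects to TLS.
server {
    listen 80;
    server_name printer.example.net;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name printer.example.net;

    # CA-signed server certificate (placeholder paths), not a self-signed one.
    ssl_certificate     /etc/letsencrypt/live/printer.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/printer.example.net/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Factor 1: a client certificate issued by your own private CA (assumed path).
    ssl_client_certificate /etc/nginx/octoprint-client-ca.pem;
    ssl_verify_client      on;

    # Factor 2: a password checked by the proxy before OctoPrint sees anything.
    auth_basic           "OctoPrint";
    auth_basic_user_file /etc/nginx/octoprint.htpasswd;

    limit_req zone=octo burst=10 nodelay;

    location / {
        proxy_pass         http://10.0.0.50:5000;
        proxy_http_version 1.1;
        proxy_set_header   Host            $host;
        proxy_set_header   X-Real-IP       $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Scheme        $scheme;   # lets OctoPrint build https:// URLs
        # WebSocket upgrade for OctoPrint's live status updates.
        proxy_set_header   Upgrade         $http_upgrade;
        proxy_set_header   Connection      "upgrade";
        client_max_body_size 0;   # do not cap G-code uploads at the proxy
    }
}
```

OctoPrint's own login remains a third layer behind the proxy; the two proxy checks are what keep the unauthenticated view, which the original question asked about, off the internet entirely.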