Router setup for OctoPrint


#1

I need help setting up the Pi / router for internet access.

Created a port forward for 80 to 80.

I have a fixed IP address. Also, I can access OctoPrint from the internal network with a local login.


#2

Sorry, but this would be a terrible idea. Your firewall/router is defending you from hackers all day and all night long.

I set up a new server at Linode.com and within the first fifteen minutes of that website being up I was watching the web logs. Sure enough, hundreds of lines of scripted hacking started coming in, directed at port 80.


#3

If the only thing listening on port 80 is OctoPrint (via a reverse proxy), it is of course a security risk like any open port, but if the reverse proxy runs as non-root and OctoPrint, too, runs as non-root, then for most practical purposes I'd consider it a relatively safe setup. The question is then mostly whether OctoPrint (well, and its web backend) is particularly vulnerable to hacking attempts.


#4

OctoPrint exposes an unfiltered communication channel to a device that has multiple software-controlled heaters. How much can you trust that firmware? I trust my printers not to misbehave under normal use, but I would never want to risk allowing the internet to access it.

Even if OctoPrint itself is relatively secure, a breach is just a poorly thought out plugin away.


#5

Even though the pi user isn't root, it has been blessed by a variety of tweaks by Guy to allow it to do updates, for example. I run a variety of scripts from the Control tab which have access to the GPIO pins and I don't recall needing to sudo that or if I did, don't recall having to supply the password. In no way would I expose a Raspberry Pi to the Internet and especially port 80 on this.


#6

It obviously shouldn't run as user "pi" but as a user with no particular privileges. Standard security procedures apply, of course, but otherwise exposing a Raspberry Pi to the Internet should be no different than putting a regular web server online.


#7

In short, this should only be done if completely necessary, because the desired use case can't be implemented in any other way (e.g. through a VPN), and only by someone who knows what they are doing.

OctoPrint is designed to run in a more or less secure and trusted LAN, not the WAN. That's what it was made for. You wouldn't make your paper printer or your home automation system or your radiator control publicly reachable from the internet without additional security measures (I hope), so you also shouldn't do that with your 3D printer. A ton of people do regardless, but just because a ton of people do that doesn't make it a wise choice.


#8

Yes. Hence my original comment that for the most part it boils down to how secure OctoPrint is.

I expose my OctoPrint computer to the Internet, too, but via an Apache-based reverse proxy that includes Apache's authentication mechanism (that is, it requires a user and a password).


#9

I do my best, but I can't guarantee anything, and this is also not an appliance that should ever be put on the WAN (the attack vector here is not just OctoPrint, and you really don't want to expose the Pi busy driving a multi-hour print job to DDoS attacks either). Put additional measures in front that were created for securing and limiting access to stuff like that, one layer above whatever you want to secure! Ideally don't ever expose that service (or any other services in your LAN, really) to the internet, but instead use a VPN if you need external access.


#10

This is only part of the story here. Apache httpd is subject to zero-days too, and so is whatever other process is listening on a port exposed to the public. The fact of the matter is, there is really no good reason to put OctoPrint anywhere near the public internet. I can't come up with a single reason to risk the compromise of the thing that has the ability to burn down my house. One of the arguments that keeps coming up on that note is "but the firmware has protections built in". This is plain ignorant to believe. The fact of the matter is, a new firmware can be flashed to the printer over USB, and if your pi is compromised, all bets are off.

If you're using basic auth, I really hope you have rate limiting set up to prevent brute force. I'd recommend you switch to client certificates for authentication, or put a VPN in front of your OctoPrint instance.
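
Two of the posts above make concrete, checkable claims: #2 reports scripted probing of port 80 showing up in the web logs within minutes, and #10 asks whether basic auth on the reverse proxy is backed by rate limiting against brute force. The script below is an added example, not code from the thread, OctoPrint or Apache. It reads Apache "combined" access-log lines and applies the same sliding-window rule fail2ban uses (a ban after `max_failures` HTTP 401s within `window`), alongside a simple check for requests to paths no OctoPrint install serves. The log lines, IP addresses, probe-path list and thresholds are all constructed assumptions for the example.

```python
"""
Added example (not from the thread): a fail2ban-style pass over Apache
access-log lines.  It flags two patterns the posts describe:
  * scripted probing of port 80 (requests for paths OctoPrint never serves), and
  * basic-auth brute force (a burst of 401s from one client).
Every log line, IP, path and threshold here is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, e.g.
# 203.0.113.7 - - [10/Oct/2019:13:56:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed list of paths no OctoPrint install serves; hits here are scanner noise.
PROBE_PATHS = ("/wp-login.php", "/.env", "/phpmyadmin", "/cgi-bin/", "/manager/html", "/.git/")

# Constructed sample log: one brute-force burst, one scanner, one legitimate user
# who mistypes a password once.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Oct/2019:13:55:36 +0000] "GET / HTTP/1.1" 401 381 "-" "curl/7.64.0"
198.51.100.10 - - [10/Oct/2019:13:55:37 +0000] "GET / HTTP/1.1" 401 381 "-" "curl/7.64.0"
198.51.100.10 - - [10/Oct/2019:13:55:38 +0000] "GET / HTTP/1.1" 401 381 "-" "curl/7.64.0"
198.51.100.10 - - [10/Oct/2019:13:55:39 +0000] "GET / HTTP/1.1" 401 381 "-" "curl/7.64.0"
198.51.100.10 - - [10/Oct/2019:13:55:40 +0000] "GET / HTTP/1.1" 401 381 "-" "curl/7.64.0"
203.0.113.7 - - [10/Oct/2019:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2019:13:56:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2019:13:56:03 +0000] "POST /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.168.1.20 - alice [10/Oct/2019:13:57:10 +0000] "GET /api/printer HTTP/1.1" 200 512 "-" "OctoPrint-App"
192.168.1.20 - - [10/Oct/2019:14:30:00 +0000] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.1.20 - alice [10/Oct/2019:14:30:05 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def find_probes(entries):
    """Map IP -> set of probed paths for requests that look like scripted scanning."""
    hits = defaultdict(set)
    for e in entries:
        if any(e["path"].startswith(p) for p in PROBE_PATHS):
            hits[e["ip"]].add(e["path"])
    return dict(hits)


def find_bruteforce(entries, max_failures=5, window=timedelta(minutes=10)):
    """IPs with at least max_failures HTTP 401s inside any window-long span.

    This is the maxretry/findtime rule fail2ban applies; a single mistyped
    password from a real user stays well under the threshold.
    """
    failures = defaultdict(list)
    for e in entries:
        if e["status"] == 401:
            failures[e["ip"]].append(e["ts"])
    offenders = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= max_failures:
                offenders.add(ip)
                break
    return offenders


def analyze(log_text):
    """Run both checks and return the combined ban list plus the evidence."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    probes = find_probes(entries)
    brute = find_bruteforce(entries)
    return {
        "ban": sorted(set(probes) | brute),
        "probes": probes,
        "bruteforce": sorted(brute),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip in result["ban"]:
        print(f"would ban {ip}: probes={sorted(result['probes'].get(ip, []))} "
              f"bruteforce={ip in result['bruteforce']}")
```

Feed it a real `/var/log/apache2/access.log` instead of `SAMPLE_LOG` to see how much of the port-80 traffic on an exposed Pi is scanner noise; in production, let fail2ban (or the equivalent) do the banning rather than a hand-rolled script, and note that a 401 burst is only visible because the proxy, not OctoPrint, is doing the authentication.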


#11

I'm starting to wish we could write a bot that directed this question to the FAQ entries about it before posting, since it comes up at least once a week, and it never seems anyone has found the entries about why this is a Bad Idea(tm). It scares me that we, as a society, are doing such a poor job of educating the masses about the very basics of network security (even just enough to avoid them walking around the internet naked, with a neon sign flashing above their head that says, "Check this out!").


#12

I'm hoping that foosel will pin the Guide that I created yesterday on the subject.

I was actually considering writing a bot to walk the Internet, look for naked OctoPrints and create a list of them. I suppose the next thing to do would be to walk the list and change something like their page's title to be a bit.ly URL to that page. But of course, that would be hackerish and bad.


And then again, what if we put the list somewhere and OctoPrint (or a plugin) looks up its own public IP address on that list and then warns them, if found?