Tighter security

What is the problem?
If I make my OctoPi publicly visible then anyone can see my webcam stream etc.
Is it possible to set OctoPrint such that only logged-in users see anything, everyone else just gets a login page?

What did you already try to solve it?
I checked all the security settings.

Additional information about your setup (OctoPrint version, OctoPi version, printer, firmware, octoprint.log, serial.log or output on terminal tab, ...)

1 Like

Hi @SpiderKenny :slight_smile:

Making your OctoPrint instance publicly available isn't a good idea. There are many ways in which you can safely access your instance remotely, without exposing your installation to the public internet.

Checkout OctoPrint.org - A Guide To Safe Remote Access of OctoPrint and https://discourse.octoprint.org/t/access-your-octoprint-remotely/3628/11 , there's a lot of information there to get you setup :slight_smile:

Cheers!

2 Likes

This is a recurring theme. While I agree that "us" (the end user) should take steps to secure their own install I also feel that the landing page of octoprint should be a log in screen. Just like every other web appliance in the world.

Nothing will change my mind on this.

To me, this is like saying "If I stored my keys in my car's ignition instead of in my pocket and then park it over on some dodgy corner of East Village, anyone can see my keys through my window and I'm worried they might steal it. Is there any way of tinting my windows by default so that they can't see through them?"

Publicly-visual is visible publicly.


Local Security of Home Page

@pingyon Why don't you guys rally together, crowdsource some money, throw it at foosel and have her work on changing the not-logged-in state of the home page (when you've turned on User Access)? This would be useful for libraries, public schools and places where you can't control your private network otherwise.

I personally wouldn't benefit from this, though. I completely control my own private network and have no fear in that regard.

1 Like

It's a webserver! It's supposed to be public facing!
A simple login page before anything else would go a long way to making this more usable.

@SpiderKenny

I'm old. I pre-date the Internet. Back at the Pentagon (a teletype/crypto shop), we were on the DARPANet. I pre-date websites. I used Lynx and Gopher. We were responsible for preventing the Russians from finding out what Caspar Weinberger had for breakfast. We had core memory; you could actually see the bits.

The original webservers were made for the Internet itself. As a software developer for almost four decades now, I can tell you that I've made webservers for things you couldn't even imagine. Today, I'll be making a webserver for a robotic tank project and no, it won't be available on the Internet because that would be just stupid and reckless.

There's such a thing as "audience". Who is the audience for my private 3D printer? I am the audience and nobody else. It doesn't make sense putting it out there for the 7 billion people on the planet of which over 1 million of them write malware. On average, it takes no more than a five-minute window for the next running script to reach your open server's port and to then start its collection of 300 or so URLs to classify which webserver you're running and then to test it against REST endpoints which you didn't even know existed.

The average open-sourced software (to include webservers) has perhaps a 90%-dependencies ratio against your own written code. For every one line of code you write, you've brought in nine lines of code that somebody else has written. Every week I have to maintain my 80+ repositories because one of those dependencies now has a newly-discovered vulnerability. And if my dependency has a vulnerability, my project has that same vulnerability in most cases. And if my project is a dependency for someone else's project, they do too.

If you want the Internet to access your 3D printer, then write a blog post and publish its URL.


That said, there are public schools which are now teaching STEM in the classroom. Kids being kids, it probably wouldn't hurt to limit access to 3D printers which are behind a firewall and yet at-risk to internal hacking attempts.

1 Like

You see, that's the thing. I do want my audience to be world-wide, but I also only want access to those who have a username / password. I suppose I could just add a third party cloud based access thingy - but that's another layer, when a simple "not logged in, not seeing anything" page would suffice.

1 Like

It's a webserver! It's supposed to be public facing!

Actually it isn't, OctoPrint was originally designed with only local access in mind, it wasn't originally intended to be used across the internet. People have just started using it that way without considering its originally intended use.

Since people insist on using it across the internet though, better user permissions are in the works that will allow you to set it up so that non logged in users will only see a login page.

I still don't know why people are so intent on opening up their 3d printer to the internet, I sure as hell don't want anyone touching mine, I might stream the webcam feed but that's it, the actual control pages stay well hidden from everyone but me. I wrote a small javascript overlay to put into obs along with the camera feed that gives the status of the print (because I just know you're going to say "because I want people to be able to see how far along the print is"), only the information that I want people to see, gets seen.

3 Likes

Having walked through some of the compromised OctoPrint installations remotely, one big problem that I see is when they also add plugins like the PSU control and TouchUI. Remotely, you can then toggle the TouchUI interface and it looks like you have more access to OctoPrint even if you're not logged in. In other words, the User Access might be giving you a false sense of security as the owner. And if I remotely could toggle ON/OFF your PSU, that's a bad thing, right?


Perhaps fifteen years ago I actually owned and operated a datacenter. I made money by hosting websites and databases for customers. Almost all of the websites those days were based upon Microsoft IIS Server as the webserver. We thought it was safe as a platform. Only ports 80/443 were allowed to the webservers from the firewalls. Safe, right?

I noticed some funny business going on in one of the weblogs. Someone had noticed that you could simply append "::" to the end of an ASP page's URL and the server would get confused and return the content of the page instead of running it.

Another time, I saw some hacking which involved actually invoking the command shell with a query which looked something like:

http://www.serername.com/some/path/../../../../../windows/system32/cmd.exe?dir

And, believe it or not, this actually worked. IIS dutifully climbed up the file system path until it found the root, then walked down in the SYSTEM32 folder, RAN CMD.EXE and returned the results back to them all the way to China.

So I had to actually program an ISAPI filter to take out these hacking attempts so at least I had a solution two days before Microsoft was able to provide a security release to fix it.

Morale of the story: the Internet isn't safe. Webservers—and especially open-sourced ones—are well understood by hackers and can have vulnerabilities which are unknown to you and to the author. Processing power is cheap. They can send a thousand attempts in order to try to brute-force a password or to try everything to get in.

I'm working on backporting this from the devel branch. But that won't make it impossible for anyone to access your webcam if you've forwarded this along side OctoPrint. OctoPrint doesn't control the webcam. It can't control access to something it doesn't control but merely embeds. So this will still be a huge problem of mostly user education.

I've been sounding like a broken record for years now on this topic, and sometimes even have been ridiculed for advocating for safe setups ("Hah, what could happen, don't be absurd"). You just don't put a physical device located in your home on the public internet. You don't. Never. You also don't put your home automation system online, or your radiator, or your lamps, or your paper printer. All those devices these days will have a built-in web server. That only means they are listening on a port that speaks HTTP, not that you should happily put them online for everyone to access.

2 Likes

I appreciate the effort foosel and am glad to hear this.

I dunno. You need to make money, @foosel. You might consider a "Pro" version of OctoPrint which does just that and then charge a one-time fee of... $50 per instance for it... or a site license of $250 or something.

To me, open source is more like "I've made something that works for me and I'm sharing it to you for free". It seems like too much to then add "I'm willing to make you something that works for your needs for free and to support it for free as well". As consumers, we're used to "if I do something for you, you pay me". All this... "change OctoPrint to suite me" sounds like bespoke/custom work. People should consider opening up their wallets for something like that.

You're a nice person and I know that some people could benefit from tightening the security. I'm going to weigh in on the side of "you should be paid for the 20% part". (I'm referring to the 80%/20% rule of software features, not to be confused by the Pareto rule. "Make the software work well for 80% of the people; the other 20% will likely request features that are too specific to be economical.")

lol.

A basic feature that has been over looked because the use of the product was not fully realized during the inception is hardly "custom work".

Im not denying that foosel should be paid for making a great product but I implore you to show me ANYTHING out there that has a http front end that doesn't have a login screen as the landing page.
Like it or not Octo is being treated as a web appliance by a good base of its users.

Just because it is, doesn't mean that it should be. These are two very different concepts.

show me anything else like it that doesnt have a login screen as its landing page.

Not really sure what you're trying to prove here. The official recommendation is not to forward ports. Period. Whether or not a login page is the default landing page of other applications is highly irrelevant. The fact of the matter is, OctoPrint is something that should not be on the public internet. It's already been pointed out that this is something being worked on, so I'm really not sure why you're still arguing that point.

@pingywon

Again, "audience": Anything assumed to be inside your private network and which has a web interface by default doesn't have user access turned on. I think you're mis-categorizing OctoPrint.

There are many webservers like Apache which were created from the moment of the original design as something that would be on the Internet and at-risk to hacking. That's the default mode.

As an I.T. Manager, I've created countless public-facing and Intranet-based websites and I was always responsible for their security. I made some of the original websites. I'm the person who had to tell management what a website actually was and what a domain name was. These were the days when nobody had a personalized domain name; if you had an email, it was decorated by @aol.com or something like that at the end.

Imagine if you had to log into your toaster in order to drop in a slice of bread. That would suck. Imagine now if you had to log into your HP OfficeJet printer in order to scan a document. Likewise, that would suck. But admittedly, there are $30,000 office printers at law firms (where I worked) which make you not only log in but then select the client who needs to be billed for the consumables you're about to use. But that's the other 20% I've been describing.

@jubaleth funny to me how you argue and then run and hide behind the "it is getting changed already so why are you arguing" argument. I am done addressing you on this matter.

@OutsourcedGuru I do agree with you on mostly all counts. I think the steps foosel is planning to take will be a good step forward for Octo, and I am more than happy to contribute financially to her efforts. Not for this change mind you, but for Octo as a whole.

Could you share that javascript you made for OBS?