Securing & Optimising your CM68 / Catalyst Control Board
This documentation will run you through the process of adding some basic security to your control board.
Please note: this is not intended to be an exhaustive guide on Linux. I am not a security expert, nor am I a Linux engineer. There may still be security holes and optimisations that can be made, and I am open to discussing and adding more to this document.
When you log in to your board for the first time, use the following credentials: username `linaro`, password `linaro`. My printer's default name on the network was `voron-02-pro.local`. You will be presented with the following welcome (MOTD) message on login:
Before you move forward, the first thing you need to do is change the password for the user `linaro`. You can do this by running the following command in the command line:
Enter your existing password, and then your new password (twice), pressing `Enter` to submit. Nothing will be displayed while you type your passwords. You should see the following:
What is Sudoers?
The sudoers file is typically used to allow a user to execute commands as a different user. By default this requires a password; however, in the Fysetc installation this is disabled and will need to be re-enabled. You can read more on sudoers here. To secure your sudoers file, type the following command into your terminal:
You will be presented with a text editor (Nano) where you can scroll using your arrow keys until you find this line:
In simple terms, this line allows anyone within the sudoers group to execute commands as any other user without authentication. You will want to change this line to:
Save and exit nano using the keyboard shortcut `CTRL+X`, then hit `Enter` to save and exit.
Your sudoers file is now secured and your user will be prompted to enter their password when executing commands.
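To confirm no passwordless rule is left behind after the edit, the following added example (not part of the original guide or of the Fysetc image) lists every active sudoers rule that still carries the `NOPASSWD` tag. The sample file is constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example: list active sudoers rules that still carry NOPASSWD.

# Writes a constructed sample sudoers file (not the one shipped on the board)
# to a temp path and prints that path.
make_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample for the audit below
Defaults env_reset
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
# %admin ALL=(ALL) NOPASSWD: ALL
root ALL=(ALL:ALL) ALL
backup ALL=(root) \
    NOPASSWD: /usr/bin/rsync
EOF
    printf '%s\n' "$f"
}

# nopasswd_rules FILE...
# Prints "file:line: rule" for every uncommented rule containing NOPASSWD.
# Backslash-continued lines are joined first, so a tag that sits on the
# second physical line of a rule is not missed.
nopasswd_rules() {
    for file in "$@"; do
        [ -r "$file" ] || continue
        awk -v file="$file" '
            { line = buf $0; buf = "" }
            /\\$/ { sub(/\\$/, "", line); buf = line; next }
            line ~ /^[ \t]*#/ { next }
            line ~ /NOPASSWD[ \t]*:/ {
                gsub(/[ \t]+/, " ", line)
                print file ":" NR ": " line
            }
        ' "$file"
    done
}

# Demo on the constructed sample; on the board, run as root:
#   nopasswd_rules /etc/sudoers /etc/sudoers.d/*
sample=$(make_sample_sudoers)
nopasswd_rules "$sample"
rm -f "$sample"
```

An empty result on the real files means no rule bypasses the password prompt. `sudo -k` followed by `sudo -n true` should then fail, because `-n` refuses to prompt.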
To download the latest operating system updates (including security patches), type the command `sudo apt update` followed by `sudo apt upgrade`. When prompted, press `Enter` to continue.
Depending on how out of date your OS is, this may take a while to complete.
When using the `sudo` command you will, by default, always be presented with an error such as `sudo: unable to resolve host voron-02-pro: Name or service not known`. To fix this, type `sudo nano /etc/hosts` to edit your hosts file and paste this line at the bottom of that file:
Exit and save using the keyboard shortcut `CTRL+X` followed by `Enter` to save & exit. The error should now be gone when using the `sudo` command.
As part of this guide we're going to uninstall everything installed by default under the `linaro` user. To do so, we're going to open up Kiauh (which is pre-downloaded in the default image). Do this by running the following command:
You will most likely be asked to update Kiauh. Press `Y` and `Enter`, then re-run the above command to re-enter Kiauh. You will see the following screen:
By default you will also have KlipperScreen, Telegram Bot, Crowsnest, Obico, OctoEverywhere etc. We want to remove ALL software currently installed. Do this by typing the number `3` followed by `Enter`.
Now type the respective numbers and press `Enter` to remove the software one by one. We want to remove everything that is installed, including Klipper, Moonraker & Mainsail. Also remove PrettyGCode; this doesn't show in the installed list, but it is installed by default. Do not uninstall NGINX, as it is required later.
Once you press `Enter` you will be prompted with several questions to confirm. Type `Y` followed by `Enter` to continue removing software. You may be prompted for your password.
Now you can exit Kiauh by typing `Q` followed by `Enter`.
Services are programs running in the background of your installation. These generally start when the system is booted, so we're going to find them and remove them (along with any potential security threats).
If you run the command `netstat -tnlp` you will be given a list of open ports and their state. We're filtering for listening ports at the moment, and we see the following:
Whilst most of these are probably fine, we should only be seeing 2 now: port `22` for SSH and port `80` for NGINX (webserver).
So we will run the following command to get a list of all running services on the system:
You should see a list that looks something like this:
Many of these services can be disabled completely, freeing up system resources and further securing the installation. To disable a service we use the command `systemctl disable --now <process.service>`. This issues an immediate stop command, along with a disable command to prevent the service starting back up after a reboot.
The following list of commands can be run to safely stop & disable the services:
You can now reboot your system using the command `sudo reboot`.
After a reboot, re-running the command `systemctl list-units --type=service --state=running` should show a much smaller list of running services.
Now, running the `netstat -tnlp` command from earlier, we should only see port 22 as open:
The system is now cleaned of any potentially nefarious services, and we should also see a significant gain in performance. For me, default memory usage at idle dropped from 140MB to 90MB (after installing Klipper again), which is quite the improvement.
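The port check described above can be made repeatable. This added example (not part of the original guide) reads `netstat -tnlp` output and prints every listening TCP socket whose port is not on an allow-list given as arguments. The sample output and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets whose port is not on an allow-list.

# Constructed sample of `netstat -tnlp` output (not captured from a real board).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      701/nginx
tcp        0      0 0.0.0.0:7125            0.0.0.0:*               LISTEN      845/python
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      590/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      612/sshd
EOF
}

# unexpected_ports PORT...
# Reads `netstat -tnlp` output on stdin and prints "port address pid/program"
# for each LISTEN socket whose port is not among the PORT arguments.
unexpected_ports() {
    awk -v allowed=" $* " '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # The port is the text after the last ":" (covers IPv4 and ":::22").
            n = split($4, parts, ":")
            port = parts[n]
            if (index(allowed, " " port " ") == 0)
                print port, $4, $7
        }'
}

# Demo: with 22 (SSH) and 80 (NGINX) allowed, two sockets are reported.
sample_netstat | unexpected_ports 22 80
```

On the board, feed it the live output, for example `sudo netstat -tnlp | unexpected_ports 22`, and run it again after the reboot to confirm the disabled services stayed down.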
Now that we have removed and cleaned the system of any unwanted software we can begin setting it up again.
Add a new user
I prefer to add a new user to the system. This separates any existing files/configs etc. owned by the `linaro` user and gives us a clean slate to work from. I prefer to keep my user as `pi` for consistency across all of my machines, but you can choose any user you wish.
Create a new user using the following command:
You will be asked for a password and to confirm it, followed by a series of inputs. You can leave them all blank and hit enter to skip them:
At this point type `Y` and press `Enter` to add the user.
Next we want to add the user to the sudo group to allow it to execute sudo commands. You can do this by running the command (replacing `pi` with your desired username).
Once complete, you can log out of the `linaro` user using the command `exit` and reconnect to the system using the new user, for example `ssh pi@voron-02-pro.local`, and authenticate using the new password provided above.
You will now be logged in as the new user (`pi` in my case), with an empty home directory.
Now we want to install our printer software again. This guide will only cover the installation of the basic requirements (Klipper, Moonraker & Mainsail); you can find out more about installing services using Kiauh here.
To download Kiauh, paste the below command into your terminal:
Begin by installing Klipper. Type `1` then `Enter` to enter the install menu, followed by `1` then `Enter` to install Klipper.
You will be asked to select your Python version. If you have no reason to use Python 2.x, press `Enter` to continue with the pre-selected option.
When asked how many instances of Klipper to install, press `Enter` to confirm just 1 instance. (The CM68 probably won't cope with more.)
Once you have pressed `Enter`, the installation will begin. Depending on your connection speed, this may take a few minutes.
You may see the following prompt. Type `Y` and press `Enter` to proceed.
When the installation has completed you will be given the following prompt and returned to the Kiauh install menu.
Moonraker is the API that interfaces between your front-end (Mainsail in this document) and Klipper. Press `2` and `Enter` to continue.
When prompted, press `Y` and `Enter` to install Moonraker.
Wait for the installation to complete. This shouldn't take as long as the Klipper install, but is dependent on connection speed & system load. When complete you will see the following prompt and return to the Kiauh install menu.
Once Klipper & Moonraker are installed, type `3` followed by `Enter` to install Mainsail.
You will be prompted to install additional client macros. Type `Y` and `Enter` to continue.
Once prompted, the Mainsail installation is complete, and you will be returned to the Kiauh install menu.
Type `B` then `Enter` to go back, then `Q` and then `Enter` to quit Kiauh.
And that's it! You're done!
This will download the latest version from the Kiauh GitHub repository.
Once the download has completed you can enter Kiauh using the following command: `./kiauh/kiauh.sh`. If you are given a permission denied error on `/tmp/kiauh.log`, run the command `sudo rm -f /tmp/kiauh.log` and re-run the last command to enter Kiauh. This could be a leftover log file from the `linaro` user that `pi` doesn't have access to.
You should see a fresh Kiauh console like so:
You now have a fresh install of Klipper, Moonraker & Mainsail that you can begin using immediately. Using your desired browser, go to the URL of your printer. This could be the hostname (by default `voron-02-pro`) or the IP address; for me this was `http://voron-02-pro.local`.
You should now see a fresh installation of Mainsail. Note that there will be an error, as we have not configured anything yet.