Securing & Optimising your CM68 / Catalyst Control Board

This documentation will run you through the process of adding some basic security to your control board.

Please note: this is not intended to be an exhaustive guide to Linux. I am not a security expert, nor am I a Linux engineer; there may still be security holes and optimisations that can be made, and I am open to discussing and adding more to this document.

When you first log in to your board you will use the following credentials: Username: linaro, Password: linaro. My printer's default name on the network was voron-02-pro.local. You will be presented with the following welcome (MOTD) message on login:

Set a new password

Before you move forward, the first thing you need to do is change the password for the user `linaro`. You can do this by running the following command in the command line:

passwd linaro

followed by your existing password and then your new password (twice), pressing Enter after each; nothing is displayed while you type a password. You should see the following:

linaro@voron-02-pro:~$ passwd linaro
Changing password for linaro.
Current password:
New password:
Retype new password:
passwd: password updated successfully

Secure Sudoers File

What is sudoers? The sudoers file is used to allow a user to execute commands as a different user (typically root). By default this requires the user's password; however, in the Fysetc installation the password prompt is disabled, and it will need to be re-enabled. You can read more on sudoers here. To secure your sudoers file, type the following command into your terminal:

sudo nano /etc/sudoers

You will be presented with a text editor (Nano) where you can scroll using your arrow keys until you find this line:

%sudo   ALL=(ALL) NOPASSWD: ALL

In simple terms, this line allows any member of the sudo group to execute any command as any user without entering a password. You will want to change this line to:

%sudo   ALL=(ALL:ALL) ALL

Save and exit nano using the keyboard shortcut CTRL+X, then hit Enter to save and exit.

Your sudoers file is now secured, and your user will be prompted to enter their password when executing commands with sudo.
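To check the result without reading the file by eye, here is a small audit script added for this section (it is not part of the original guide or the Fysetc image). It prints any rule that still carries NOPASSWD and normalises the %sudo rule so it can be compared with the hardened line above. The two sample files it creates are constructed from the stock and hardened lines, and the filename sudoers_audit.sh is an assumed name:

```shell
#!/bin/sh
# Added example, not part of the original guide or the Fysetc image.
# Audit a sudoers file for rules that skip password authentication.
#   sudo sh sudoers_audit.sh /etc/sudoers     # check the real file
#   sh sudoers_audit.sh                       # check the constructed samples

# Print every active rule in the file that carries a NOPASSWD tag.
# Comments and blank lines are dropped first, so a commented-out line
# is not reported. The trailing "|| true" keeps grep's "no match" status
# from being treated as an error.
find_nopasswd_rules() {
    sed -e 's/#.*//' "$1" | grep -v '^[[:space:]]*$' | grep 'NOPASSWD' || true
}

# Number of such rules; 0 means the file is clean.
nopasswd_count() {
    find_nopasswd_rules "$1" | grep -c . || true
}

# The rule for the sudo group with runs of spaces/tabs collapsed, so it
# can be compared against the hardened form "%sudo ALL=(ALL:ALL) ALL".
sudo_group_rule() {
    sed -e 's/#.*//' "$1" | grep '^[[:space:]]*%sudo[[:space:]]' \
        | tr -s ' \t' ' ' | sed -e 's/ *$//' || true
}

# Human-readable summary for one file.
audit() {
    n=$(nopasswd_count "$1")
    if [ "$n" -eq 0 ]; then
        echo "$1: OK, no NOPASSWD rules (sudo rule: $(sudo_group_rule "$1"))"
    else
        echo "$1: WARNING, $n NOPASSWD rule(s):"
        find_nopasswd_rules "$1" | sed -e 's/^/    /'
    fi
}

# Constructed samples: the stock line from the Fysetc image and the
# hardened line this section asks for.
STOCK=$(mktemp)
HARDENED=$(mktemp)
trap 'rm -f "$STOCK" "$HARDENED"' EXIT
cat > "$STOCK" <<'EOF'
# constructed sample, stock rule
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL) NOPASSWD: ALL
EOF
cat > "$HARDENED" <<'EOF'
# constructed sample, hardened rule
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# %sudo ALL=(ALL) NOPASSWD: ALL   (old line kept only as a comment)
EOF

if [ $# -gt 0 ]; then
    audit "$1"
else
    audit "$STOCK"
    audit "$HARDENED"
fi
```

The guide edits the file with nano; after saving, `sudo visudo -c` checks the syntax, which is worth doing before you log out, since a syntax error in /etc/sudoers disables sudo for every user. `sudo -l` then shows the rules that actually apply to the user you are logged in as.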

Update your system

To download the latest operating system updates (including security patches), type the command sudo apt update followed by sudo apt upgrade. When prompted, press Enter to continue.

Do you want to continue? [Y/n]

Depending on how out of date your OS is, this may take a while to complete.

Fix unable to resolve host error

By default, whenever you use the sudo command you will be presented with an error such as sudo: unable to resolve host voron-02-pro: Name or service not known. To fix this, simply type sudo nano /etc/hosts to edit your hosts file and paste this line at the bottom of the file (using your own hostname in place of voron-02-pro):

127.0.0.1       voron-02-pro

Save and exit using the keyboard shortcut CTRL+X followed by Enter. The error should now be gone when using the sudo command.

Remove unwanted software

As part of this guide we're going to uninstall everything installed by default under the linaro user. To do so we're going to open up Kiauh (which is pre-downloaded in the default image) by running the following command:

./kiauh/kiauh.sh

You will most likely be asked to update Kiauh; press Y and Enter, then re-run the above command to re-enter Kiauh. You will see the following screen:

By default you will also have KlipperScreen, Telegram Bot, Crowsnest, Obico, OctoEverywhere etc. installed. We want to remove ALL currently installed software; do this by typing the number 3 followed by Enter.

Now simply type the respective numbers and press Enter to remove the software one by one. We want to remove everything that is installed, including Klipper, Moonraker and Mainsail. Also remove PrettyGCode; it doesn't show in the installed list but it is installed by default. Do not uninstall NGINX, as this is required later.

Once you press Enter you will be prompted with several questions to confirm; type Y followed by Enter to continue removing the software. You may be prompted for your password.

Now you can exit Kiauh by typing Q followed by Enter.

Remove unwanted services

Services are programs running in the background of your installation; they generally start when the system is booted, so we're going to find them and remove them (along with any potential security threats).

If you run the command netstat -tnlp you will be given a list of open ports and their state (the flags restrict the output to TCP sockets in the LISTEN state, with numeric addresses and the owning process where visible). We see the following:

linaro@voron-02-pro:~$ netstat -tnlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5037 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:7136 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::7136 :::* LISTEN -

Whilst most of these are probably fine, we should only be seeing two now: port 22 for SSH and port 80 for NGINX (the web server).
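As an added check (my script, not part of the original guide or the Fysetc image), the following compares netstat -tnlp output against an allowlist of ports and reports anything else, so it can be re-run after every change. The sample output embedded in it is constructed from the listing above, the filename unexpected_ports.sh is an assumed name, and the allowlist defaults to the two ports this section expects, 22 and 80:

```shell
#!/bin/sh
# Added example, not part of the original guide or the Fysetc image.
# Report listening TCP sockets whose port is not on an allowlist.
#   sudo netstat -tnlp > /tmp/ports.txt && sh unexpected_ports.sh /tmp/ports.txt
#   sh unexpected_ports.sh            # run against the constructed sample
# Override the allowlist with ALLOWED_PORTS="22 80 7125" if needed.

ALLOWED_PORTS="${ALLOWED_PORTS:-22 80}"

# Read `netstat -tnlp` output on stdin and print one line per LISTEN
# socket whose port is not allowed: "<proto> <local address> <pid/program>".
# Columns: Proto Recv-Q Send-Q Local Foreign State PID/Program.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)    # keep the text after the last colon (works for :::22 too)
            if (!(port in ok)) print $1, $4, $7
        }'
}

# Number of unexpected listeners on stdin; 0 means the host matches the allowlist.
unexpected_count() {
    unexpected_listeners "$1" | grep -c . || true
}

# Summary for netstat output stored in a file.
report() {
    n=$(unexpected_count "$ALLOWED_PORTS" < "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: only allowed ports ($ALLOWED_PORTS) are listening"
    else
        echo "WARNING: $n listener(s) outside the allowlist ($ALLOWED_PORTS):"
        unexpected_listeners "$ALLOWED_PORTS" < "$1" | sed -e 's/^/    /'
    fi
}

# Constructed sample, copied from the listing in the guide (PIDs show as "-"
# because netstat was not run as root).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5037 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:7136 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::7136 :::* LISTEN -'

if [ $# -gt 0 ]; then
    report "$1"
else
    TMP=$(mktemp)
    trap 'rm -f "$TMP"' EXIT
    printf '%s\n' "$SAMPLE" > "$TMP"
    report "$TMP"
fi
```

Run netstat with sudo so the PID/Program name column is filled in rather than showing "-"; that tells you which service owns each stray port before you disable it. In the listing above, 5037 and 5555 are the standard adb server and adbd ports, matching the bt.service ("adbd for Debian") entry in the service list that follows. Once Moonraker is reinstalled later in this guide its port (7125) will need adding to the allowlist.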

So we will run the following command to get a list of all running services on the system:

systemctl list-units --type=service --state=running

You should see a list that looks something like this:

linaro@voron-02-pro:~$ systemctl list-units --type=service --state=running
UNIT                         LOAD   ACTIVE SUB     DESCRIPTION
acpid.service                loaded active running ACPI event daemon
anacron.service              loaded active running Run anacron jobs
avahi-daemon.service         loaded active running Avahi mDNS/DNS-SD Stack
bluetooth.service            loaded active running Bluetooth service
bt.service                   loaded active running adbd for Debian
dbus.service                 loaded active running D-Bus System Message Bus
getty@tty1.service           loaded active running Getty on tty1
NetworkManager.service       loaded active running Network Manager
nginx.service                loaded active running A high performance web server and a reverse proxy server
ntp.service                  loaded active running Network Time Service
packagekit.service           loaded active running PackageKit Daemon
polkit.service               loaded active running Authorization Manager
rsyslog.service              loaded active running System Logging Service
serial-getty@ttyFIQ0.service loaded active running Serial Getty on ttyFIQ0
ssh.service                  loaded active running OpenBSD Secure Shell server
strongswan-starter.service   loaded active running strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
systemd-journald.service     loaded active running Journal Service
systemd-logind.service       loaded active running User Login Management
systemd-networkd.service     loaded active running Network Service
systemd-udevd.service        loaded active running Rule-based Manager for Device Events and Files
triggerhappy.service         loaded active running triggerhappy global hotkey daemon
usbdevice.service            loaded active running Manage USB device functions
user@1000.service            loaded active running User Manager for UID 1000
wpa_supplicant.service       loaded active running WPA supplicant
xl2tpd.service               loaded active running LSB: layer 2 tunelling protocol daemon

Many of these services can be disabled completely, freeing up system resources and further securing the installation. To disable a service we use the command systemctl disable --now <process.service>; this issues an immediate stop command along with a disable command, preventing the service from starting back up after a reboot.

The following list of commands can be run to safely stop and disable the services:

sudo systemctl disable --now bluetooth.service
sudo systemctl disable --now bt.service
sudo systemctl disable --now strongswan-starter.service
sudo systemctl disable --now triggerhappy.service
sudo systemctl disable --now usbdevice.service
sudo systemctl disable --now xl2tpd.service

You can now reboot your system using the command `sudo reboot`.

After a reboot, re-running the command systemctl list-units --type=service --state=running should show a much smaller list of running services.

linaro@voron-02-pro:~$ systemctl list-units --type=service --state=running
UNIT                         LOAD   ACTIVE SUB     DESCRIPTION
acpid.service                loaded active running ACPI event daemon
avahi-daemon.service         loaded active running Avahi mDNS/DNS-SD Stack
dbus.service                 loaded active running D-Bus System Message Bus
getty@tty1.service           loaded active running Getty on tty1
klipper-priority-fix.service loaded active running Klipper Priority Manager
NetworkManager.service       loaded active running Network Manager
nginx.service                loaded active running A high performance web server and a reverse proxy server
ntp.service                  loaded active running Network Time Service
polkit.service               loaded active running Authorization Manager
rsyslog.service              loaded active running System Logging Service
serial-getty@ttyFIQ0.service loaded active running Serial Getty on ttyFIQ0
ssh.service                  loaded active running OpenBSD Secure Shell server
systemd-journald.service     loaded active running Journal Service
systemd-logind.service       loaded active running User Login Management
systemd-networkd.service     loaded active running Network Service
systemd-udevd.service        loaded active running Rule-based Manager for Device Events and Files
user@1000.service            loaded active running User Manager for UID 1000
wpa_supplicant.service       loaded active running WPA supplicant
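To confirm the cleanup stuck after the reboot, here is an added verification script (mine, not part of the original guide or the Fysetc image). It takes the text of systemctl list-units --type=service --state=running and reports two things: any service from the disable list that is still running, and anything running that is not in a baseline, which here is the post-reboot listing above. The samples embedded in it are constructed from the guide's before and after listings, and check_services.sh is an assumed filename:

```shell
#!/bin/sh
# Added example, not part of the original guide or the Fysetc image.
# Verify the service cleanup against the output of
#   systemctl list-units --type=service --state=running
# Usage:
#   systemctl list-units --type=service --state=running > /tmp/units.txt
#   sh check_services.sh /tmp/units.txt
#   sh check_services.sh            # run against the constructed samples

# Services the guide stops and disables.
DISABLED_SERVICES="bluetooth.service bt.service strongswan-starter.service \
triggerhappy.service usbdevice.service xl2tpd.service"

# Expected running set after the cleanup, taken from the guide's
# post-reboot listing. Anything running that is not here gets reported.
BASELINE="acpid.service avahi-daemon.service dbus.service getty@tty1.service \
klipper-priority-fix.service NetworkManager.service nginx.service ntp.service \
polkit.service rsyslog.service serial-getty@ttyFIQ0.service ssh.service \
systemd-journald.service systemd-logind.service systemd-networkd.service \
systemd-udevd.service user@1000.service wpa_supplicant.service"

# Unit names that the listing on stdin reports as running.
# Columns: UNIT LOAD ACTIVE SUB DESCRIPTION...
running_units() {
    awk '$1 ~ /\.service$/ && $4 == "running" { print $1 }'
}

# True when word $1 appears in the space-separated list $2.
in_list() {
    for item in $2; do
        if [ "$item" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# Services from the disable list that are still running (listing on stdin).
still_running() {
    for svc in $(running_units); do
        if in_list "$svc" "$1"; then
            echo "$svc"
        fi
    done
    return 0
}

# Running services that are not in the baseline list (listing on stdin).
not_in_baseline() {
    for svc in $(running_units); do
        if ! in_list "$svc" "$1"; then
            echo "$svc"
        fi
    done
    return 0
}

# Summary for a listing stored in a file.
report() {
    left=$(still_running "$DISABLED_SERVICES" < "$1")
    extra=$(not_in_baseline "$BASELINE" < "$1")
    if [ -z "$left" ] && [ -z "$extra" ]; then
        echo "$1: OK, running set matches the post-cleanup baseline"
    else
        if [ -n "$left" ]; then
            echo "$1: still running from the disable list:"
            echo "$left" | sed -e 's/^/    /'
        fi
        if [ -n "$extra" ]; then
            echo "$1: running but not in the baseline:"
            echo "$extra" | sed -e 's/^/    /'
        fi
    fi
    return 0
}

# Constructed samples: a trimmed copy of the guide's "before" listing and
# the same listing after the six services were disabled.
BEFORE='UNIT                         LOAD   ACTIVE SUB     DESCRIPTION
acpid.service                loaded active running ACPI event daemon
bluetooth.service            loaded active running Bluetooth service
bt.service                   loaded active running adbd for Debian
nginx.service                loaded active running A high performance web server and a reverse proxy server
ssh.service                  loaded active running OpenBSD Secure Shell server
strongswan-starter.service   loaded active running strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
triggerhappy.service         loaded active running triggerhappy global hotkey daemon
usbdevice.service            loaded active running Manage USB device functions
xl2tpd.service               loaded active running LSB: layer 2 tunelling protocol daemon'
AFTER='UNIT                         LOAD   ACTIVE SUB     DESCRIPTION
acpid.service                loaded active running ACPI event daemon
nginx.service                loaded active running A high performance web server and a reverse proxy server
ssh.service                  loaded active running OpenBSD Secure Shell server'

if [ $# -gt 0 ]; then
    report "$1"
else
    TMP=$(mktemp)
    trap 'rm -f "$TMP"' EXIT
    printf '%s\n' "$BEFORE" > "$TMP"; report "$TMP"
    printf '%s\n' "$AFTER" > "$TMP"; report "$TMP"
fi
```

Adjust BASELINE to whatever your own board shows once you are happy with it; the point of keeping a baseline is that a service which reappears after a later update or reinstall is reported rather than blending into the list.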

Now running the netstat -tnlp command from earlier, we should only see port 22 open:

linaro@voron-02-pro:~$ netstat -tnlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

The system is now cleaned of any potentially nefarious services, and we should also see a significant gain in performance: for me, idle memory usage dropped from 140MB to 90MB (after installing Klipper again), which is quite the improvement.

Setting up the "New" system

Now that we have removed and cleaned the system of any unwanted software we can begin setting it up again.

Add a new user

I prefer to add a new user to the system; this separates any existing files, configs etc. owned by the linaro user and gives us a clean slate to work from. I prefer to keep my user as pi for consistency across all of my machines, but you can choose any username you wish.

Create a new user using the following command:

sudo adduser pi

You will be asked for a password and to confirm it, followed by a series of inputs. You can leave them all blank and hit Enter to skip them:

linaro@voron-02-pro:~$ sudo adduser pi
sudo: unable to resolve host voron-02-pro: Name or service not known
[sudo] password for linaro:
Adding user `pi' ...
Adding new group `pi' (1001) ...
Adding new user `pi' (1001) with group `pi' ...
Creating home directory `/home/pi' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for pi
Enter the new value, or press ENTER for the default
	Full Name []:
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n]

At this point type Y and press Enter to add the user. Next we want to add the user to the sudo group to allow it to execute sudo commands; you can do this by running the following command (replacing pi with your desired username):

sudo usermod -aG sudo pi

Once complete, log out of the linaro user using the command exit and reconnect to the system as the new user, for example ssh pi@voron-02-pro.local, authenticating with the new password you set above. You will now be logged in as the new user (pi in my case) with an empty home directory.

pi@voron-02-pro:~$

Now we want to install our printer software again. This guide will only cover the installation of the basic requirements (Klipper, Moonraker and Mainsail); you can find out more about installing services using Kiauh here.

Downloading Kiauh

To download kiauh simply paste the below command into your terminal:

git clone https://github.com/dw-0/kiauh.git

This will download the latest version from the Kiauh GitHub repository. Once the download has completed you can enter Kiauh using the command ./kiauh/kiauh.sh. If you are given a permission denied error on /tmp/kiauh.log, simply run the command sudo rm -f /tmp/kiauh.log and re-run the last command to enter Kiauh; this could be a leftover log file from the linaro user that pi doesn't have access to. You should see a fresh Kiauh console like so:

Install Klipper

Begin by installing Klipper: type 1 then Enter to enter the install menu, followed by 1 then Enter to install Klipper. You will be asked to select your Python version; if you have no reason to use Python 2.x, press Enter to continue with the pre-selected option.

/=======================================================\
| Please select your preferred Python version.          |
| The recommended version is Python 3.x.                |
|-------------------------------------------------------|
|  1) [Python 3.x]  (recommended)                       |
|  2) [Python 2.7]  (legacy)                            |
|-------------------------------------------------------|
|                       B) « Back                       |
\=======================================================/
###### Select Python version: 1

When asked how many instances of Klipper to install, press Enter to confirm just 1 instance (the CM68 probably won't cope with more).

/=======================================================\
| Please select the number of Klipper instances to set  |
| up. The number of Klipper instances will determine    |
| the amount of printers you can run from this host.    |
|                                                       |
| WARNING:                                              |
| Setting up too many instances may crash your system.  |
|-------------------------------------------------------|
|                       B) « Back                       |
\=======================================================/
###### Number of Klipper instances to set up: 1

Once you have pressed Enter the installation will begin; depending on your connection speed this may take a few minutes. You may see the following prompt; type Y and press Enter to proceed.

/=======================================================\
| WARNING: Your current user is not in group:           |
| ● tty                                                 |
| ● dialout                                             |
|                                                       |
| It is possible that you won't be able to successfully |
| connect and/or flash the controller board without     |
| your user being a member of that group.               |
| If you want to add the current user to the group(s)   |
| listed above, answer with 'Y'. Else skip with 'n'.    |
|                                                       |
| INFO:                                                 |
| Relog required for group assignments to take effect!  |
\=======================================================/
###### Add user 'pi' to group(s) now? (Y/n):

When the installation has completed you will be given the following prompt and returned to the Kiauh install menu:

#=======================================================#
 Klipper has been set up!
#=======================================================#

Install Moonraker

Moonraker is the API that interfaces between your front-end (Mainsail in this document) and Klipper. Press 2 and Enter to continue, and when prompted press Y and Enter to install Moonraker.

###### Initializing Moonraker installation ...
[✓ OK] Klipper installation found!

###### Install Moonraker? (Y/n):

Wait for the installation to complete; this shouldn't take as long as the Klipper install, but it is dependent on connection speed and system load. When complete you will see the following prompt and return to the Kiauh install menu.

#=======================================================#
 Moonraker has been set up!
#=======================================================#

   ● Instance 1: 10.0.0.110:7125

Install Mainsail

Once Klipper and Moonraker are installed, type 3 followed by Enter to install Mainsail. You will be prompted to install additional client macros.

/=======================================================\
| It is recommended to use special macros in order to   |
| have Mainsail fully functional and working.           |
|                                                       |
| The recommended macros for Mainsail can be seen here: |
| https://github.com/mainsail-crew/mainsail-config      |
|                                                       |
| If you already use these macros skip this step.       |
| Otherwise you should consider to answer with 'yes' to |
| download the recommended macros.                      |
\=======================================================/
###### Download the recommended macros? (Y/n):

Type Y and Enter to continue. Once the prompt below appears, the Mainsail installation is complete and you will be returned to the Kiauh install menu.

#=======================================================#
 Mainsail has been set up!
#=======================================================#

Type B then Enter to go back, then Q and Enter to quit Kiauh. And that's it! You're done!

Install Complete

You now have a fresh install of Klipper, Moonraker and Mainsail that you can begin using immediately. Using your desired browser, go to the URL of your printer; this could be the hostname (by default voron-02-pro) or the IP address. For me this was http://voron-02-pro.local. You should now see a fresh installation of Mainsail; note that there will be an error, as we have not configured anything yet.
