Title: Close bitcoind for incoming connections
Post by: Yzord on February 22, 2015, 06:04:25 PM

I have set up an Electrum server and I am now downloading the BTC blockchain. The tutorial of Electrum tells me it is better to "close bitcoind for incoming connections".

I am not that good with iptables, so is there anyone who can offer me the string to put in iptables for closing bitcoind for incoming connections?

Title: Re: Close bitcoind for incoming connections
Post by: Newar on February 22, 2015, 06:09:33 PM

If you have never opened it, consider it closed. Check here for port 8333 and your external IP (whatismyip.com): http://www.yougetsignal.com/tools/open-ports/

Does it say why they recommend that?

Title: Re: Close bitcoind for incoming connections
Post by: Yzord on February 22, 2015, 06:12:52 PM

Yeah, for security issues.

Quote:
    To increase security you may want to close bitcoind for incoming connections and connect outbound only

And port 8333 is open :( I have installed UFW, so is doing "sudo ufw deny 8333" enough? I don't want to lose my ssh login.

Title: Re: Close bitcoind for incoming connections
Post by: Newar on February 22, 2015, 06:25:47 PM

I would do:

    ufw status numbered

Look at the number of the rule for port 8333, say it's x, then:

    ufw delete x

Check http://man.he.net/man8/ufw

Edit: If it says it's open and your server is "at home", check your router config as well and close it there too.

Title: Re: Close bitcoind for incoming connections
Post by: Yzord on February 22, 2015, 06:31:17 PM

It says:

Quote:
    bitcoin@electrum:~$ sudo ufw status numbered
    Status: inactive

I need to enable it, but I'm afraid I lose my ssh so I can't get in anymore :) I have set ufw allow 22 though.

Title: Re: Close bitcoind for incoming connections
Post by: Newar on February 22, 2015, 06:40:58 PM

Quote:
    [...] I need to enable it, but I'm afraid I lose my ssh so I can't get in anymore :) I have set ufw allow 22 though.

Hm, no wonder everything is open then, unless you set the rules somewhere else. You can do ufw --dry-run enable to see what "would" happen. Is this on a VPS? Does it offer a "serial console" for recovery? (You would see this option on your config panel, if any.)

Title: Re: Close bitcoind for incoming connections
Post by: Yzord on February 22, 2015, 06:46:33 PM

Yeah, my VPS control panel shows a console... I mean, I can send commands, but it does not show a terminal or something. But when I fill in "top" I get:

    Return code: 1
    Output: top: failed tty get

So it would get excited to run it haha. I have put

    ufw allow proto tcp from any to any port 22

into ufw. Shall I just do it? The BTC blockchain is still downloading though... hopefully I won't fuck it up :P

Title: Re: Close bitcoind for incoming connections
Post by: Newar on February 22, 2015, 06:51:58 PM

It wouldn't affect your download much. You can run ufw commands with "--dry-run" to see what "would" happen. Just passing a rule won't make it active yet. At one point you will have to run "ufw enable" to make your rules work. Again, check http://man.he.net/man8/ufw

Title: Re: Close bitcoind for incoming connections
Post by: Yzord on February 22, 2015, 06:58:25 PM

Ok, that didn't work well. I started ufw and my ssh connection got closed and also blocked. Could stop ufw from the console in the VPS control panel though.

Looks like it is not accepting pre-pushed rules or something. Now I get this when I restart:

    Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
    ERROR: problem running ufw-init
    modprobe: ERROR: ../libkmod/libkmod.c:507 kmod_lookup_alias_from_builtin_file() could not open builtin file '/lib/modules/2.6.32-042stab094.7/modules.builtin.bin'
    modprobe: FATAL: Module nf_conntrack_ftp not found.
    modprobe: ERROR: ../libkmod/libkmod.c:507 kmod_lookup_alias_from_builtin_file() could not open builtin file '/lib/modules/2.6.32-042stab094.7/modules.builtin.bin'
    modprobe: FATAL: Module nf_nat_ftp not found.
    modprobe: ERROR: ../libkmod/libkmod.c:507 kmod_lookup_alias_from_builtin_file() could not open builtin file '/lib/modules/2.6.32-042stab094.7/modules.builtin.bin'
    modprobe: FATAL: Module nf_conntrack_netbios_ns not found.
    iptables-restore: line 4 failed
    iptables-restore: line 77 failed
    iptables-restore: line 38 failed
    ip6tables-restore: line 4 failed
    ip6tables-restore: line 73 failed
    ip6tables-restore: line 38 failed
    sysctl: permission denied on key 'net.ipv4.tcp_sack'
    Problem running '/etc/ufw/before.rules'
    Problem running '/lib/ufw/user.rules'
    Problem running '/etc/ufw/before6.rules'
    Problem running '/lib/ufw/user6.rules'

grr :)

Title: Re: Close bitcoind for incoming connections
Post by: Newar on February 22, 2015, 07:02:39 PM

What VPS provider?

Can you check if any other ports are open? For example 8335 or 45944. If that's the case it means your whole VPS is open to intruders. Ask your VPS provider how to go about that. There should be a way to define your own FW rules. Did you install ufw or was it already there?

Title: Re: Close bitcoind for incoming connections
Post by: Yzord on February 22, 2015, 07:09:43 PM

According to the online port scanner 22 & 25 are open, the rest are closed, so I guess it is fully open, but no daemons running.

I installed ufw myself on a minimal Ubuntu version.

Title: Re: Close bitcoind for incoming connections
Post by: Newar on February 22, 2015, 07:17:52 PM

Which Ubuntu? I had issues one time with 12.04 and ufw. Can you list your iptables rules? I.e.:

    sudo iptables -L

Reference: https://help.ubuntu.com/community/IptablesHowTo

Title: Re: Close bitcoind for incoming connections
Post by: Yzord on February 22, 2015, 07:22:21 PM

Quote:
    Chain INPUT (policy ACCEPT)
    target                    prot opt source      destination
    ufw-before-logging-input  all  --  anywhere    anywhere
    ufw-before-input          all  --  anywhere    anywhere
    ufw-after-input           all  --  anywhere    anywhere
    ufw-after-logging-input   all  --  anywhere    anywhere
    ufw-reject-input          all  --  anywhere    anywhere
    ufw-track-input           all  --  anywhere    anywhere

    Chain FORWARD (policy ACCEPT)
    target                      prot opt source      destination
    ufw-before-logging-forward  all  --  anywhere    anywhere
    ufw-before-forward          all  --  anywhere    anywhere
    ufw-after-forward           all  --  anywhere    anywhere
    ufw-after-logging-forward   all  --  anywhere    anywhere
    ufw-reject-forward          all  --  anywhere    anywhere
    ufw-track-forward           all  --  anywhere    anywhere

    Chain OUTPUT (policy ACCEPT)
    target                     prot opt source      destination
    ufw-before-logging-output  all  --  anywhere    anywhere
    ufw-before-output          all  --  anywhere    anywhere
    ufw-after-output           all  --  anywhere    anywhere
    ufw-after-logging-output   all  --  anywhere    anywhere
    ufw-reject-output          all  --  anywhere    anywhere
    ufw-track-output           all  --  anywhere    anywhere

    Chain ufw-after-forward (1 references)
    target     prot opt source      destination

    Chain ufw-after-input (1 references)
    target     prot opt source      destination

    Chain ufw-after-logging-forward (1 references)
    target     prot opt source      destination

    Chain ufw-after-logging-input (1 references)
    target     prot opt source      destination

    Chain ufw-after-logging-output (1 references)
    target     prot opt source      destination

    Chain ufw-after-output (1 references)
    target     prot opt source      destination

    Chain ufw-before-forward (1 references)
    target     prot opt source      destination

    Chain ufw-before-input (1 references)
    target     prot opt source      destination

    Chain ufw-before-logging-forward (1 references)
    target     prot opt source      destination

    Chain ufw-before-logging-input (1 references)
    target     prot opt source      destination

    Chain ufw-before-logging-output (1 references)
    target     prot opt source      destination

    Chain ufw-before-output (1 references)
    target     prot opt source      destination

    Chain ufw-reject-forward (1 references)
    target     prot opt source      destination

    Chain ufw-reject-input (1 references)
    target     prot opt source      destination

    Chain ufw-reject-output (1 references)
    target     prot opt source      destination

    Chain ufw-track-forward (1 references)
    target     prot opt source      destination

    Chain ufw-track-input (1 references)
    target     prot opt source      destination

    Chain ufw-track-output (1 references)
    target     prot opt source      destination

Those are my rules... not much lol. It is Ubuntu 14.04 64-bit.

Title: Re: Close bitcoind for incoming connections
Post by: Yzord on February 22, 2015, 07:39:55 PM

Strange:

    Status: active

         To                         Action      From
         --                         ------      ----
    [ 1] 8333                       DENY IN     Anywhere
    [ 2] 22                         ALLOW IN    Anywhere
    [ 3] 22/tcp                     ALLOW IN    Anywhere
    [ 4] 8333 (v6)                  DENY IN     Anywhere (v6)
    [ 5] 22 (v6)                    ALLOW IN    Anywhere (v6)
    [ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

But I still can't get in with ssh, while the port seems to be open. Perhaps the hardware node is blocking it, but I installed OpenVPN on this server once before and that worked.

Title: Re: Close bitcoind for incoming connections
Post by: zvs on February 23, 2015, 08:52:41 AM

Quote:
    I have set up an Electrum server and I am now downloading the BTC blockchain. The tutorial of Electrum tells me it is better to "close bitcoind for incoming connections".

Well, you could just set listen=0 in the bitcoin.conf file.

Quote:
    I am not that good with iptables, so is there anyone who can offer me the string to put in iptables for closing bitcoind for incoming connections?

I'd say you should change your ssh port, but I guess it doesn't matter if you don't mind log spam... Have you checked /etc/ssh/sshd_config? Maybe it isn't listening on port 22.

Netfilter is an iptables dependency; that should have the conntrack modules. Boggle.

Title: Re: Close bitcoind for incoming connections
Post by: Yzord on February 23, 2015, 03:40:28 PM

Thanks!
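As an added example (not from the thread or any of its posters), the following pre-flight script checks the two things that went wrong above before running ufw enable: whether an ALLOW IN rule actually covers the SSH port, and whether the kernel can load the netfilter helper modules that ufw-init needs, which the container kernel in the thread could not. It also reports whether zvs's listen=0 setting is present in bitcoin.conf as the fallback. It assumes ufw is installed, the script runs as root, SSH listens on $SSH_PORT (22 here) and bitcoin.conf is at $BTC_CONF.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks to run (as root) before
# `ufw enable`. Assumptions: SSH listens on $SSH_PORT (22 in the thread) and
# bitcoin.conf is at $BTC_CONF; both can be overridden from the environment.
# The helper module names are the ones from the thread's modprobe errors.
SSH_PORT="${SSH_PORT:-22}"
BTC_CONF="${BTC_CONF:-$HOME/.bitcoin/bitcoin.conf}"
HELPER_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

# Read `ufw status numbered` output on stdin; succeed if an ALLOW IN rule
# covers the SSH port ("22", "22/tcp" and "22 (v6)" forms all count).
has_ssh_allow() {
    grep -Eq "^\[ *[0-9]+\] +${SSH_PORT}(/tcp)?( \(v6\))? +ALLOW IN"
}

# zvs's alternative: with listen=0 bitcoind accepts no inbound peers at all.
# Succeed if the config file sets it (comment lines and spacing ignored).
bitcoind_listen_disabled() {
    grep -Eq '^[[:space:]]*listen[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1" 2>/dev/null
}

# Print each helper module modprobe cannot resolve; any output means
# /etc/ufw/before.rules will fail to load, exactly as in the thread.
missing_netfilter_modules() {
    for m in $HELPER_MODULES; do
        modprobe -n -q "$m" 2>/dev/null || echo "$m"
    done
}

preflight() {
    missing=$(missing_netfilter_modules | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "kernel cannot load: $missing; ufw enable will fail on this host."
        echo "Fallback: set listen=0 in $BTC_CONF and restart bitcoind."
        return 1
    fi
    if ! ufw status numbered | has_ssh_allow; then
        echo "No ALLOW IN rule for port $SSH_PORT; add one first:"
        echo "  ufw allow proto tcp from any to any port $SSH_PORT"
        return 1
    fi
    bitcoind_listen_disabled "$BTC_CONF" ||
        echo "Note: listen=0 not set; relying on the 8333 DENY rule alone."
    ufw --dry-run enable   # prints the rule set without activating it
}
# Act only when invoked as `sh preflight.sh run`; sourcing just loads functions.
if [ "${1:-}" = "run" ]; then preflight; fi
```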