Bitcoin Forum
May 24, 2024, 02:51:54 AM *
  Show Posts
1741  Bitcoin / Bitcoin Technical Support / Re: Linux noob trying to run bitcoin via SSH on: July 21, 2011, 02:27:01 PM
VPS Servers require CentOS 5, because it's still the only OS to run with Kloxo, which is the best option to run as replacement of a regular hosting; which is the primary use of a VPS; and the system flavor which requires less memory to run as a whole.

Gentoo/Knoppix in a VPS, you need to be insane to try that one, since you can't touch the Kernel, what's the use? Blast your memory (and I don't know about your experiences with VPS's, but there's no swap nor any RAM virtualization, if you run out of physical memory the only thing to do is a VPS reboot as the system will hang) with builds?

Quote
uses much memory, and it needs to be run sometimes, because of security upgrades.
In order to replace old bugs with new ones...  Grin
1742  Other / Politics & Society / Re: Religion is a plague on: July 20, 2011, 11:30:42 PM
Religion... because knowing you'll die someday is a pain!  Roll Eyes

That's all it rounds to; because people are so afraid of dying and going to be eaten by worms that they prefer to believe in "Paradises". And to go to those "Paradises" you need to act like an irrational freak preaching for a "God" 1000x worse than Ghaddafi and with a shitload of egocentric issues demanding you to "worship without question" that phony "Eternal dictator"...
Just too bad, religion is a notorious scam, and that God was created by the scammers. No God, no Paradise and the worms still wait for you underground... sucks! But reality is as cold as steel and won't be changed by your delusions.
1743  Bitcoin / Bitcoin Technical Support / Re: Monit not automatically starting bitcoind on: July 18, 2011, 07:11:26 PM
Try to start your bitcoind manually and see if it starts, also make sure the datadir is world writable, as monit doesn't run under your user.

I normally do as so, for that setup:

sudo (or as root) mkdir /bitcoin
chmod 777 /bitcoin
start program "/usr/local/bin/bitcoind -pid=/var/run/bitcoind.pid -datadir=/bitcoin -daemon"

You can also chown and chgrp your /bitcoin folder to the user monit runs under if you don't want to have it with 777 permission.
1744  Bitcoin / Bitcoin Technical Support / Re: zero connections on: July 18, 2011, 07:08:23 PM
Try to add some nodes in your bitcoin.conf

eg:

addnode=biddingpound.com
1745  Bitcoin / Bitcoin Technical Support / Re: Linux noob trying to run bitcoin via SSH on: July 18, 2011, 07:07:23 PM
You can not update the Kernel in a VPS! Because the Kernel is shared with the main machine. VPS's are not VDS's.
Haha, good to know...!

VPS vs VDS Pros: They're way cheaper

VPS vs VDS Cons: Everything else.  Grin

A VPS is just like a shared host, except that each container has its own IP and shell. But from the main machine they look like: /vps/vps1/<and your filesystem>, /vps/vps2/<other guy filesystem>(...) whereas a VDS/DS mounts exactly at / and can have its own Kernel, swap and filesystem.
Actually one thing to look carefully with VPS's is the memory, because it has no swap or any virtualization of memory, if you run out of memory your system will most likely hang.
1746  Bitcoin / Bitcoin Technical Support / Re: Linux noob trying to run bitcoin via SSH on: July 18, 2011, 01:03:43 PM
You can not update the Kernel in a VPS! Because the Kernel is shared with the main machine. VPS's are not VDS's.
1747  Bitcoin / Bitcoin Technical Support / Re: Linux noob trying to run bitcoin via SSH on: July 18, 2011, 12:13:42 AM
The latest bitcoind binary doesn't work under Debian 5, you need to recompile it to old versions of libstdc++
Last version of pre-compiled binaries that works with Debian 5 is 3.21.
I'll probably need to recompile my own, but 32 bit version, so I put the binaries once I take some time to do it.

Welcome to wonderful world of Linux, where versions come after each others for no reason at all...
Hail to Cobol! Since 1960 to our days minimal changes and versions came out.
The reason? When you create something that just works, you don't need to keep releasing new versions. BSD is also stable, so you don't see any new version of BSD "pooping out every year", now Linux... is just in competition with Windows when it comes to see which of them crashes most!  Grin
1748  Bitcoin / Bitcoin Technical Support / Re: pls help: how to send Optional arguments in PHP with jsonRPC on: July 17, 2011, 11:58:53 PM
The proper way is:

  echo $bitcoin->getreceivedbylabel("user1",2);
1749  Bitcoin / Project Development / Re: [Pre Alpha] PHPCoin on: July 17, 2011, 04:02:32 PM
Pre-Alpha was released.

http://www.bcommerce.biz/phpcoin-pre-alpha-release.zip

 Smiley

EDIT: Sry for the first to download, I forgot to include the sql dump. If your pack is missing a phpcoin.sql file, just download again.
1750  Bitcoin / Project Development / Re: [Pre Announcement] PHPCoin on: July 17, 2011, 05:38:28 AM
Paranoia isn't "common sense".

MtGox wasn't hacked, wasn't injected... simply put a db dump in the wrong hands. Do not try to circumvent "human errors" with "ultra-paranoia security level" on informatics, computers can't do anything about human errors anyway.

Other than that it was supposed to be "common sense" that if you don't come to realize your db was compromised in the first place, it doesn't quite matter whatever you choose to encrypt whatsoever.
M'Tux hadn't realized what happened, because all of these "sudden security experts" came out from MtGox's attack, he hadn't realized his db was compromised, so whoever was behind the attacks would have all the time in the World to do what he wants. At "best", he would be slowed down, nothing else.

For the "tips" received so far; there's nothing to gain and it generates inconsistent code to follow those sort of "advices". Will "clean up" what? Every time it goes to db already within the code?! It would output:

$user = "my'user";
first (AND ONLY - that's the way to do it) clean up:
$user = "my\'user";
select...where user like '$user'...

Now... supposing I would go for a second clean up, as the data will hit the db again:
$user = "my\\\'user";
see anything wrong here?

The potential attack surface is inside the code. If the code is compromised (means you download it from somewhere you shouldn't anyway) it can be compromised in several ways without the need for "SQLi". Why bother if the attacker can simply mysql_query("whatever he wants here");?!

Today I didn't code, was around that Cinfu VPS (tip: don't go to vps 1, 2+).


BOTTOM LINE:

Help needed
A way to figure out network fees before the transaction
Graphics/CSS

Help NOT needed (or welcome)
Your paranoia level - yeah, it's open source, you can put all your paranoia into it as soon as you get the code.
1751  Bitcoin / Project Development / Re: [Pre Announcement] PHPCoin on: July 16, 2011, 08:03:25 PM
Are you serious? You guys are still using direct query statements? That's wayyyyy 2008.

If you just want to get the mess of sanitizing every fucking thing, prepared statements are the way to go.

not "guys" just "guy", the rest of us are just trying to tell him the same thing: that it's better to go prepared statements Cheesy


And suddenly all became affected by security paranoia...

Actually for someone to do that, he needs to tamper with the code; means whoever downloads it, downloads it tampered, and unless can check it is pretty much f***ed anyway no matter what I do or don't.
1752  Bitcoin / Project Development / Re: [Pre Announcement] PHPCoin on: July 16, 2011, 07:00:41 PM
All your points are needless actually.
If someone gets to be dumb enough to do something like:

$user .= "'; DROP users";

then such person isn't a coder (is an attacker at best) and therefore has no reason to touch the code at all.
1753  Bitcoin / Project Development / Re: [Pre Announcement] PHPCoin on: July 16, 2011, 04:35:46 PM
Xephan,

That's senseless! You're implying I may "inject myself" along the code. The vars must be cleaned up on entry, as they will go to mysql more than once.

Eg. upon register:

query 1: select * from users where user like '$user'
to check whether there's already one account registered with that username
later
select * from users where email like '$email'
to ensure unique emails... etc

There're no more changes in the var that may get it injected along the way until the inserts. Passwords don't require cleaning up because they always hit the db hashed.

Now... for the question I put above. Any answer?
BTW, I bought a VPS with cinfu.com and will put the project and demo there.
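
Added example, not part of the original posts and not PHPCoin code: the registration lookups above compare an escaped value with LIKE, and the "second clean up" question in the later post comes from the same escape-and-interpolate pattern. This sketch runs both lookups side by side; it assumes PDO with an in-memory SQLite database (using `PDO::quote()` in place of `mysql_real_escape_string()`), a constructed `users` table and constructed names.

```php
<?php
// Added example (not PHPCoin code): constructed table and rows, PDO + SQLite in memory.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT UNIQUE, email TEXT UNIQUE)");
$pdo->exec("INSERT INTO users (user, email) VALUES ('alice', 'alice@example.org')");

// Escape-then-interpolate with LIKE, the shape of the lookups quoted above.
// quote() handles the apostrophe, but % and _ still act as wildcards.
function takenLikeEscaped(PDO $pdo, string $user): bool {
    $sql = "SELECT COUNT(*) FROM users WHERE user LIKE " . $pdo->quote($user);
    return (int)$pdo->query($sql)->fetchColumn() > 0;
}

// Bound value compared with '=': never parsed as SQL and never as a pattern.
// Column names cannot be bound, so they come from a fixed allow-list.
function taken(PDO $pdo, string $column, string $value): bool {
    if (!in_array($column, ['user', 'email'], true)) {
        throw new InvalidArgumentException("unexpected column: $column");
    }
    $st = $pdo->prepare("SELECT COUNT(*) FROM users WHERE $column = :v");
    $st->execute([':v' => $value]);
    return (int)$st->fetchColumn() > 0;
}

// The raw value passes through three statements unchanged; no step has to
// decide whether it was already escaped.
function register(PDO $pdo, string $user, string $email): bool {
    if (taken($pdo, 'user', $user) || taken($pdo, 'email', $email)) {
        return false;
    }
    $st = $pdo->prepare("INSERT INTO users (user, email) VALUES (:u, :e)");
    return $st->execute([':u' => $user, ':e' => $email]);
}

// Compare both lookups on plain names, wildcard names and a name with a quote.
foreach (["alice", "bob", "a%", "_lice", "my'user"] as $candidate) {
    printf("%-8s like+escape=%-5s bound=%s\n", $candidate,
        var_export(takenLikeEscaped($pdo, $candidate), true),
        var_export(taken($pdo, 'user', $candidate), true));
}
var_dump(register($pdo, "my'user", "my@example.org"));    // first registration
var_dump($pdo->query("SELECT user FROM users WHERE id = 2")->fetchColumn());
var_dump(register($pdo, "my'user", "other@example.org")); // same user name again
```

The two lookups agree on the plain names and on the name containing an apostrophe; they differ only on the names containing `%` or `_`, which LIKE treats as patterns.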
1754  Bitcoin / Project Development / Re: [Pre Announcement] PHPCoin on: July 16, 2011, 11:39:56 AM
@BCEmporium: Sorry for the off-topic, but do you need to have VPN to use cron in PHP or will most any web server allow it? I have always thought of it as a potential resource hogging liability for web servers and that's why I didn't expect anyone to provide it, but if it's there, this gives me a few ideas for how I can make my site better.

This is designed to:

Your own box
Your own Virtual Machine
A VPS/VDS/Dedicated Server

As you need to install software, such as bitcoind, this is not suitable for shared hosting.

Now a doubt

Anyone knows how to make bitcoind check whether a transfer fee will be paid before it does anything?
I can't figure that one out, so I'll code this way:

Total available amount = balance - 0.0005
Check the transaction after, if a fee was paid remove the 0.0005 from the user's account, if not leave it there.
1755  Bitcoin / Project Development / Re: [Pre Announcement] PHPCoin on: July 15, 2011, 11:53:05 PM
@AnnihilaT I keep saying the most important feature of password security is you to *know* your db was compromised, encryption will only make you gain some time to do something about... but they don't believe it.

Now... while waiting another deposit to get 6 blocks, to test deposit forwarding, here're some screens of what has been made so far:








Database "config" table look:



Roadmap to PreAlpha: Withdraw functions - once done I'll pre-release it by my website. Alpha will be at SourceForge or GitHub
1756  Bitcoin / Project Development / Re: [Pre Announcement] PHPCoin on: July 15, 2011, 08:13:21 PM
@btcash,

The project is open source, when I release it you're welcome to implement whatever procedure to store passwords you want.

@smoothie

This isn't usable to mine anything, it's a storage frontend, not a mining one. Can be used, with some changes, to store namecoins also.
1757  Bitcoin / Project Development / Re: [Pre Announcement] PHPCoin on: July 15, 2011, 04:20:55 PM
Even though your way is secure (as long as you remember to call your function on all the values) I'd recommend using prepared statements with PDO, much cleaner and safer. Take a look on the PHP manual for more info.

PDO requires PDO and PECL, that's already alone dirtier than dirt can be.  Wink

As I'm off now for a while, here's the incomplete code of the cron (it should run like each 5 minutes by php-cgi or so), hope this already gives you a better clue of what I'm working on:

Code:
<?php
  define("_V",1);
  //This file must NOT be accessible from the Web!
  $coin_install_path = "/web/default/public_html";
  include($coin_install_path ."/sys/config.php");
  include($coin_install_path ."/inc/general_functions.php");
  error_reporting(E_ALL);
  ini_set("display_errors",1);
  include($coin_install_path ."/classes/jsonRPCClient.php");

  //Starting CRON sequence
  $b = new jsonRPCClient("http://$btc_user:$btc_pass@127.0.0.1:8332");

  //Checking for new deposits
  $accounts = $b->listaccounts((int)$config['confirmations']['value']);

  foreach($accounts as $k => $a){
      if($a == 0) continue; //Nothing to do
      $acc = explode("_",$k);
      if(!is_array($acc) || sizeof($acc) != 3) continue; //Invalid account identifier
      //The ids go unquoted into the queries below, so force them to integers
      $acc[1] = (int)$acc[1];
      $acc[2] = (int)$acc[2];
      //Get the account
      $sql = "SELECT * FROM accounts WHERE uid = {$acc[1]} AND account_id = {$acc[2]}";
      $q = mysql_query($sql);
      if(!mysql_num_rows($q)) continue; //Account not found
      $act = mysql_fetch_assoc($q);
      //Move the deposit to the central account
      $b->move($k,$config['central_account']['value'],$a);
      //Last recorded balance for this account, 0 if it has no movements yet
      $prevBal = 0;
      $sql = "SELECT balance FROM movements WHERE account_id = {$act['id']} ORDER BY id DESC LIMIT 0,1";
      $q = mysql_query($sql);
      if(mysql_num_rows($q)){
          $pbal = mysql_fetch_assoc($q);
          $prevBal = $pbal['balance'];
      }
      $newBal = $prevBal + $a;
      mysql_query("INSERT INTO movements(`account_id`,`dtime`,`description`,`amount`,`credit`,`balance`) VALUES({$act['id']},'".date("Y-m-d H:i:s")."','Bitcoin deposit',$a,1,$newBal)");
      mysql_query("UPDATE accounts SET balance = balance + $a WHERE id = {$act['id']}");

      //Check if account is forwarded
      if($act['forward'] == 1){
          $isValid = $b->validateaddress($act['forward_to']);
          //Value read back from the db: escape it once here, it is used in every branch below
          $invBTC = makeSQLSafe($act['forward_to']);
          if($isValid['isvalid'] != 1){
              mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid address to forward your deposits to :: $invBTC. Amount remains in your account!')");
          }elseif($isValid['ismine'] == 1){
              //It's forward to a local address, so we just move the balance
              $recAct = explode("_",$isValid['account']);
              if(!is_array($recAct) || sizeof($recAct) != 3){
                  mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid account to forward your deposits to - local account is not an user account :: $invBTC. Amount remains in your account!')");
              }else{
                  $recAct[1] = (int)$recAct[1];
                  $recAct[2] = (int)$recAct[2];
                  $sql = "SELECT * FROM accounts WHERE uid = {$recAct[1]} AND account_id = {$recAct[2]}";
                  $q = mysql_query($sql);
                  if(!mysql_num_rows($q)){
                      mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid account to forward your deposits to - local account not found :: $invBTC. Amount remains in your account!')");
                  }else{
                      $receiver = mysql_fetch_assoc($q);
                      $nextBal = $newBal - $a;
                      mysql_query("INSERT INTO movements(`account_id`,`dtime`,`description`,`amount`,`credit`,`balance`) VALUES({$act['id']},'".date("Y-m-d H:i:s")."','Forward to $invBTC',$a,0,$nextBal)");
                      mysql_query("UPDATE accounts SET balance = balance - $a WHERE id = {$act['id']}");
                      //A small issue; re-forwarded accounts will not forward to prevent loop attacks.
                  }
              }
          }
          // $nextBal = $newBal - $a;
          // $b->sendfrom();
      }
  }
?>
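
Added example, not part of the original post and not PHPCoin code: in the cron above the uid and account id taken from the account label go into SQL unquoted, a position where string escaping gives no protection, and the movement row and the balance update are two separate statements. This sketch parses the label strictly, binds the ids, and wraps both writes in one transaction; PDO with in-memory SQLite, the cut-down tables and the `pc_` label prefix are assumptions made for the demonstration.

```php
<?php
// Added example (not PHPCoin code): constructed tables and labels. The
// "<prefix>_<uid>_<account_id>" label shape is assumed from the cron's explode().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE accounts (id INTEGER PRIMARY KEY, uid INTEGER, account_id INTEGER, balance REAL)");
$pdo->exec("CREATE TABLE movements (id INTEGER PRIMARY KEY, account_id INTEGER, description TEXT, amount REAL, credit INTEGER, balance REAL)");
$pdo->exec("INSERT INTO accounts (uid, account_id, balance) VALUES (7, 1, 0), (8, 1, 5)");

// [uid, account_id] as integers, or null unless the label has exactly three
// parts and both ids are all digits.
function parseLabel(string $label): ?array {
    $parts = explode('_', $label);
    if (count($parts) !== 3 || !ctype_digit($parts[1]) || !ctype_digit($parts[2])) {
        return null;
    }
    return [(int)$parts[1], (int)$parts[2]];
}

function findAccount(PDO $pdo, string $label): ?array {
    $ids = parseLabel($label);
    if ($ids === null) return null;
    $st = $pdo->prepare("SELECT * FROM accounts WHERE uid = ? AND account_id = ?");
    $st->execute($ids);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Movement row and balance update commit together or not at all.
function credit(PDO $pdo, string $label, float $amount): bool {
    $acct = findAccount($pdo, $label);
    if ($acct === null || $amount <= 0) return false;
    $pdo->beginTransaction();
    try {
        $pdo->prepare("INSERT INTO movements (account_id, description, amount, credit, balance) VALUES (?, 'Bitcoin deposit', ?, 1, ?)")
            ->execute([$acct['id'], $amount, $acct['balance'] + $amount]);
        $pdo->prepare("UPDATE accounts SET balance = balance + ? WHERE id = ?")
            ->execute([$amount, $acct['id']]);
        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}
// Constructed labels: one valid, two with non-numeric ids, one unknown uid, one malformed.
foreach (["pc_7_1", "pc_7 OR 1=1_1", "pc_x_1", "pc_9_1", "stray"] as $label) {
    printf("%-14s %s\n", $label, var_export(credit($pdo, $label, 0.5), true));
}
```

Only the first label is credited; the others are rejected before any SQL is built or match no account.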

1758  Bitcoin / Project Development / Re: [Pre Announcement] PHPCoin on: July 15, 2011, 02:37:56 PM
While starting to draft the most important part of the site, the CRON, here're two screens of it so far:




Let me explain also how I had this idea: I want to move my coins to a "minimalistic" Debian VM, and this is a way to access and manage the wallet on that VM.
1759  Bitcoin / Project Development / Re: [Pre Announcement] PHPCoin on: July 15, 2011, 11:24:28 AM
How will this be different from bitcoin-php?  I guess your description is generic enough that I don't quite understand what the purpose of it is...

What is bitcoin-php? The only thing I know by such name is a class.

@smoothie

Not yet. Will put as soon as the basic functions are done. I'm around editing own account at the moment.
1760  Bitcoin / Project Development / Re: [Pre Announcement] PHPCoin on: July 15, 2011, 01:01:24 AM
Hi M'Tux,

Yes, to go live on internet with this system I intend to create some modules, changing passwords to SHA, enforce SSL and add captchas to prevent bruteforcing.

About SQLi, vars are passed this way:

Code:
<?php
isset($_POST['user']) && trim($_POST['user']) ? ($user = makeSQLSafe(trim($_POST['user']))) : ($e[] = "Username missing!");
//... which means to call the function below

function makeSQLSafe($str){
    //Undo magic quotes first so the value is escaped exactly once
    if(get_magic_quotes_gpc()) $str = stripslashes($str);
    //Needs an open mysql_connect() link (legacy ext/mysql API)
    return mysql_real_escape_string($str);
}
?>
