WinAFC - http://affinitychanger.sourceforge.net/
It's not my program, but I find it VERY useful. This will keep all of your miners on one cpu, and not keep your other cores running at 100%. Since I have a 6core workstation, having 4 miners open ties up 4 cores. Not anymore. Less CPU utilization also equals less power consumption.
My config file for demonstration:
E:\Program Files (x86)\GUIMiner\guiminer\phoenix.exe := CPU1
E:\Program Files (x86)\GUIMiner\guiminer\poclbm.exe := CPU1
Enjoy!
|
|
|
Hey Mike, I like where you are going with this but the cookie implementation appears to be broken and your register function is currently broken as well. Is the latest master supposed to be a working checkout or are you in the middle of reworking things? Some things I noticed:
- register.php simply doesn't work. I had to make the following changes to get it to work:
$testUserQ = mysql_query("SELECT id FROM webUsers WHERE username = '".$username."' LIMIT 1");
//If not, create new user
//if (!$testUserQ) {
if (($testUserQ == false) || (mysql_num_rows($testUserQ) == 0)) {
- logout.php simply doesn't work. Once logged in it's impossible to logout without the session either timing out (didn't try to wait for this) or manually updating/removing the timestamp in the webUser table.
Also you use a meta refresh in logout and login but wouldn't a header("Location: /index.php"); be nicer? Or something alike?
I'm curious who is doing your security audit? You mention that you are getting one done but no details about this.... this might be a good point to expand on since security with web apps is always difficult to get right.
Also you might want to look into the webmin running on your server...if it's v1.54, it's vulnerable to an XSS attack that can result in root user privileges for a remote attacker.

I think a few unintended things snuck into the last checkout. I'm about halfway through with the v2 code, and I'm trying to keep it out of master for now. I had an outpatient spinal procedure done today, so nothing will be checked in tonight. Hopefully I can have a demo of the new work on the test-net soon for some real-world testing and viewing.
As for the security audit, I'm handling them. I'm using internal tools from my professional work, along with acunetix & nmap so far. The current v2(&1.1) code checks out clear so far. If you have any additional recommendations, I'd love to hear them.
I'm not using webmin 1.54 on my production machines. Once back in production, ssh should suffice for the live server. I like to keep production running as lean as possible.
In the future, I'll branch new code and keep the master at the latest 100% stable version.
|
|
|
I tried to use the git version of adminPanel with my existing install (not latest git) - it doesn't show anything... the old adminPanel didn't do anything. How do I reset a user's password? Can I go into the sql database and add shares into a table to make up for the fact that I had to delete the user's duplicate entries? Also BUG: You can register the same username more than once.

What is the php error from adminPanel? It should display if you have the admin flag.

Nothing, I get a blank area where the panel normally is, but the rest of the page loads fine (the template.) I have admin set on the account. The reason I updated is you said you fixed some things and security. Is v2 going to allow seamless upgrade from v1?

You could downgrade the adminPanel to the previous version, the fixes to adminpanel were antiXSS related. If you are the only admin, cross-site scripting shouldn't be an issue on that page. Can you momentarily turn on php display_errors to see what's hanging? Or check the apache log? For v2 it will not be seamless, it will require DB changes. I will create an upgrade sql script though.
|
|
|
Just added some minor updates I wanted to roll in before v2 and the required sql changes. v2 is well under way. I may roll it out before I finish all the sql optimizations. However, the biggest optimization will be included (read: archiving shares_history once counted).
|
|
|
I tried to use the git version of adminPanel with my existing install (not latest git) - it doesn't show anything... the old adminPanel didn't do anything. How do I reset a user's password? Can I go into the sql database and add shares into a table to make up for the fact that I had to delete the user's duplicate entries? Also BUG: You can register the same username more than once.

What is the php error from adminPanel? It should display if you have the admin flag. I haven't implemented password reset, I'll add that to the adminPanel and a user option based on email. If you want to do it manually, update the pass in webUsers to sha256 of pw+your salt. Your best bet for solving miner-related issues is to update shares or shares_history username to the new miner id, but dummy shares should work. As for the bug, set your username in webUsers to unique. That should stop duplicates for now. I'll add a proper check in the next version.
|
|
|
Big bugfix to the main cronjob!
was setting the counted enum by int.
to fix affected records:
stop cronjob
apply patch
get latest confirmed block:
    select blockNumber from networkBlocks where confirms > 119
update shares_history:
    update settings_history set counted='1' where counted=1 and blockNumber <= (above last blocknumber)
    update settings_history set counted='0' where counted=0 and blockNumber > (above last blocknumber)
start cronjob
I don't think it affected payouts, but it should have played hell with stats. However, to be sure, I'm disclosing the issue.
The entire shares_history workings are already very overhauled for v2. I'm implementing a condensed shares_counted table to keep shares_history much leaner.
|
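The integer-versus-string ENUM behaviour behind the cronjob fix in the post above, as an added MySQL example that is not part of the original thread or the SimpleCoin code. The scratch table enum_demo is hypothetical, and the declaration ENUM('0','1') is an assumption based on the values quoted in the post.

```sql
-- Added example; scratch table, not the SimpleCoin schema.
-- Assumption: counted is declared ENUM('0','1'), as the quoted values suggest.
CREATE TEMPORARY TABLE enum_demo (
  id          INT AUTO_INCREMENT PRIMARY KEY,
  blockNumber INT NOT NULL,
  counted     ENUM('0','1') NOT NULL DEFAULT '0'
);

-- Non-strict mode, so the invalid write is stored instead of rejected.
SET SESSION sql_mode = '';

-- Buggy writes: an unquoted integer is taken as the 1-based member index.
INSERT INTO enum_demo (blockNumber, counted) VALUES (100, 1);  -- index 1 is member '0'
INSERT INTO enum_demo (blockNumber, counted) VALUES (200, 0);  -- index 0 is the '' error value

-- Intended writes: quoted strings select the member by name.
INSERT INTO enum_demo (blockNumber, counted) VALUES (300, '1');
INSERT INTO enum_demo (blockNumber, counted) VALUES (400, '0');

-- Audit: counted+0 exposes the stored index next to the string value.
SELECT id, blockNumber, counted, counted+0 AS member_index
FROM enum_demo ORDER BY id;

-- Integer comparison matches on index, string comparison on the member name.
SELECT id FROM enum_demo WHERE counted = 1;    -- rows stored as '0'
SELECT id FROM enum_demo WHERE counted = '1';  -- rows stored as '1'
SELECT id FROM enum_demo WHERE counted = 0;    -- rows holding the '' error value

-- Strict mode rejects the index-0 write instead of storing '' silently.
SET SESSION sql_mode = 'STRICT_ALL_TABLES';
INSERT INTO enum_demo (blockNumber, counted) VALUES (500, 0);  -- fails in strict mode
```

This is why the repair statements in the post filter on unquoted counted=1 and counted=0 but write the quoted values '1' and '0'.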
|
|
So far with the latest code, I'm passing security audits with flying colors.
If anyone notices anything, please let me know in a PM or feel free to send your own commits to the source for me to review.
Version 2 is well under way with db changes that will hopefully reduce MySQL's requirements.
|
|
|
Anyone know how to tag a specific commit? This is my 1st run using git for version control.
|
|
|
hey you updated the git repo while i was making a patch: http://paste.ubuntu.com/624849/or 55c55 < $authPin = (int) $_POST["authPin"]; --- > $authPin = (string) $_POST["authPin"]; 89c89 < if(!is_int($authPin)){ --- > if(!is_numeric($authPin)){
in register.php
This makes it so your pin can start with zero. or 2 zeros. or 3. this affected 2 out of three people on my new pool already :-p

Thanks for that, I'll make sure it gets in the repo
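Review bot: on the line 89 change, is_numeric() accepts more than a digits-only PIN: a leading sign, a decimal point, exponent forms such as "1e3" and leading whitespace all pass `if(!is_numeric($authPin)){`. Now that line 55 keeps the value as a string, ctype_digit($authPin) together with an explicit length check would accept leading zeros and nothing else. Line 55 also reads $_POST["authPin"] without first checking that the key is set.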
|
|
|
Is simplecoin.us being ddos'd? I can't access it and haven't been able to for the last 2 hours.
It was being ddos'd, I took it down to fix. Now that it is down, I'm going to take a few extra days to lock my server down. The site will be up before the pool, and I'm thinking about creating a testnet site for demoing/testing the newer versions.
|
|
|
yes, pushpool fills shares, gets worker info from pool_worker.
sc fills the rest with cronjobs & user input.
|
|
|
right, pushpool uses the shares & pool_worker tables and should share them with simplecoin.
If you want, you could in theory remove shares & pool_worker from the sc database
|
|
|
The php pages aren't showing any worker stats even though a worker is connected to the pushpoold backend using the username and password set on the account details page. Did i screw a database step up?
sounds like the workers.php cronjob isn't running. this updates that stat.

Nah, it's like the database for pushpool can't see the database for simplecoin and vice versa, because my worker is connected and has done 800 shares, but neither the main hashrate nor my account details have any indication that any work has been done - IE no payment. Is there something I am missing? There's no documentation for any of this stuff!!!

Ah, pushpool & simplecoin should be using the same database.
|
|
|
For reference, do you have an estimated date of launch? So I, and everyone else can keep an eye open for it! And, Thanks for the hard work!
Not yet, but I'm estimating mid-week.
|
|
|
Update to source: bug fix on adminPanel. Some security fixes in place such as anti XSS injection and additional sql escaping.
Security fixes are untested, but I thought I should include them before calling it a day.
|
|
|
Use SDK 2.1 and reinstall GUIminer
SDK 2.1 will not work with a 6xxx card. Install SDK 2.2 if you are using 64bit windows, for some reason SDK 2.4 does not install correctly. Once it is installed you will see both SDKs available. Make sure to use --platform 0 or --platform 1 in your flags.
|
|
|
I appreciate the kind words. Unfortunately the timing of these attacks (not just ddos, people were attempting exploits, none succeeded) was also during a time when I was mostly unavailable. I am going to have the site locked down when I bring it back up. DDOS protection, complete security, and better explanation of stats to avoid confusion.
All of your hard work is being kept. Any shares you contributed will be counted. While the site/pool is down, I will try to accommodate anyone with a positive available (not estimated) balance who wants to cashout.
|
|
|
The php pages aren't showing any worker stats even though a worker is connected to the pushpoold backend using the username and password set on the account details page. Did i screw a database step up?
sounds like the workers.php cronjob isn't running. this updates that stat.
|
|
|
I'm not a php dev, and this is the first php project I've done in about 8 years.
I value the open source spirit and like what you're doing (the idea behind it), but if you're unsure about your capabilities of publishing/writing/maintaining safe PHP code, then add a disclaimer or find someone willing to maintain/audit your work. Besides, SQL injection and XSS aren't isolated to just PHP.. People could lose user data and/or bitcoins (and more), and will then blame you/simplecoin.. Check your PM for some details.

Got it, will definitely fix the holes you recommended and add a disclaimer, thank you for your input.
|
|
|
Simplecoin - I think it will be best, if you keep the pool offline for a few days, fix the DDoS vulnerability and make it more stable. If you let it run the way it currently does, you will scare away your entire userbase.

Agreed, pool is offline. I will put the site back up in a bit so those with an available balance can cashout.
|
|
|
|