Bitcoin Forum
  Show Posts
1  Bitcoin / Bitcoin Technical Support / Re: Looking for advice on a full node on: August 03, 2021, 07:24:55 PM
I'm assuming that this is nothing, but I'm still curious about how the node works.

I added suricata to the vlan for my node. I've disabled the "emerging-tor.rules", and left the rest of the ETOpen and snort rules on. This results in blocking the IP above (associated with an ipv6 test site) as well as a handful of dns servers (that I didn't assign) making ICMP ECHO REPLY requests. When I do this I still seem to make connections with peers, or at least data continues to be transferred, but I can't access the node from my local network. When I disable the block for the ICMP ECHO REPLY requests I can again access my node and see that I still had 10 peer connections.  

So I'm generally just not understanding what is appropriate traffic through the node and what isn't. It's odd to me that the node requires dns servers other than the one I selected for my network.  


Edited to update:

I ran packet capture and can see that my node is sending out an echo request and receiving a reply to/from a dns server every second.

https://tutorials.cyberaces.org/downloads/pdf/Module2/CyberAces_Module2-Networking-Layer3-Part3-Communication.pdf

The above link (basically ICMP 101) seems to suggest to me that I either have a dns issue that I need to resolve between my new router and the node, or my node is being ID'd. But then there's the fact that I'm not familiar with how tor works.

Sorry to spew my thoughts out in real-time but it'll help me to pick up where I left off as I tend to other irons in the fire. It also seems pertinent to the topic at hand.       
2  Bitcoin / Bitcoin Technical Support / Re: Looking for advice on a full node on: August 03, 2021, 07:33:59 AM
I would really like to know best practices for the firewall. I'm not sure what I can block.

Quote
TCP     Attempted Information Leak     DESTINATION 51.75.78.103:80        ET POLICY curl User-Agent Outbound

Every 10-15 seconds.

I've been looking these up on everything and most of it seems to be false positives, and that's just lan. This was one of the first things I looked at since it's happening so often. I couldn't find much, except:

Quote
Abstract. We show how to exploit side-channels to identify clients without eavesdropping on the communication to the server, and without relying on known, distinguishable traffic patterns. We present different attacks, utilizing different side-channels, for two scenarios: a fully off-path attack detecting TCP connections, and an attack detecting Tor connections by eavesdropping only on the clients. Our attacks exploit three types of side channels: globally-incrementing IP identifiers, used by some operating systems, e.g., in Windows; packet processing delays, which depend on TCP state; and bogus-congestion events, causing impact on TCP's throughput (via TCP's congestion control mechanism). Our attacks can (optionally) also benefit from sequential port allocation, e.g., deployed in Windows and Linux. The attacks are practical - we present results of experiments for all attacks in different network environments and scenarios. We also present countermeasures for these attacks.

https://www.researchgate.net/publication/253954669_Spying_in_the_Dark_TCP_and_Tor_Traffic_Analysis

It's an older paper so nothing new, but it's creepy seeing it in real time. I looked back at my firewall and saw that the ports I'm sending from are sequential, to the same ip listed above over and over. So I'm sending out http packets from sequential ports every 10-15 seconds. Surely this isn't right. It doesn't look like the other traffic.

Quote
The flaw that we identify is that a blind adversary is able to cause a TCP recipient an involuntary reaction by sending arbitrary (spoofed) packets. We propose keeping a small window of acceptable sequence numbers that may be processed. This window resembles the receiver's congestion window, but is more aggressive: while packets outside the congestion window cause a duplicate acknowledgment (which we use in the attacks described in Sections 3-5), packets that specify sequence numbers outside the acceptable-window are silently discarded. The acceptable-window is larger than the host's congestion window and includes it. A congestion window is usually up to 2^16 bytes; an acceptable-window that is twice as large, i.e., 2^17 bytes, will significantly degrade the attacker's ability to conduct all the attacks in this paper. Since the sequence number is 32 bits long, the attacker is required to send ... times the number of packets to conduct similar attacks. However, this technique requires that the firewall will inspect the sequence numbers in incoming TCP packets, which increases the packet processing overhead.

Ideally, I'd like to figure out how to block with pfsense rather than suricata. I just blocked that ip/port but I don't think it was the same ip yesterday. Any insights into best practices are appreciated.  
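Before deciding whether an alert like the one quoted above is a false positive, it helps to see how often it fires, whether the destination changes from day to day, and whether the source ports really do step up sequentially. The script below is an added example, not code from the thread, from Suricata or from pfSense: it parses Suricata's fast.log line format, groups alerts by signature and destination, and reports the median interval between alerts, the set of source hosts and whether consecutive source ports increase in small steps. The log lines, the SIDs (9000000 and 9000001) and the second rule's name are constructed; only the destination 51.75.78.103:80 and the "ET POLICY curl User-Agent Outbound" message come from the post.

```python
"""Triage Suricata fast.log alerts by signature and destination.

Added example for the thread above, not code from the post or from Suricata.
Only IPv4 endpoints are handled (an assumption of this script).
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# fast.log: "MM/DD/YYYY-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**]
#            [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport"
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)\s*$"
)


def parse_fast_line(line):
    """Return a dict for one fast.log line, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        a[k] = int(a[k])
    return a


def looks_sequential(ports, max_step=8):
    """True when consecutive source ports strictly increase by small steps.

    The step limit is a heuristic chosen here, not a value from the thread.
    """
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return len(steps) >= 2 and all(0 < s <= max_step for s in steps)


def triage(lines):
    """Group alerts by (sid, msg, dst, dport); most frequent group first."""
    groups = defaultdict(list)
    for line in lines:
        a = parse_fast_line(line)
        if a:
            groups[(a["sid"], a["msg"], a["dst"], a["dport"])].append(a)
    rows = []
    for (sid, msg, dst, dport), alerts in groups.items():
        alerts.sort(key=lambda a: a["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(alerts, alerts[1:])]
        rows.append({
            "sid": sid,
            "msg": msg,
            "dst": f"{dst}:{dport}",
            "count": len(alerts),
            "median_gap_s": median(gaps) if gaps else None,
            "sources": sorted({a["src"] for a in alerts}),
            "sequential_ports": looks_sequential([a["sport"] for a in alerts]),
        })
    rows.sort(key=lambda r: -r["count"])
    return rows


# Constructed sample: six curl-UA alerts 12 s apart with source ports stepping
# by 2, one unrelated alert, and one unparsable line. SIDs are placeholders.
SAMPLE_FAST_LOG = """\
08/03/2021-07:10:00.000000  [**] [1:9000000:1] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.20.5:41002 -> 51.75.78.103:80
08/03/2021-07:10:12.000000  [**] [1:9000000:1] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.20.5:41004 -> 51.75.78.103:80
08/03/2021-07:10:24.000000  [**] [1:9000000:1] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.20.5:41006 -> 51.75.78.103:80
08/03/2021-07:10:36.000000  [**] [1:9000000:1] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.20.5:41008 -> 51.75.78.103:80
08/03/2021-07:10:48.000000  [**] [1:9000000:1] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.20.5:41010 -> 51.75.78.103:80
08/03/2021-07:11:00.000000  [**] [1:9000000:1] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.20.5:41012 -> 51.75.78.103:80
08/03/2021-07:10:30.000000  [**] [1:9000001:1] TEST constructed informational rule [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.10.20.5:50233 -> 192.0.2.10:443
this line is not a fast.log record and is skipped
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_FAST_LOG.splitlines()):
        print(f"{r['count']:4d}x sid={r['sid']} -> {r['dst']} every ~{r['median_gap_s']}s "
              f"from {r['sources']} sequential_ports={r['sequential_ports']} | {r['msg']}")
```

On a real sensor, `triage(open("/var/log/suricata/fast.log").readlines())` gives the same table. A high count with a steady interval and one destination points at a scheduled client process rather than something reacting to inbound traffic, and `ss -tnp` on the node shows which process owns the connections; the sequential-port flag is only a measurement, since the quoted paper treats sequential allocation as a helper for its attacks rather than as evidence of one.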
3  Bitcoin / Hardware wallets / Re: Specter DIY hardware wallet on: August 02, 2021, 11:49:23 PM
The esp32 is exactly what came to my mind when I started looking at wallets again. Last batch I got were less than $4, $6 with a camera. That being said then you've got bluetooth, wifi, and espnow to contend with. They're designed to be easily connected to. I think there are some read only wallets that use them on github. With that in mind I found his presentation on the board itself insightful:

(about 7:45min in)
https://www.youtube.com/watch?v=AgOqTGeDrac

The limitations of the board, particularly the chip in the center are clearly outlined. This is why by default the device never stores the seed. It's either entered manually or in a secured element. I've yet to get one, and will need to print a different case when I do because with the free one I printed I do have access to the port for it. Same with the SD card. Didn't exactly think that through.  

Overall, I've found the device to be pretty awesome and easy to use. The QR reader works really well, it's easy to use in every way. It does suck that you can't scan the QR code on the device through tor (tor disables camera access). That's really got nothing to do with Specter though.  

I've spent way more time trying to get my regtest up than anything else so far. I've minted coins but I'm having issues sending them out.

I look forward to being able to use the java cards. There is an issue there as well though. You have to choose either to encrypt the java card, at which point the device is required to ever unlock the card, or have a java card that's password protected only (not encrypted) but can be opened with any device. I doubt I'll encrypt. It would suck to lose or break the device. With password protected cards at least I can build a new device if the first one is lost or stolen. I'll update when I get a chance to play around with a card reader.
 
4  Bitcoin / Bitcoin Technical Support / Re: Looking for advice on a full node on: August 02, 2021, 10:42:29 PM
I ended up setting up pfsense with a vlan for the node. I like the idea of having it sectioned away from the rest of my local network. Especially the iot. Likely will add a miner to same vlan unless it's wiser to keep them separate. Any insight into rule sets with nodes are welcomed.

The node runs on tor, and churns away with all ports blocked. But I've been having issues with mempool. It won't load properly. It connects and disconnects over and over. I've updated npm issues to the point of "breaking chain" errors that I enabled. At which point I got a 502 error and mempool wouldn't load. Uninstalled, re-installed, and have only cleared npm issues handled automatically. So, I'm back to where I started with mempool stuck in a connect/disconnect loop. This isn't a port issue, correct?    

Surprisingly, last night I restricted the vlan's connectivity to pings and dns with no other local or internet access and somehow the node was still running with connections in the morning. Nothing else had connectivity. I'm not sure if they were connections that had been made prior to my change, or? My tor browser didn't have internet access on the same network. Is this some ninja mode of running this, or were those connections previously made?


Quote
If you have security concern, change the password and configure SSH only to accept login attempt with SSH key.

I'm trying to do this but I'm having difficulties with the sshd_config file. I can't seem to disable password access. I did this on something else but I don't think the whole file was #disabled/default like this one seems to be. Perhaps others could benefit from learning best practices with this file. Or perhaps someone might just tell me at least what I'm doing wrong. So far I've enabled these things in the file:

Code:
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin prohibit-password
StrictModes yes
MaxAuthTries 10
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
#HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server


(Edited to add that I'm a dumbass. These settings work. I was thinking this feature wouldn't allow me to connect to the node at all without the keys. I was checking by seeing if I could get to the first prompt, which I could. But I wasn't trying to use the password to actually log in.  Embarrassed )
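The confusion in the edit is a common one: the config above is key-only, and the way to confirm that is to look at what sshd actually applies rather than at whether a login prompt appears. The script below is an added example, not part of the thread or of OpenSSH. It reads a config the way sshd does (comment lines are ignored, the first value seen for a keyword wins, and anything after a `Match` line is a per-user override left out of scope here, which is an assumption of the script), fills in the compiled-in defaults for keywords that are not set, and flags single-valued directives that carry a stray extra token, which sshd rejects at startup. Both sample configs are constructed; the first mirrors the settings from the post.

```python
"""Audit an sshd_config for key-only login.

Added example for the thread above, not code from the thread or from OpenSSH.
It mimics how sshd reads its file: comment lines are ignored (they only show
the compiled-in defaults), the FIRST value seen for a keyword is the one that
applies, and anything after a `Match` line is a per-user/host override that is
out of scope here (an assumption of this script).
"""

# Compiled-in OpenSSH defaults for the keywords we care about.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    # KbdInteractiveAuthentication is the current name; ChallengeResponse is
    # the older alias still found in many distro-shipped configs.
    "kbdinteractiveauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Values a key-only node should end up with.
WANTED = {
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "kbdinteractiveauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# These keywords take exactly one argument; a second token makes sshd refuse
# to start ("garbage at end of line" / "extra arguments at end of line").
SINGLE_VALUED = set(WANTED)


def _tokens(raw):
    """Split a config line into tokens, accepting 'Key value' and 'Key=value'."""
    return raw.strip().replace("=", " ", 1).split()


def effective_settings(text):
    """Return {keyword: first value} for the global section of an sshd_config."""
    seen = {}
    for raw in text.splitlines():
        parts = _tokens(raw)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break  # everything below applies only to matched users/hosts
        seen.setdefault(key, parts[1] if len(parts) > 1 else "")
    return seen


def malformed_lines(text):
    """Return (line_no, line) for single-valued keywords given extra arguments."""
    bad = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = _tokens(raw)
        if (parts and not parts[0].startswith("#")
                and parts[0].lower() in SINGLE_VALUED and len(parts) > 2):
            bad.append((n, raw.strip()))
    return bad


def audit_keyonly(text):
    """Return (ok, findings); each finding is (keyword, value, 'set'|'default', passed)."""
    seen = effective_settings(text)
    findings = []
    for key, want in WANTED.items():
        value = seen.get(key, DEFAULTS[key])
        findings.append((key, value, "set" if key in seen else "default", value == want))
    return all(f[3] for f in findings), findings


# Constructed sample: the key-only settings from the config in the post,
# with the long commented-out defaults left out.
KEY_ONLY_SAMPLE = """\
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM no
"""

# Constructed sample: a stock file where everything is still commented out,
# so the compiled-in defaults (password login allowed) apply.
STOCK_SAMPLE = """\
#PasswordAuthentication yes
#PermitRootLogin prohibit-password
UsePAM yes
"""

if __name__ == "__main__":
    for name, cfg in (("key-only", KEY_ONLY_SAMPLE), ("stock", STOCK_SAMPLE)):
        ok, findings = audit_keyonly(cfg)
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
        for key, value, source, passed in findings:
            print(f"  {'ok  ' if passed else 'FAIL'} {key} = {value} ({source})")
    print("malformed:", malformed_lines("PermitRootLogin prohibit-password yes"))
```

On the node itself `sudo sshd -T | grep -i -E 'passwordauthentication|kbdinteractive|permitrootlogin'` prints the values sshd is really using, and `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password user@node` is the end-to-end check: when password login is off the server answers `Permission denied (publickey)` without ever showing a password prompt.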
5  Bitcoin / Bitcoin Technical Support / Re: Looking for advice on a full node on: July 12, 2021, 09:33:32 PM
Quote
What is missing compared with mempool.space?

The graph only goes back to the date I installed it and when I looked up some donation addresses it only showed the current balance without the coin history that the website does. 

I have electr, specter, btcpayserver, joinmarket, sphynx, RTL, and mempool all running and it's not bad depending on my tor connection. It's just a bit doggish loading mempool. Apparently I misspoke and it was btcrpcexplorer that I had the most issues with and uninstalled. I couldn't clear all of the npm issues.

Quote
Do you mean there is a "pi" user account or something?
   

Yes, it's one of the first things stressed that one should do during other RPi installs. Particularly if you're online with open ports. Perhaps tor functions in a different manner, but my understanding is that bots scan ports and user "pi" with password "raspberry" is very common. So it's stressed to remove "pi" before going online. I'm not sure if I was online for 3 days downloading with open ports over clearnet with a common user/pass. For that matter I'm not sure if "pi" is required for the install to work properly.   
6  Bitcoin / Bitcoin Technical Support / Re: Looking for advice on a full node on: July 12, 2021, 07:46:56 PM
Should we be running v0.21.1? It calls it experimental in Raspiblitz.
7  Bitcoin / Hardware wallets / Re: Specter DIY hardware wallet on: July 12, 2021, 05:45:27 PM
I agree that without the printer perhaps it's not as intriguing. I have no idea what Seed Signer would ask for a printed case. But I couldn't imagine much.

Coldcard was definitely the other option I was looking at. To me the STM32 board without the camera would basically serve the same purpose. I could be underestimating the Coldcard. Like I said, I've only used ledgers so for me anything to get away from those buttons is a step forward, and I couldn't justify buying multiple more expensive ones. I also really like the approach to entropy on the Specter:

https://www.youtube.com/watch?v=76p0ADx9gXw

Btw, I'm in no way affiliated with this project, nor do I know anyone involved. I just stumbled on it this week and found it stupid simple to get going. If you watch the videos on youtube he talks about its limitations and advantages fairly candidly. Though I value the criticism of others more capable of understanding security trade-offs.


Quote
an option to order the parts you want and assemble them either yourself

I didn't order anything from them. I also didn't check alibaba/aliexpress. These were purchases this week from random US electronic suppliers.

I believe Specter developed and sells a shield for the STM32 board that has a battery and smart card reader built in for a sleek form factor. Everything else is open source. 
8  Bitcoin / Bitcoin Technical Support / Re: Looking for advice on a full node on: July 12, 2021, 04:59:10 PM
I recently setup a headless raspiblitz running on a naked RPi4 8gb as well. I've got a passive aluminum case (which I like more than the fans) but haven't disconnected it yet. I have had some performance issues. Ultimately uninstalled mempool. The RPi was doggish and the mempool didn't provide as much info as mempool.space. I guess I had just assumed it would have everything.   

A question that I have is whether it downloads the blockchain via tor by default. In the guides I saw that there was an option during initial setup, but I didn't see it. I read that they switched to tor by default for the node itself, and I would hope that would mean from initial blockchain download forward but I'm uncertain. Anyone have any ideas?

Also, I'm surprised that "pi" wasn't deleted and I wonder how secure that is. That seems less than ideal based on what I've read from installing other instances on RPi's. But I'm not technically advanced enough to know for sure if that's just less of an issue with tor, assuming it was during download.

So far I haven't actually used it other than to just play around and learn. I'm not sure that I trust it in its current configuration, and for sure want to at least isolate it on my network first. Especially after learning how few are online and that there might be other vulnerabilities like the "spying nodes" referenced in another thread that I've yet to fully elucidate.
9  Bitcoin / Development & Technical Discussion / Re: Taproot proposal on: July 12, 2021, 02:32:09 PM
Quote
Quote from: nortwood on July 11, 2021, 09:17:09 PM
Quote
My spy filtered node

I've searched but I'm unable to find where to learn more about this.

Well then I guess its working.

Fair enough, lol

It's just that questions regarding best practices for running nodes have been on my mind. I'll start a different thread.
10  Bitcoin / Hardware wallets / Re: Specter DIY hardware wallet on: July 12, 2021, 02:07:52 PM
I thought it would be more difficult than it actually is. I'm not using the dev kit with the smart card reader and battery built-in, or the diy method shown on youtube. I'm just using a 3d printed case from thingiverse (thank you Seed Signer) to house everything rather than glue it. So the only thing to put together is to attach 4 jumper wires from the camera to the device, and slap the case together. 

STM32 module (touch screen/microprocessor) - $75
QR camera - $45 (probably could use a cheaper $6 ov246 mini arduino module)
3d printed case - free (https://www.thingiverse.com/thing:4680700)

The STM32 module has a sd card reader, which can be encrypted as a secure element. Or you could elect to go with a $13 smart card reader from Amazon, which is what I'm doing.

11  Bitcoin / Development & Technical Discussion / Re: Taproot proposal on: July 11, 2021, 09:17:09 PM
Quote
My spy filtered node

I've searched but I'm unable to find where to learn more about this.
12  Bitcoin / Hardware wallets / Specter DIY hardware wallet on: July 11, 2021, 07:50:38 PM
I searched but couldn't find any reference to this project, but it seems promising. It's a nice DIY air gapped wallet with QR reader and touchscreen for $120-$140. It also looks like it can be used without the QR scanner via usb in which case it's $75:
https://github.com/cryptoadvance/specter-diy
https://www.youtube.com/watch?v=eF4cgK_L6T4

I got a stm32 board today and had the code uploaded running in less than 5min. No arduino IDE, no microPython. Just dragged and dropped the .bin file and that was that. I've only ever had ledgers so it feels like a real treat.

Are others familiar with the code?


disclaimer:
Quote
This project is not very mature yet, USE AT YOUR OWN RISK. Some error messages might be not very user friendly, but they help to debug and fix issues. If you see an unexpected error message please open an issue and we will try to fix it. Sometimes reboot helps.

This wallet is a FUNCTIONAL PROTOTYPE. This means we use it to experiment with user interface, communication methods and new interesting features (like miniscript, CoinJoin and Lightning).
13  Bitcoin / Bitcoin Discussion / Re: China might really be out of Bitcoin and the cryptospace on: July 11, 2021, 01:42:22 PM
Quote
let's take antpool. the highly controversial pool deemed always as "china"
seems it went from 30ex down to 10exa. but is now recovering and getting to 14 exa in recent days
https://btc.com/btc/pool/29?id=29&chart=hashrate
so it doesn't seem like they are "out"

seems their ultimate bottom july1st (10exa) :- lets call that point X
seems their ultimate peak hashrate X-1.5 month (>30exa)
seems their next step down was X-1 month(>20exa)

and now X+2weeks they are recovering at 14exa
which seems to be on target to recover to peak of 30exa by X+1.5month

taking a look at btc.com own pool
https://pool.btc.com/en-US/pool-stats
50% of blocks it mines come from china (SZ, beijing, Shenzen)

again seems "china" is not out


This is encouraging to see.
14  Bitcoin / Bitcoin Discussion / Re: Bitcoin security in the long term on: July 11, 2021, 05:05:19 AM
Coming from a John Perkins "Confessions of An Economic Hitman" point of view would it be outlandish to consider the CBDC to be the elephant in the room?   

It seems to be the antithesis of bitcoin and the most imminent threat moving forward. "Programmable money with identity embedded in it" as someone recently described it. With the allure of not only becoming the reserve currency but also having the ability to socially engineer down to the individual. Why would they let you buy bitcoin, or for that matter accept it in trade without going through fiat first? They gave El Salvador the middle finger. I'm not talking 120 years from now. Mainstream fud about the dollar no longer being the reserve currency within the next 20 years. What happens when the spending power of fiat continues to decline and CBDCs disallow direct trade? As people flee fiat they'll have to make a decision. I have always believed that if given the chance people would choose self sovereignty over centralization. But watching this play out I have to question that. The majority of users don't possess their own keys, less than 10k run nodes, even less coinjoin when it should be the norm right from mining forward.         

Let me use some quotes from another thread from earlier this year to help me get to my point:

philipma1957
Quote
right now the market cap for btc is around 730 billion.  There is enough wealth to push it to 1.8 trillion or 100k a coin. the top ten stocks are worth more than 9 trillion so pulling 1 trillion away from them could happen this year.

I do not see enough wealth to push it to 18 trillion or 1 million a coin any time soon.

mickeywith
Quote
When rewards are 3.125 BTC mining would still be somehow okay to many miners, even if the price was below 100-200k, but when the rewards are at 1.5625 BTC price needs to be beyond those levels for mining to stay as decentralized, if not, then only those with free power will be able to mine at a profit.

With that being said, there might come times when bitcoin holders will need to mine for no profit just to keep the blockchain running the way it is, sort of like how many people run full nodes now without any financial benefits, but I guess it's too early to judge since we don't know what the mining fees will become like, since they will be more important than the block reward soon.

The issue regarding the financial viability of running miners seems like it has the potential to become a security threat sooner than later. Nations are building out infrastructure. If the central bank gives them an ultimatum down the line because they view bitcoin as a genuine threat to the hegemony that seems problematic from a security standpoint. Introduce the CBDC with tons of carrots, and disallow all crypto related transactions. Could the network sustain that in a scenario with fiat continuing to lose buying power and hodlers have to run machines at a loss to keep the system honest? It seems like it would continue to centralize which would either lead to an attack from within to game the system, or they send in the jackals to utilize the infrastructure built out on CBDC friendly Nations if the threat persists.

I know it's a shorter time span but it seems on topic, and the question of which actors with what incentives could pull off an attack keeps coming up. I realize this is way more fud than should come from a first post. I'm actually quite bullish. I think many of the issues we face can be addressed. I'm here to attempt to better understand how.   
 
*edited to add names to quotes
