Author Topic: Can I run a full node on bitnodes.io and use it as a wallet ?  (Read 2025 times)
RocketSingh (OP)
July 12, 2015, 04:03:33 PM
 #1

In simple terms, I'm trying to run a hot wallet where I can query through JSON-RPC. Is that possible on bitnodes.io ?

achow101
July 12, 2015, 04:10:10 PM
 #2

In simple terms, I'm trying to run a hot wallet where I can query through JSON-RPC. Is that possible on bitnodes.io ?
It is possible on any VPS, provided that you configure the firewall and the Bitcoin config file properly to allow JSON-RPC queries. However, it is not recommended to make the RPC server publicly accessible since it could be vulnerable to attack and having someone steal all of your Bitcoin.

RocketSingh (OP)
July 12, 2015, 05:14:59 PM
 #3

In simple terms, I'm trying to run a hot wallet where I can query through JSON-RPC. Is that possible on bitnodes.io ?
It is possible on any VPS, provided that you configure the firewall and the Bitcoin config file properly to allow JSON-RPC queries. However, it is not recommended to make the RPC server publicly accessible since it could be vulnerable to attack and having someone steal all of your Bitcoin.

Any related tutorial or something to point at ? I can't figure out where to start...

RocketSingh (OP)
July 14, 2015, 08:20:29 PM
 #4

None ? No one running their bitcoin daemon on VPS and calling it through JSON-RPC ?

achow101
July 14, 2015, 09:17:29 PM
 #5

None ? No one running their bitcoin daemon on VPS and calling it through JSON-RPC ?
I have done it on Amazon Web services, but not bitnodes.io. It also is not very safe to do JSON-RPC calls over the web, and if you do, you should use SSL RPC.

RocketSingh (OP)
July 14, 2015, 10:12:13 PM
 #6

None ? No one running their bitcoin daemon on VPS and calling it through JSON-RPC ?
I have done it on Amazon Web services, but not bitnodes.io. It also is not very safe to do JSON-RPC calls over the web, and if you do, you should use SSL RPC.

If I don't do it on the web, then what is the standard process of running bitcoin core as a hot wallet?

Yofun
July 14, 2015, 10:15:34 PM
 #7

If you do RPC calls over the web I recommend that you limit the RPC API to certain IPs (for example the server IP that will be calling the RPC)

https://bitcoin.org/en/full-node#possible-problems
ahmedjamal1998
July 14, 2015, 10:17:13 PM
 #8

I think it's possible but it's kind of unsafe to do that as you may receive some attacks resulting in the loss of your coins.
achow101
July 14, 2015, 10:21:01 PM
 #9

None ? No one running their bitcoin daemon on VPS and calling it through JSON-RPC ?
I have done it on Amazon Web services, but not bitnodes.io. It also is not very safe to do JSON-RPC calls over the web, and if you do, you should use SSL RPC.

If I don't do it on the web, then what is the standard process of running bitcoin core as a hot wallet?
Usually the hot wallet is physically accessible or on the local network. Another thing, if you do have Bitcoin Core on a VPS, make sure you backup its wallet to somewhere safe because if you run out of money in the account and they shut down the VPS, you just lost all of your Bitcoin.

RocketSingh (OP)
July 14, 2015, 10:25:26 PM
 #10

If you do RPC calls over the web I recommend that you limit the RPC API to certain IPs (for example the server IP that will be calling the RPC)

https://bitcoin.org/en/full-node#possible-problems
I think it's possible but it's kind of unsafe to do that as you may receive some attacks resulting in the loss of your coins.
What is the point of telling me that things are unsafe or not recommended, if you don't have a better solution ? I do understand that JSON-RPC may be unsafe and running a node as a wallet on the web is unsafe as well. But, then what is the solution for a hot wallet ?

p.s. I am well aware of the available web APIs, but I don't want to get restricted by their limitations.

Usually the hot wallet is physically accessible or on the local network.

How do I access something on a local network, if it is not connected to the web and if it is connected to the web, then it is as good as running on a VPS... is not it ?

achow101
July 14, 2015, 11:31:24 PM
 #11

How do I access something on a local network, if it is not connected to the web and if it is connected to the web, then it is as good as running on a VPS... is not it ?
If it is on your local network, then it is behind your router, which has its own built in firewall that will prevent incoming connections from the web to certain ports e.g. 8332 which is Bitcoin Core's rpc port. Anything behind the router, say two computers, can communicate with each other through the router without having any of their data go to the internet. You can also have one computer connected to the router, and thus the internet, and another connected to that computer so it is not connected to the internet, but can be accessed from the first computer. Also, people on your local network are usually people that you let on. You have to tell them the wifi password or have them physically connect a cable. The only way you can be attacked is if you get malware on the computers or someone connects to your local network.

Quickseller
July 15, 2015, 12:12:53 AM
 #12

You don't want to do this. (bitnodes.io does not actually host any nodes, they simply keep a list of all of them by monitoring the bitcoin network).

You are most likely going to want to lease a VPS to run a full node, and whenever you spend funds stored in your wallet, your private keys are going to be temporarily unencrypted in your VPS's RAM and you would be exposed to possible side channel attacks. If you were to lease a dedicated server then your monthly bill would be very expensive.

If you want to rely on a full node in order to better know if transactions to you were actually received or not, then I would suggest creating a watch-only wallet on bitcoind that is running on your full node, keep your private keys stored locally, then verify with bitcoind to make sure the transaction was actually confirmed by the network.
achow101
July 15, 2015, 12:29:31 AM
 #13

You don't want to do this. (bitnodes.io does not actually host any nodes, they simply keep a list of all of them by monitoring the bitcoin network).
Actually that is getaddr.bitnodes.io. If you go to just bitnodes.io, you will see that they provide VPS's.

Quickseller
July 15, 2015, 12:36:27 AM
 #14

You don't want to do this. (bitnodes.io does not actually host any nodes, they simply keep a list of all of them by monitoring the bitcoin network).
Actually that is getaddr.bitnodes.io. If you go to just bitnodes.io, you will see that they provide VPS's.
It looks like I was mistaken.

From the looks of it, the cheapest one you would be able to run a full node on would cost roughly $22 per month, which is expensive for a full node (there are many other VPS providers that can provide sufficient capacity for a lower price). Even this kind of instance may not be enough however because only 48 GB of SSD space would be available and I am not sure that is enough to store bitcoind and the blockchain and dependencies. The next least expensive specs would cost roughly $43 per month and it would be sufficient to handle running a full node.
fbueller
July 15, 2015, 01:12:23 PM
 #15

Quote
then what is the standard process of running bitcoin core as a hot wallet?

There is none. It's hard to get right, and only know there's a problem when you've been cleaned out :/ Most companies do not do this.

Really can't discourage you enough from this path if you're asking questions this early.

Bitwasp Developer.
fairglu
July 17, 2015, 06:31:16 AM
 #16

None ? No one running their bitcoin daemon on VPS and calling it through JSON-RPC ?

Doing it all the time for explorers, but the daemon's wallet is always empty: there are too many things that can go wrong in terms of security with a VPS-hosted wallet (security issues in the RPC API, Linux bugs, security issues in the virtualization layer that end up giving other VPS on the same host access to your files, and just plain negligence at the company hosting the VPS which could be social-engineered to provide access to another party).

If you really really want to host some funds on a "cloud" machine, at least go for a dedicated server, and restrict RPC access by firewall (not just .conf options) to your personal IPs.
Lower specs dedicated servers can be found for the same price as higher specs VPS, but are vastly preferable in terms of performance and security IMHO.

RocketSingh (OP)
July 22, 2015, 12:49:10 PM
 #17

None ? No one running their bitcoin daemon on VPS and calling it through JSON-RPC ?

Doing it all the time for explorers, but the daemon's wallet is always empty: there are too many things that can go wrong in terms of security with a VPS-hosted wallet (security issues in the RPC API, Linux bugs, security issues in the virtualization layer that end up giving other VPS on the same host access to your files, and just plain negligence at the company hosting the VPS which could be social-engineered to provide access to another party).

If you really really want to host some funds on a "cloud" machine, at least go for a dedicated server, and restrict RPC access by firewall (not just .conf options) to your personal IPs.
Lower specs dedicated servers can be found for the same price as higher specs VPS, but are vastly preferable in terms of performance and security IMHO.

Those are costly solutions. So, is it the case, that blockchain.info or similar APIs are the only solution to send/receive bitcoin in a secure way ?

d4n13
July 22, 2015, 06:24:26 PM
Last edit: July 23, 2015, 01:04:50 PM by d4n13
 #18

What is the point of telling me that things are unsafe or not recommended, if you don't have a better solution ? I do understand that JSON-RPC may be unsafe and running a node as a wallet on the web is unsafe as well. But, then what is the solution for a hot wallet ?

p.s. I am well aware of the available web APIs, but I don't want to get restricted by their limitations.

OK... I'll take the bait....

As the people here have said... the hard core coiners keep their funds on a cold machine, and only put them on the hot machine after they are signed.  If you have your 401k in BTC that is the only way to fly.  Now the further you get away from that hyper-paranoid config, the higher the risk of getting your coins stolen by someone who finds a kink in your security.  What you propose... a remotely accessible hot wallet is about as far away from cold storage as you can get... but for the sake of having said... here's how to do it.

First off... spend about $30 on some good books covering SSL if you are not extensively aware of the protocol and shortcomings.  Assuming you have already done this and have a solid grasp of SSL fundamentals... here are my suggestions.
  1. Make a self-signed cert, and keep the fingerprint handy to check on connection.
  2. Encrypt your server's HD offering system level encryption
  3. Add account level encryption (ie EFS) to all files that contain security info
  4. Read up on all the bitcoin{-qt/d} parameters.  The config file are the parameters without the "-" with an added "=" at the end
  5. rpcssl=1 - Turns on SSL
  6. rpcsslciphers=TLSv1.2+HIGH:!SSLv3!SSLv2:!aNULL:!eNULL:!AH:!3DES:@STRENGTH - From your SSL book... screw this up and you're toast, most systems breached screw this up
  7. rpcsslcertificatechainfile=server.cert - This will be that expensive cert you bought
  8. rpcsslprivatekeyfile=server.pem - The cert you signed (7) with before it was countersigned. This is in the clear!!! so hopefully you encrypted the snot out of it (2) and (3)
  9. server=1 - Turns the server on
  10. rpcuser={userid} - Please, make this a random collection of 128 characters, letters, symbols, and punctuation, unfortunately, I don't think spaces parse clean.
  11. rpcpassword={userid} - Same as above, and if you make rpcpassword and walletpassphrase the same, you deserve to lose your coins.
  12. rpcallowip={mask} - Best to determine an IP range you will make incoming calls from.  Easy way to do this is buy a VPN, then bind to your VPN range.  Better than nothing.
  13. Only use Basic Auth, and NEVER... EVER put your RPC password in the GET URL... EVER!!
  14. Only ever connect with SSL (no http://), and validate the exact fingerprint against (1)
  15. Because of (13,14) you can't use any of the available bitcoin modules.  You will have to write your own.  Python 2.7.10 with the requests module is a good start.
  16. Know the OpenSSL library your Python and Bitcoin binaries are bound to and learn how to rebuild with the current releases if necessary
  17. Check for OpenSSL vulnerabilities daily, and take your server down if any CVE affecting you is released until you can rebuild

If you only keep $20 in your RPC open hot-wallet, no biggie.  If you keep $100, begin to think about getting all the way to (17), if you keep thousands in it, then become a security hound and test your mettle with as hardened a server as you can build.

This list is by no means complete... it is just what I thought up over my sandwich at lunch..

Good luck.
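
Added example, not part of d4n13's post or of Bitcoin Core: a minimal Python 3 client (standard library only) for the connection rules in items 1 and 13 to 15 above, checking the self-signed certificate's SHA-256 fingerprint before any credentials are sent and passing them only in the Basic Auth header. The function names and the SAMPLE_DER bytes are constructed for illustration, and a TLS endpoint in front of the RPC port is assumed.

```python
import base64
import hashlib
import hmac
import http.client
import json
import ssl

# Constructed stand-in for the server certificate's DER bytes (not a real cert).
SAMPLE_DER = b"constructed-der-certificate-bytes"

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def fingerprint_matches(der_cert: bytes, pinned_fp: str) -> bool:
    """Compare against a pin written as 'AB:CD:...' or as plain hex."""
    pinned = pinned_fp.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), pinned)

def build_request(method, params, user, password, req_id=1):
    """Return (headers, body); credentials go only in the Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token,
               "Content-Type": "application/json"}
    body = json.dumps({"jsonrpc": "1.0", "id": req_id,
                       "method": method, "params": list(params)})
    return headers, body

def rpc_call(host, port, pinned_fp, user, password, method, params=()):
    """Call one RPC method, refusing to authenticate to an unpinned certificate."""
    # A self-signed cert has no CA chain to verify, so CA and hostname checks
    # are switched off and replaced by the exact-fingerprint check below.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.connect()  # TLS handshake only; no HTTP request sent yet
        der = conn.sock.getpeercert(binary_form=True)
        if not der or not fingerprint_matches(der, pinned_fp):
            raise ssl.SSLError("certificate fingerprint mismatch")
        headers, body = build_request(method, params, user, password)
        conn.request("POST", "/", body=body, headers=headers)
        resp = conn.getresponse()
        if resp.status == 401:
            raise PermissionError("RPC credentials rejected")
        reply = json.loads(resp.read())
    finally:
        conn.close()
    if reply.get("error"):
        raise RuntimeError(reply["error"])
    return reply["result"]

if __name__ == "__main__":
    pin = cert_fingerprint(SAMPLE_DER)  # in practice: recorded when the cert was made
    print("pinned cert accepted:", fingerprint_matches(SAMPLE_DER, pin))
    print("other cert accepted:", fingerprint_matches(SAMPLE_DER + b"x", pin))
```

A real call would look like rpc_call(host, 8332, pin, user, password, "getblockcount"), with the pin taken from the certificate file itself rather than from the first connection.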

d4n13
July 22, 2015, 07:06:10 PM
 #19

You are most likely going to want to lease a VPS to run a full node, and whenever you spend funds stored in your wallet, your private keys are going to be temporarily unencrypted in your VPS's RAM and you would be exposed to possible side channel attacks. If you were to lease a dedicated server then your monthly bill would be very expensive.

If this is the case... might be a good pull request.  Last time I walked through the OpenSSL code, they were using secure buffers... encrypted memory.  Yes, it would stand to reason that the key for the membuffer would be somewhere in there as well, but that turns the hack into more of a needle / haystack problem rather than a simple memcat.

If I don't do it on the web, then what is the standard process of running bitcoin core as a hot wallet?

I think some on this thread are juggling terms.  I (possibly in error) define a "hot wallet" as a wallet that is running on a machine that has a network connection.  I define "cold wallet" as a wallet running on a machine that has no network hardware.  So yes... 99.99% of the wallets out there are "hot" since you usually need a soldering iron to make a machine "cold".  By that terminology, "hot" does not imply "hot+server".  Most people run on "hot" machines and simply don't allow incoming peer / RPC connections.  Most run apps like electrum.  They simply keep their wallet on their phone.  For the security gurus... they pull out the soldering iron and make their machine "cold".  Then they spend their coin on their cold machine and carry the transaction over to a hot machine to transmit.  Term is "sneaker-net".

Those are costly solutions. So, is it the case, that blockchain.info or similar APIs are the only solution to send/receive bitcoin in a secure way ?
Good Lord no!!!  Keeping your private keys yourself is generally considered safer than using a web-wallet.  Some web-wallets have high praise, and may be good options for you, but there are certainly those here (me) that believe being in possession of your own keys, although hard, is the most responsible thing.

Easiest thing... just grab your favorite Android / iOS wallet and figure out how to back up the wallet regularly.  Use this app to send / receive coin.  80% safe (possibly more)

jl2012
July 23, 2015, 05:53:23 AM
 #20

search "vps bitcoin hack" on google and you should know this is not a very good idea

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517