bitcoind security best practices?

[Fking]

I'm thinking of running bitcoind on my dedicated server where wallet.dat will be stored in a folder not accessible from internet.
I'll get shared hosting or VPS for the actual site but was wondering where to set the mysql DB?

I suppose since, the interactions with bitcoind will be only when receiving or sending money, and with the mysql DB much more often for all sort of things, would be better for usability to place it on the frontend?
How do you secure the communication between both servers?
If you have ssl for the communication between the frontend server and the client, can you use the same for the backdoor communication to the dedicated with bitcoind?


What would you guys do and what other security precautions you like to take when using bitcoind and wallet on a server?

[CIYAM]

Personally I would not put bitcoind on any VPS - is it such a problem to set up your own computer to do that?

[Schleicher]

It all depends on what you want to do with your Bitcoind.
Only sending Bitcoins? Or mining?

[Fking]

sending and receiving
i've got a dedicated anyway, so not gonna use a vps for bitcoind
vps or shared i might use for the site

the wallet will be encrypted, since commands to bitcoind will be sent from php script on the other server, will we need to transmit the wallet password between the servers?
how is best to protect the connection between the servers?

i'm gonna use ssl certificate for the site to user connection, but have no experience with backdoor server to server communications, neither with the bitcoind protocol, so excuse my newbie questions

[Insu Dra]

Use a SSL rpc connection true a secure and restrictive vpn tunnel.

added a nice ending the sentence. 

[Fking]

i see that bitcoind conf file has an option to use ssl

 -rpcssl                                  Use OpenSSL (https) for JSON-RPC connections
 -rpcsslcertificatechainfile=<file.cert>  Server certificate file (default: server.cert)
 -rpcsslprivatekeyfile=<file.pem>         Server private key (default: server.pem)
 -rpcsslciphers=<ciphers>                 Acceptable ciphers (default: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!AH:!3DES:@STRENGTH)



i suppose we don't need to buy certificates for this server to server connection, how do we generate the needed files on our own?

[Gavin Andresen]

i suppose we don't need to buy certificates for this server to server connection, how do we generate the needed files on our own?

See: https://en.bitcoin.it/wiki/Enabling_SSL_on_original_client_daemon

[kjj]

The step about copying the chaining cert to the client is very important.  Without that step, an attacker can man-in-the-middle you.