Bitcoin Forum
Author Topic: bitcoind security best practices?  (Read 1524 times)
Fking (OP)
November 06, 2012, 02:38:35 PM, #1

I'm thinking of running bitcoind on my dedicated server, where wallet.dat will be stored in a folder not accessible from the internet.
I'll get shared hosting or a VPS for the actual site, but was wondering where to set up the MySQL DB?

I suppose, since the interactions with bitcoind will only happen when receiving or sending money, and those with the MySQL DB much more often for all sorts of things, it would be better for usability to place it on the frontend?
How do you secure the communication between both servers?
If you have SSL for the communication between the frontend server and the client, can you use the same for the backdoor communication to the dedicated server with bitcoind?

What would you guys do, and what other security precautions do you like to take when using bitcoind and a wallet on a server?
CIYAM (Ian Knowles - CIYAM Lead Developer)
November 06, 2012, 03:03:21 PM, #2

Personally I would not put bitcoind on any VPS. Is it such a problem to set up your own computer to do that?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Schleicher
November 06, 2012, 06:33:56 PM, #3

It all depends on what you want to do with your Bitcoind.
Only sending Bitcoins? Or mining?

Fking (OP)
November 06, 2012, 07:28:50 PM, #4

Sending and receiving.
I've got a dedicated anyway, so not gonna use a VPS for bitcoind.
A VPS or shared hosting I might use for the site.

The wallet will be encrypted. Since commands to bitcoind will be sent from a PHP script on the other server, will we need to transmit the wallet password between the servers?
How is it best to protect the connection between the servers?

I'm gonna use an SSL certificate for the site-to-user connection, but have no experience with backdoor server-to-server communications, nor with the bitcoind protocol, so excuse my newbie questions :)
Insu Dra
November 06, 2012, 08:49:58 PM, #5

Quote
Use an SSL RPC connection through a secure and restrictive VPN tunnel.

Added a nice ending to the sentence. :D

"drugs, guns, and gambling for anyone and everyone!"
Fking (OP)
November 15, 2012, 03:35:13 PM, #6

I see that the bitcoind conf file has an option to use SSL:

 -rpcssl                                  Use OpenSSL (https) for JSON-RPC connections
 -rpcsslcertificatechainfile=<file.cert>  Server certificate file (default: server.cert)
 -rpcsslprivatekeyfile=<file.pem>         Server private key (default: server.pem)
 -rpcsslciphers=<ciphers>                 Acceptable ciphers (default: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!AH:!3DES:@STRENGTH)

I suppose we don't need to buy certificates for this server-to-server connection; how do we generate the needed files on our own?
Gavin Andresen (Chief Scientist)
November 15, 2012, 07:35:18 PM, #7

Quote from: Fking
I suppose we don't need to buy certificates for this server-to-server connection; how do we generate the needed files on our own?

See: https://en.bitcoin.it/wiki/Enabling_SSL_on_original_client_daemon

How often do you get the chance to work on a potentially world-changing project?
kjj
November 15, 2012, 11:45:46 PM, #8

The step about copying the chaining cert to the client is very important.  Without that step, an attacker can man-in-the-middle you.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
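As an added example, not code from anyone in this thread or from the linked wiki page: the script below generates the self-signed files that the -rpcsslcertificatechainfile and -rpcsslprivatekeyfile options from post #6 expect, writes a bitcoin.conf that turns them on, and then shows kjj's point from post #8 in practice. A client that pins the server.cert copied from the daemon host accepts the real daemon's certificate but rejects any other certificate, even one carrying the same name, which is exactly what a man-in-the-middle would have to present. Everything here is an assumption: openssl must be installed, the daemon is reached over a VPN whose peer address is the placeholder 10.8.0.2, the name bitcoind.internal is made up, and the rpcuser/rpcpassword values are placeholders to replace.

```shell
#!/bin/sh
# Added example, not from the thread. Generates bitcoind's RPC TLS files,
# writes a matching bitcoin.conf, and checks client-side certificate pinning.
# Assumptions: openssl is installed; 10.8.0.2 (placeholder) is the VPN address
# of the web server that is allowed to talk to the daemon.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a private key and a self-signed certificate for the RPC listener.
# The CN is a placeholder; use the name the client will actually connect to.
gen_rpc_cert() {
    _dir="$1"; _cn="$2"; _key="$3"; _cert="$4"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$_cn" -keyout "$_dir/$_key" -out "$_dir/$_cert" 2>/dev/null
    chmod 600 "$_dir/$_key"   # only the user running bitcoind should read the key
}

# Server-side bitcoin.conf: SSL on, ciphers as in the default from post #6,
# and an allow-list so only the VPN peer can use the RPC port at all.
write_bitcoin_conf() {
    _dir="$1"
    cat > "$_dir/bitcoin.conf" <<EOF
rpcuser=rpcuser_placeholder
rpcpassword=CHANGE_ME_long_random_string
rpcssl=1
rpcsslcertificatechainfile=$_dir/server.cert
rpcsslprivatekeyfile=$_dir/server.pem
rpcsslciphers=TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!AH:!3DES:@STRENGTH
rpcallowip=10.8.0.2
EOF
}

# Client-side check: does the certificate a daemon presents chain to the
# server.cert that was copied to the client out of band? Prints yes or no.
pinned_cert_accepts() {
    _pinned="$1"; _presented="$2"
    if openssl verify -CAfile "$_pinned" "$_presented" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

gen_rpc_cert "$WORK" bitcoind.internal server.pem server.cert       # the real daemon
gen_rpc_cert "$WORK" bitcoind.internal impostor.pem impostor.cert   # same name, different key
write_bitcoin_conf "$WORK"

echo "real daemon cert accepted:       $(pinned_cert_accepts "$WORK/server.cert" "$WORK/server.cert")"
echo "other cert with same CN accepted: $(pinned_cert_accepts "$WORK/server.cert" "$WORK/impostor.cert")"
echo "bitcoin.conf written to $WORK/bitcoin.conf"
```

Copy server.cert (never server.pem) to the web server and point the RPC client's CA setting at it; the pinned file is what lets the client tell the real daemon apart from anything else answering on that address. The rpcallowip line and the VPN are the second layer Insu Dra mentions: even a client that skipped certificate verification could only be intercepted by something already inside the tunnel.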