Bitcoin Forum
Author Topic: Please stop using rpcallowip=* in your Configuration Examples  (Read 7126 times)
dreamwatcher (OP)
January 16, 2014, 02:18:00 AM
Last edit: January 16, 2014, 02:42:19 AM by dreamwatcher
 #1

I have been noticing a trend of really bad configuration file examples lately. While most are harmless, one parameter poses a large security risk to the user.

Code:
rpcallowip=*

1. rpcallowip is only needed in special situations where one wants to allow the client/daemon to accept RPC connections outside the localhost. Generally solo miners who want to point their rigs to a single daemon on the network.

2. rpcallowip=* tells the client/daemon to accept RPC connections from anybody, anywhere. If the rpcallowip setting is needed, restrict it to a certain IP address or network. For example:
Code:
rpcallowip=192.168.1.*

This will restrict connections to hosts 192.168.1.0 - 192.168.1.255 (the typical private subnet used on home networks).

Other oddballs:

Code:
rpcport=<port> or port=<port>
Unless you need to change the RPC or P2P port from the default in the client/daemon, there is no need for this.
Code:
daemon=1 or listen=1
None of these extra settings are needed: they are on by default, or, in the case of daemon=1, normally passed as a command line option, as it only affects the non-GUI command line daemon.


A typical user configuration file only needs:

Code:
server=1
This is even optional as it sets the QT client to accept RPC commands, but harmless if set and not used. Some QT clients need this to use the RPC console in the debug menu.

Code:
rpcuser=<username>
Required for the most part

Code:
rpcpassword=<password>
Required for the most part.



Other useful parameters:

Code:
addnode=<IP>
This gives the client/daemon a node to try every time it starts. Useful for new coins with no seed nodes hard coded in the source, or new coins with few nodes.

Code:
txindex=1
This tells the client/daemon to build a full transaction index and allow one to retrieve non-wallet transactions, typically through the "getrawtransaction <txid> 1" command. If added after the client has already started building or has built the block chain database, the switch "-reindex" will need to be used one time after the parameter has been added.
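As an added example (not code from the original post or from any Bitcoin client), here is a small Python audit of a bitcoin.conf that applies the advice above: it parses the file, normalises each rpcallowip entry, flags the rpcallowip=* case and any entry that admits a public range, checks that rpcuser/rpcpassword are present, and notes the redundant daemon/listen/rpcport/port settings. The wildcard form (192.168.1.*) is the one the post uses; later Bitcoin Core releases replaced it with CIDR notation (192.168.1.0/24), so both are accepted here. The two sample configuration files are constructed for this example.

```python
import ipaddress

# Constructed sample configuration files (not from the post): one of the
# risky kind the OP complains about, and one restricted to a home LAN the
# way the OP recommends.
RISKY_CONF = """\
server=1
rpcuser=alice
rpcpassword=hunter2
rpcallowip=*
daemon=1
"""

SAFER_CONF = """\
server=1
rpcuser=alice
rpcpassword=correct-horse-battery-staple
rpcallowip=192.168.1.*
"""


def parse_conf(text):
    """Parse key=value lines into {key: [values]}. Keys such as rpcallowip
    and addnode may legitimately repeat, so every key maps to a list."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf


def wildcard_to_network(pattern):
    """Convert the wildcard form the post uses (192.168.1.*) into an
    ip_network. Returns None unless the pattern is four dotted fields with
    any '*' fields at the end."""
    octets = pattern.split(".")
    if len(octets) != 4:
        return None
    fixed = [o for o in octets if o != "*"]
    if octets[:len(fixed)] != fixed:  # a '*' followed by a number is not a prefix
        return None
    if not all(o.isdigit() and int(o) <= 255 for o in fixed):
        return None
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network("%s/%d" % (base, 8 * len(fixed)))


def allowed_network(entry):
    """Normalise one rpcallowip value to an ip_network: '*' means everything,
    otherwise try the wildcard form, then CIDR / single-address notation."""
    if entry == "*":
        return ipaddress.ip_network("0.0.0.0/0")
    net = wildcard_to_network(entry)
    if net is not None:
        return net
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def allowip_matches(entry, host):
    """True if an RPC connection from `host` would pass this rpcallowip entry."""
    net = allowed_network(entry)
    return net is not None and ipaddress.ip_address(host) in net


def audit_conf(text):
    """Return human-readable findings for the settings the post discusses."""
    conf = parse_conf(text)
    findings = []
    for entry in conf.get("rpcallowip", []):
        net = allowed_network(entry)
        if net is None:
            findings.append("rpcallowip=%s could not be parsed" % entry)
        elif net.prefixlen == 0:
            findings.append("rpcallowip=%s accepts RPC connections from anywhere" % entry)
        elif not net.is_private:
            findings.append("rpcallowip=%s admits a public address range" % entry)
    for key in ("rpcuser", "rpcpassword"):
        if not conf.get(key, [""])[0]:
            findings.append("%s is missing" % key)
    for key in ("daemon", "listen", "rpcport", "port"):
        if key in conf:
            findings.append("%s=%s is not needed in a typical configuration" % (key, conf[key][0]))
    return findings


if __name__ == "__main__":
    for name, text in (("risky", RISKY_CONF), ("safer", SAFER_CONF)):
        print(name + ":", audit_conf(text) or ["no findings"])
```

Run it against a real bitcoin.conf by reading the file and passing its contents to audit_conf; allowip_matches can be used on its own to answer "would this LAN host be able to reach the RPC port with the current entry?" before the change is made.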




o24
January 16, 2014, 05:29:37 AM
 #2

Thanks for the information
markm
January 16, 2014, 05:35:27 AM
 #3

While you are at it, maybe for people who set up exchanges on shared hosting, all the ancient CGI-script etc. advice saying to use chmod 777 could also be worth warning against...

-MarkM-

ripplebtc
January 16, 2014, 08:05:55 AM
 #4

Thank you for the reminder.
coinedge
January 16, 2014, 08:17:15 AM
 #5

Thank you for the info. So we don't even need rpcallowip= <local host>?
With the user name and pass, do you create that yourself and make sure it matches the .conf?
Or do we use the shortcut target "-server" method for all coins?
antontang
January 16, 2014, 08:22:38 AM
 #6

Your help would be very appreciated
markm
January 16, 2014, 10:17:23 AM
 #7

The loopback address ( 127.0.0.1 aka localhost ) works without needing special mention in the config file or commandline args.

Which of course is yet another reason not to run on a shared machine.

-MarkM-

dreamwatcher (OP)
January 17, 2014, 02:38:09 PM
 #8

Quote from: markm
While you are at it, maybe for people who set up exchanges on shared hosting, all the ancient CGI-script etc. advice saying to use chmod 777 could also be worth warning against...

-MarkM-


Yes, I have seen a bit of that also. I would also think those who have set up services would have more knowledge than the average newbie trying to set up a wallet.

Especially cringeworthy to me are coin service providers that use phpMyAdmin to manage databases on services that handle users' coins. I admit to using it on coin explorers, mostly the server with the CCE3 test explorers, but never on any of my sites that handle other people's coins (my pools). The command line console for MySQL is not that hard to learn and use, and MANY times more secure than phpMyAdmin.
Call me old fashioned, but I want as few ports and as little exposure to the Internet as possible when handling other people's assets.