[ANN][DASH] Dash (dash.org) | First Self-Funding Self-Governing Crypto Currency

[falsealarm_bf]

Please add all of the above to the FAQ list otherwise more compromises will follow. People also need to understand that security is not a one time task. You will have to proactively scan your MN and remediate on an ongoing basis. If you are not able to do this, please host with a company that provides this service for a fee.

I want to host with a company that provides this service for a fee. I next concern will be for their security being a target by co locating so many MNs. There is still a risk hosting with a company.
[/quote]

Absolutely! Thus people who work in the IT security field know not to make a full guarantee of security ever. You promise to be proactive and remediate findings within a certain period of time, and beyond that is all luck. If someone intends to compromise you, it's a matter of when. Your responsibility as the system owner is to make it financially unfeasible to do so.

[1715442158]

1715442158

[1715442158]

1715442158

[falsealarm_bf]

I hate to say this, but handing out an ISO for a MN is in a very real way analogous to handing out condoms to horny teenagers.  You can tell them not to fuck all you want, but they're still going to do it.  At least if they have rubbers they're less likely to get the drip-dick or pregnant.

In this case, if MNs get a rep for being a major Achilles heel to the coin and people start looking elsewhere, we're all screwed.  All of us.

It's not my preference, believe me, but in the bigger picture it may be the safer thing to do.  Anyone who's ever run a business will understand the need to eat a shit sandwich for the greater good now and then.

Use of ISOs is a bad idea. What needs to be done is a published set of standards for hardening, a baseline for all OSes, then a set of standards for operations and maintenance for ongoing scans, remediation.

[eltito]

I hate to say this, but handing out an ISO for a MN is in a very real way analogous to handing out condoms to horny teenagers.  You can tell them not to fuck all you want, but they're still going to do it.  At least if they have rubbers they're less likely to get the drip-dick or pregnant.

In this case, if MNs get a rep for being a major Achilles heel to the coin and people start looking elsewhere, we're all screwed.  All of us.

It's not my preference, believe me, but in the bigger picture it may be the safer thing to do.  Anyone who's ever run a business will understand the need to eat a shit sandwich for the greater good now and then.

Use of ISOs is a bad idea. What needs to be done is a published set of standards for hardening, a baseline for all OSes, then a set of standards for operations and maintenance for ongoing scans, remediation.

And  how do you propose to make anyone give a fuck about following these things?

Far more importantly, how many cases of what happened to the guy a few pages back do you think there will need to be before the troll brigades have half the world convinced that DRK is somehow unsafe because of idiots running masternodes?  Doesn't matter if it's true or not.  Perception is truth in practice, and it's all that matters in this case.

[raze182]

I hate to say this, but handing out an ISO for a MN is in a very real way analogous to handing out condoms to horny teenagers.  You can tell them not to fuck all you want, but they're still going to do it.  At least if they have rubbers they're less likely to get the drip-dick or pregnant.

In this case, if MNs get a rep for being a major Achilles heel to the coin and people start looking elsewhere, we're all screwed.  All of us.

It's not my preference, believe me, but in the bigger picture it may be the safer thing to do.  Anyone who's ever run a business will understand the need to eat a shit sandwich for the greater good now and then.

+1

Like I said a month and a half ago: "Precisely why we need a comprehensive, idiot-proof guide to help people set them up. Not because they should, but because they inevitably will whether we like it or not, especially when there's profit to be had."

[predatorkill]

Anyone know why the masternode stats page keeps hanging browsers (or my browsers at least) ?

i.e. this one:

http://drk.poolhash.org/darksend.html

no hang on me, chrome latest version

[anonymousxx1503]

DRK is now the 4th place. Please, vote:

https://sharexcoin.com/votings



Must register. A new coin is chosen daily.

Why do we need this second rate exchange now? Someones needs to give a nice DRK tip to BTC-E owners.

[splawik21]

thank you very much for the help over skype, it seems that the hacker could enter my vps, don't know how exactly but he did
he will post on darkcointalk some advice and tips to not have the same issue as me

if someone can help me in any way please send some tip on my darkcoin wallet
XhGwaKJPMdqEyMU85QBReNNMzVGKDW2EPz

So here was the issue(s).

 It appears there is someone that is pulling all the masternodes from the wallet and running scripts on them to hack in.

And in this case they was able to gain access via SSH, so it had nothing to do with problems in the wallet/daemon/masternode itself.

• The firewall was not running, so all ports were open
• Root access via SSH was allowed
• OpenSSL v1.0.1f was installed on the server
• The password to unlock the wallet was still in bash history command
• The root password was less than 8 characters

My recommendations:

• DO NOT allow root ssh access
• Only open port 9999 in your firewall to the world
• Only open port 22 (SSH) to a trusted ip
• Setup SSH to use certificates for logging in
• Do not run any application on the server that you dont have to
• Encrypt you wallet
• Clear your bash history

There are more, but this would have secured this server.

If any of you can spare a few darkcoins to help this person, he lost 999DRK because of the above issues.

his wallet address is XhGwaKJPMdqEyMU85QBReNNMzVGKDW2EPz

He learned the HARDWAY how not to setup your masternode. I will be putting together a list of things to check and an ISO and AMI for people to use with MOST of the issue addressed, you will still be responsible for checking any think I missed and verify it works for your setup.

His lose WILL help everyone else by showing what you MUST setup so please help him where you can. I will pull some together myself to send.

[falsealarm_bf]

I hate to say this, but handing out an ISO for a MN is in a very real way analogous to handing out condoms to horny teenagers.  You can tell them not to fuck all you want, but they're still going to do it.  At least if they have rubbers they're less likely to get the drip-dick or pregnant.

In this case, if MNs get a rep for being a major Achilles heel to the coin and people start looking elsewhere, we're all screwed.  All of us.

It's not my preference, believe me, but in the bigger picture it may be the safer thing to do.  Anyone who's ever run a business will understand the need to eat a shit sandwich for the greater good now and then.

Use of ISOs is a bad idea. What needs to be done is a published set of standards for hardening, a baseline for all OSes, then a set of standards for operations and maintenance for ongoing scans, remediation.

And  how do you propose to make anyone give a fuck about following these things?

Far more importantly, how many cases of what happened to the guy a few pages back do you think there will need to be before the troll brigades have half the world convinced that DRK is somehow unsafe because of idiots running masternodes?  Doesn't matter if it's true or not.  Perception is truth in practice, and it's all that matters in this case.

The ultimate solution would be to enforce certain standards from within code. Not impossible, but not feasible either. I agree with the perception problem. However, if an exhaustive list of standards is published, then the general public would have no course for propagating their false perceptions of risk with running a masternode. We need to at least make people aware of alternate hosting options under a managed service contract, etc. The way things currently are we are throwing lambs to wolves.

[palawan]

Amazon AWS EC2

I'm not sure why this is the recommended way to run a masternode, but I can tell you I have enough for 1 MN and I was  planning to run one (on the day we had so much problems which stopped my plan).

I never considered Amazon EC2 as an option because of security.

I have an Amazon EC2 server right now.  I'm connected to it.  It's my OpenVPN server and also my PPTP server (for tablets/cell phones).  I've had at least 1 EC2 instance for over a year so it hasn't been free for me for many months now.  I still pay.  I like my server.  Nothing on it that's worth anything if a hacker hacks it.

So why I never considered an EC2 as a masternode?  It's because the EC2 has 2 IP addresses.  One on the internet (which everyone in the world can see).  This IP address is quite secure (oddly enough) per your Security Group definition.

The private IP is the problem.  It will look something like this  10.2xx-1xx-61.  I was able to ssh to the private IP from one EC2 to another (using certificate, of course, don't consider username/password).  So other ports are also open.  Even if they are not open on the Security Group/Internet IP.  This is now a matter of securing your EC2 applications/OS/network-FW.

One of the EC2's I was running in the past was an Asterisk VoIP server.  Fail2Ban was full of attempted attacks from China, Brazil, etc.  Why was it odd?  Well my Security Group was defined to only accept connections from Tmobile network and other networks I defined.  My Internet IP was not reachable outside of those networks.  But the "private" IP shared with everyone on the Amazon cloud (i.e. Netflix, maybe I should hack them, lol) was accessible to these hackers.  Think of your home network shared with thousands and thousands of unknown's.  Sure, your Windows XP box is secure with a firewall (lol), but against thousands of attackers, it will probably fall.

I would not run a Masternode on a VPS and definitely not on an Amazon EC2.

I have this as my stratum-server   http://goo.gl/cpFXg8     upgraded to 2GB.  It's low power.  No need for a hard drive.  Install Linux on a USB 16GB  (around $12).  Plug in temporarily to monitor during setup.  Afterwards; ssh with byobu-enabled (screens but better).  What more you need?  This behind my ddwrt router which I have full control, I can trust to run my Masternode with only port 9999 open.  I don't think Masternode needs RPC.

Just my .02 DRK humble suggestion...

[Ozziecoin]

guys
where was the mistake he did so smb stole his coins? can you put it in bold so nonody will do the same mistake again?

He did not shutdown ports is biggest error, IMHO.

[CryptoPleb]

I think cold storage and ISO's are going to be an evil necessity. It would be nice to have only 100% linux competent people run masternodes but that shit aint gonna happen.

[Raggie]

Quote from: Raggie on Today at 04:17:36 AM
I guess those XC pumpers dont want ppl to buy sync. So they played with the market during their pump. Make it looks like ppl were dumping sync for XC.

There were whale miners with them dumping mined sync on purpose also,just want ppl to buy other coins which is being pumped. And, those pumpers&miners holding a lo...t of XC waiting to dump to us at a pumped price.

Same thing happening with DARK now.  They don't like ppl to buy dark.  Pump xc because they need to sell.. you guess what？ sell their hardwares. Dark coin block reward decrease when diff go up.So we lessly want to buy new hardwares, and they don't like this.  


Let us Hold dark,and rip XC.

[eltito]

I hate to say this, but handing out an ISO for a MN is in a very real way analogous to handing out condoms to horny teenagers.  You can tell them not to fuck all you want, but they're still going to do it.  At least if they have rubbers they're less likely to get the drip-dick or pregnant.

In this case, if MNs get a rep for being a major Achilles heel to the coin and people start looking elsewhere, we're all screwed.  All of us.

It's not my preference, believe me, but in the bigger picture it may be the safer thing to do.  Anyone who's ever run a business will understand the need to eat a shit sandwich for the greater good now and then.

Use of ISOs is a bad idea. What needs to be done is a published set of standards for hardening, a baseline for all OSes, then a set of standards for operations and maintenance for ongoing scans, remediation.

And  how do you propose to make anyone give a fuck about following these things?

Far more importantly, how many cases of what happened to the guy a few pages back do you think there will need to be before the troll brigades have half the world convinced that DRK is somehow unsafe because of idiots running masternodes?  Doesn't matter if it's true or not.  Perception is truth in practice, and it's all that matters in this case.

The ultimate solution would be to enforce certain standards from within code. Not impossible, but not feasible either. I agree with the perception problem. However, if an exhaustive list of standards is published, then the general public would have no course for propagating their false perceptions of risk with running a masternode. We need to at least make people aware of alternate hosting options under a managed service contract, etc. The way things currently are we are throwing lambs to wolves.

With all due respect, of course they would.  The disinformation campaign would simply ignore its existence while they reached out to FAR wider audiences of people ignorant of the details.

Once people have their minds made up for them in that way it is very hard to get them back in any meaningful quantities.

[TingCoin]

hello there is a a backdoor in the version 10.8.8 i have been stolen 999 dark coin from my master node
here is my wallet address http://chainz.cryptoid.info/drk/address.dws?XfNfxwfQpVKccGprG6PdRWT2UtMGoM9gCL.htm

it has been moved to this wallet XwKx3mWB9ncJo5ZudqyEZ1MoQWMSmE3CwP

it seems either the devs or someone who gave the version given on darkcoin.io got a backdoor


here is the log of my masternode server
 st login : from 192.162.103.175

Can you give a little more info, did you have the wallet encrypted? How was your darkcoin.conf setup?

the wallet was encrypted by  a hard password
the wallet was started as use and not root
i have changed the ssh port from 22 to another
installed fail2ban
did all security thing and still got hacked
the starge thing is that it has been sent only 999 and not all of the darks which is 1000.6
the walet that received the dark is XwKx3mWB9ncJo5ZudqyEZ1MoQWMSmE3CwP
is there anything to do to block that wallet adress? before he move it somewhere else and sell ?

 The ONLY way I can see that someone could do that is if you left the RPC port open in firewall and the rpcuser and rpcpassword was really easy. Even then they would have to know the password that you encrypted the wallet with. Did you maybe use the same password for rpcuser and the password you used to encrypt the wallet? Are you running apache on the server and maybe the user that you started apache with has read access to the directory where you conf file is? Need more info

thank you very much for the help over skype, it seems that the hacker could enter my vps, don't know how exactly but he did
he will post on darkcointalk some advice and tips to not have the same issue as me

if someone can help me in any way please send some tip on my darkcoin wallet
XhGwaKJPMdqEyMU85QBReNNMzVGKDW2EPz

I don't think it was mentioned anywhere, but I just want to make sure. This guy obviously setup the MN with the coins stored on the MN box, right?

[hashmoon]

Masternode Payments and Beyond

https://darkcointalk.org/threads/masternode-payments-and-beyond.921/

is there twitter for dev news like this?

[CryptoPleb]

Amazon AWS EC2

I'm not sure why this is the recommended way to run a masternode, but I can tell you I have enough for 1 MN and I was  planning to run one (on the day we had so much problems which stopped my plan).

I never considered Amazon EC2 as an option because of security.

I have an Amazon EC2 server right now.  I'm connected to it.  It's my OpenVPN server and also my PPTP server (for tablets/cell phones).  I've had at least 1 EC2 instance for over a year so it hasn't been free for me for many months now.  I still pay.  I like my server.  Nothing on it that's worth anything if a hacker hacks it.

So why I never considered an EC2 as a masternode?  It's because the EC2 has 2 IP addresses.  One on the internet (which everyone in the world can see).  This IP address is quite secure (oddly enough) per your Security Group definition.

The private IP is the problem.  It will look something like this  10.2xx-1xx-61.  I was able to ssh to the private IP from one EC2 to another (using certificate, of course, don't consider username/password).  So other ports are also open.  Even if they are not open on the Security Group/Internet IP.  This is now a matter of securing your EC2 applications/OS/network-FW.

One of the EC2's I was running in the past was an Asterisk VoIP server.  Fail2Ban was full of attempted attacks from China, Brazil, etc.  Why was it odd?  Well my Security Group was defined to only accept connections from Tmobile network and other networks I defined.  My Internet IP was not reachable outside of those networks.  But the "private" IP shared with everyone on the Amazon cloud (i.e. Netflix, maybe I should hack them, lol) was accessible to these hackers.  Think of your home network shared with thousands and thousands of unknown's.  Sure, your Windows XP box is secure with a firewall (lol), but against thousands of attackers, it will probably fall.

I would not run a Masternode on a VPS and definitely not on an Amazon EC2.

I have this as my stratum-server   http://goo.gl/cpFXg8     upgraded to 2GB.  It's low power.  No need for a hard drive.  Install Linux on a USB 16GB  (around $12).  Plug in temporarily to monitor during setup.  Afterwards; ssh with byobu-enabled (screens but better).  What more you need?  This behind my ddwrt router which I have full control, I can trust to run my Masternode with only port 9999 open.  I don't think Masternode needs RPC.

Just my .02 DRK humble suggestion...

This is why Im moving mine to a dedicated server.
I just cant settle on where.

[raze182]

Masternode Payments and Beyond

https://darkcointalk.org/threads/masternode-payments-and-beyond.921/

is there twitter for dev news like this?

https://twitter.com/DarkcoinCrypto

[baddw]

In other news, the DRK price has traded within a relatively narrow range for the past several hours on Mintpal, roughly from .017 to .0185 (and in the past 2 hours even tighter within .0175 to .0182), on lower than usual volume.  The buywalls have been generally taller and more durable than the sellwalls, but there simply hasn't been much action.  Current price, .01778, a good 150BTC buywall at or above .0170, and 104BTC in a more gently sloped sell stack at or under .0190.  Volume around 21BTC in the past hour.

[baddw]

Amazon AWS EC2

I'm not sure why this is the recommended way to run a masternode, but I can tell you I have enough for 1 MN and I was  planning to run one (on the day we had so much problems which stopped my plan).

I never considered Amazon EC2 as an option because of security.

I have an Amazon EC2 server right now.  I'm connected to it.  It's my OpenVPN server and also my PPTP server (for tablets/cell phones).  I've had at least 1 EC2 instance for over a year so it hasn't been free for me for many months now.  I still pay.  I like my server.  Nothing on it that's worth anything if a hacker hacks it.

So why I never considered an EC2 as a masternode?  It's because the EC2 has 2 IP addresses.  One on the internet (which everyone in the world can see).  This IP address is quite secure (oddly enough) per your Security Group definition.

The private IP is the problem.  It will look something like this  10.2xx-1xx-61.  I was able to ssh to the private IP from one EC2 to another (using certificate, of course, don't consider username/password).  So other ports are also open.  Even if they are not open on the Security Group/Internet IP.  This is now a matter of securing your EC2 applications/OS/network-FW.

One of the EC2's I was running in the past was an Asterisk VoIP server.  Fail2Ban was full of attempted attacks from China, Brazil, etc.  Why was it odd?  Well my Security Group was defined to only accept connections from Tmobile network and other networks I defined.  My Internet IP was not reachable outside of those networks.  But the "private" IP shared with everyone on the Amazon cloud (i.e. Netflix, maybe I should hack them, lol) was accessible to these hackers.  Think of your home network shared with thousands and thousands of unknown's.  Sure, your Windows XP box is secure with a firewall (lol), but against thousands of attackers, it will probably fall.

I would not run a Masternode on a VPS and definitely not on an Amazon EC2.

I have this as my stratum-server   http://goo.gl/cpFXg8     upgraded to 2GB.  It's low power.  No need for a hard drive.  Install Linux on a USB 16GB  (around $12).  Plug in temporarily to monitor during setup.  Afterwards; ssh with byobu-enabled (screens but better).  What more you need?  This behind my ddwrt router which I have full control, I can trust to run my Masternode with only port 9999 open.  I don't think Masternode needs RPC.

Just my .02 DRK humble suggestion...

Can you not just shutdown all ports on the private IP?

[baddw]

guys
where was the mistake he did so smb stole his coins? can you put it in bold so nonody will do the same mistake again?

He did not shutdown ports is biggest error, IMHO.

I don't think shutting down ports would have done him any good as long as he kept 22 open.  My vote is for root access through SSH + easy root password.  Really though it was a CF all around, and changing any one of several things could have prevented the attack.

Really, though?  Who the HELL puts a machine on the Internet allowing root access through SSH?!  And without, like, a 15+ character password?  ALWAYS use sudo, ALWAYS use difficult passwords for all sudoers, ALWAYS have somewhat obscure usernames for valid SSH logins (not "john" or some crap).