Bitcoin Forum
Author Topic: RPC vulnerability - protect your testnets  (Read 121 times)
phwizard (Jr. Member, Activity: 32, Merit: 15)
September 06, 2019, 03:01:49 PM
Merited by hugeblack (1)
#1

Hi all,

Just wanted to warn those of you who, like us, are exposing your own blockchain / testnet via RPC: you need to take extra measures to protect against bot attacks there.

In our case someone (likely an automated script) was able to access our Ethereum-based development testnet via an open RPC port and transfer virtual Ether from a coinbase account. Luckily it wasn't a real currency, just a development testnet. However, this shows that there are automated scripts / bots out there scanning for these kinds of vulnerabilities.

Quick solution is to change the port number from the default 8545 to some other arbitrary value.
Proper solution would be to use a Linux firewall and/or IP whitelisting.

More details in our blog post here:
https://www.dappros.com/201908/report-attack-on-dappros-platform-testnet/
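As an added example (not from the post or the linked blog), the following Python script checks for the exposure described above from the defender's side: it parses `ss -lnt` style output for an RPC port bound to every interface and emits the iptables allowlist rules the post recommends. The `ss` lines and the 203.0.113.10/32 allowlisted address are constructed sample values; the port parameter exists because moving RPC off 8545 does not hide it from a port scanner, so the check should run against whatever port is actually in use.

```python
"""Audit for an RPC port exposed on all interfaces and emit allowlist rules."""

RPC_PORT = 8545  # default JSON-RPC port named in the post
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}  # "listen on every interface"

# Constructed `ss -lnt` output for a node that has the RPC port wide open.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    *:8545               *:*
LISTEN  0       128     0.0.0.0:30303        0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
"""
# Same node after binding RPC to loopback only (also constructed).
SAMPLE_SS_HARDENED = SAMPLE_SS.replace("*:8545", "127.0.0.1:8545")


def parse_listeners(ss_output):
    """Return [(local_addr, port), ...] for every LISTEN line in ss -lnt output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        # rpartition keeps IPv6 forms such as "[::]:8545" intact.
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def exposed_rpc(listeners, port=RPC_PORT):
    """Listeners on `port` that accept connections from any interface."""
    return [(a, p) for a, p in listeners if p == port and a in WILDCARD_ADDRS]


def iptables_allowlist(port, allowed_cidrs):
    """iptables commands that accept `port` only from allowed_cidrs, then drop."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT"
             for cidr in allowed_cidrs]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for addr, port in exposed_rpc(parse_listeners(SAMPLE_SS)):
        print(f"RPC port {port} bound to {addr}: reachable from the network")
        print("\n".join(iptables_allowlist(port, ["203.0.113.10/32"])))
```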
ETFbitcoin (Legendary, Activity: 1848, Merit: 2123)
September 06, 2019, 05:37:19 PM
#2

Thanks for the information, but does the vulnerability apply to Bitcoin Core, other Bitcoin full node clients, or other cryptocurrency clients which forked from Bitcoin Core?

gmaxwell (Moderator, Legendary, Activity: 2898, Merit: 2862)
September 08, 2019, 01:10:42 PM
Merited by darosior (2), ETFbitcoin (1)
#3

Bitcoin Core's RPC interface is secure by default and at least slightly difficult to make insecure.

phwizard (Jr. Member, Activity: 32, Merit: 15)
September 09, 2019, 10:37:57 AM
Last edit: September 09, 2019, 11:13:40 AM by phwizard
#4

Thank you for your comments here, ETFbitcoin and gmaxwell. I've only had experience with this Ethereum vulnerability but assumed this would apply to other networks.

RPC vulnerability is something that was highlighted to me by cybersecurity experts when we discussed blockchain node vulnerability in general. Once you expose your RPC, that is a threat.

Good to know Bitcoin Core is better protected there.

I think the market needs some sort of OWASP Top 10 / blockchain-specific vulnerability scanning solution to help developers protect their nodes and testnets, not to mention production enterprise implementations.

Foxpup (Legendary, Activity: 2758, Merit: 1820)
September 09, 2019, 12:12:54 PM
#5

Quote
    I've only had experience with Ethereum vulnerability here but assumed this would apply to other networks.
Quote
    More details in our blog post here:
Quote
    By default, the Ethereum RPC doesn't have any authentication methods, unlike Bitcoin.

Would you please actually read what your writers contribute to your blog before repeatedly posting advertisements for it disguised as normal forum discussion? Thanks.

phwizard (Jr. Member, Activity: 32, Merit: 15)
September 09, 2019, 01:58:39 PM
#6

Foxpup:

We have just shared our own experience. It's not a hired writer or some marketing b/s. The post was written jointly by my software developer and myself. I've received thanks and comments from a Telegram crypto community I posted it in. I'm not sharing information here that I don't think is useful for the community.

By other blockchains I meant the multitude of other blockchains that may have the same RPC vulnerability issue. I understand this forum has "bitcoin" in its name, but for me in such cases Bitcoin is a symbol of blockchain (and the values behind it) generally, not a specific cryptocurrency. I believe Ethereum and other blockchain developers shouldn't be herded into the altcoins sub-forum here, but that is obviously up to the esteemed members and moderators here. Feel free to delete this topic.

Best regards
Taras