Looking for advice on a full node

[nortwood]

Should we be running v0.21.1? It calls it experimental in Raspiblitz.

[HCP]

Been checking around with my network configuration, but still couldn't figure it out. Until I set the bitcoin.conf with rpcallowip=127.0.0.1/0, and it is workings fine. By setting up that conf, would it fix the the actual problems and its safe to procced?

All that is doing is allowing RPC connections from the local machine... I can't really comment as to whether or not its "safe to proceed" as I'm not sure what the rest of your setup is doing.

I gave up on RaspiBolt very early on, and when straight to RaspiBlitz... it seems to take care of most of that setup automagically... with the downside being that running other things like your RaspAP might not be possible etc.

I recently setup a headless raspiblitz running on a naked RPi4 8gb as well. I've got a passive aluminum case (which I like more than the fans) but haven't disconnected it yet. I have had some performance issues. Ultimately uninstalled mempool. The RPi was doggish and the mempool didn't provide as much info as mempool.space. I guess I had just assumed it would have everything.   

What is missing compared with mempool.space? It seemed pretty similar to me... although I can't really check now, because I deleted RaspiBlitz and installed Umbrel to check that out. The version on Umbrel seems pretty complete (it just doesn't have other chains available for obvious reasons) although it is a slightly older version 2.1.2 on Umbrel vs 2.2.1-dev on mempool.space

I haven't really noticed much in the way of performance issues... but then I didn't really test it much... and don't really have a baseline to compare to (ie. I haven't just setup an OS with bare bitcoind and lnd etc.

Also, I'm surprised that "pi" wasn't deleted and I wonder how secure that is. That seems less than ideal based on what I've read from installing other instances on RPi's. But I'm not technically advanced enough to know for sure if that's just less of an issue with tor, assuming it was during download.

I'm not sure what you mean by "pi" not being deleted? Do you mean there is a "pi" user account or something? Again, I can't check because as mentioned above, I deleted RaspiBlitz and installed Umbrel... it doesn't have a "pi" user.

[nortwood]

What is missing compared with mempool.space?

The graph only goes back to the date I installed it and when I looked up some donation addresses it only showed the current balance without the coin history that the website does. 

I have electr, specter, btcpayserver, joinmarket, sphynx, RTL, and mempool all running and it's not bad depending on my tor connection. It's just a bit doggish loading mempool. Apparently I misspoke and it was btcrpcexplorer that I had the most issues with and uninstalled. I couldn't clear all of the npm issues.

Do you mean there is a "pi" user account or something?

   

Yes, it's one of the first things stressed that one should do during other RPi installs. Particularly if you're online with open ports. Perhaps tor functions in a different manner, but my understanding is that bots scan ports and user "pi" with password "raspberry" is very common. So it's stressed to remove "pi" before going online. I'm not sure if I was online for 3 days downloading with open ports over clearnet with a common user/pass. For that matter I'm not sure if "pi" is required for the install to work properly.   

[HCP]

Oh ok... yeah the graph data not being available makes sense because that is data that the service is recording live based on mempool activity that it is observing... it's not information that can be derived from the historical blockchain data.

So, if the service wasn't running, it obviously can't observe that data

Not sure about the address history being missing tho, that seems like the node hasn't finished indexing properly or something... or that the data is pruned for some reason.

By default, I don't think Raspiblitz has txindex=1 set and you have to explicitly turn that on in the settings.

On Umbrel, it seems like mempool and btc-rpc-explorer are actually setup to use the underlying electrum server (ie. electrs) to retrieve address information. I'm not sure if RaspiBlitz operates the same way.

Yes, it's one of the first things stressed that one should do during other RPi installs. Particularly if you're online with open ports. Perhaps tor functions in a different manner, but my understanding is that bots scan ports and user "pi" with password "raspberry" is very common. So it's stressed to remove "pi" before going online. I'm not sure if I was online for 3 days downloading with open ports over clearnet with a common user/pass. For that matter I'm not sure if "pi" is required for the install to work properly.   

Interesting... there certainly isn't a "pi" user on Umbrel... I didn't notice if my Raspiblitz install had it, I didn't think to look to be honest... might be worth creating an issue on the raspiblitz github if the raspiblitz sdcard image is created with that default user enabled.

[nortwood]

I ended up setting up pfsense with a vlan for the node. I like the idea of having it sectioned away from the rest of my local network. Especially the iot. Likely will add a miner to same vlan unless it's wiser to keep them separate. Any insight into rule sets with nodes are welcomed.

The node runs on tor, and churns away with all ports blocked. But I've been having issues with mempool. It won't load properly. It connects and disconnects over and over. I've updated npm issues to the point of "breaking chain" errors that I enabled. At which point I got a 502 error and mempool wouldn't load. Uninstalled, re-installed, and have only cleared npm issues handled automatically. So, I'm back to where I started with mempool stuck in a connect/disconnect loop. This isn't a port issue, correct?    

Surprisingly, last night I restricted the vlans connectivity to pings and dns with no other local or internet access and somehow the node was still running with connections in the morning. Nothing else had connectivity. I'm not sure if they were connections that had been made prior to my change, or? My tor browser didn't have internet access on the same network. Is this some ninja mode of running this, or where those connections previously made?

If you have security concern, change the password and configure SSH only to accept login attempt with SSH key.

I'm trying to do this but I'm having difficulties with the sshd_config file. I can't seem to disable password access. I did this one something else but I don't think the whole file was #disabled/default like this one seems to be. Perhaps others could benefit from learning best practices with this file. Or perhaps someone might just tell me at least what I'm doing wrong. So far I've enabled these things in the file:

Code:

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin prohibit-password yes
StrictModes yes
MaxAuthTries 10
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
#HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

(Edited to add that I'm a dumbass. These settings work. I was thinking this feature wouldn't allow me to connect to the node at all without the keys. I was checking by seeing if I could get to the first prompt, which I could. But I wasn't trying to use the password to actually log in.  )

[nortwood]

I would really like to know best practices for the firewall. I'm not sure what I can block.

TCP     Attempted Information Leak     DESTINATION 51.75.78.103:80        ET POLICY curl User-Agent Outbound

Every 10-15 seconds.

I've been looking these up on everything and most of it seems to be false positives, and that's just lan. This was one of the first things I looked at since it's happening so often. I couldn't find much, except:

Abstract. We show how to exploit side-channels to identify clients with-
out eavesdropping on the communication to the server, and without re-
lying on known, distinguishable traffic patterns. We present different
attacks, utilizing different side-channels, for two scenarios: a fully off-
path attack detecting TCP connections, and an attack detecting Tor
connections by eavesdropping only on the clients.
Our attacks exploit three types of side channels: globally-incrementing IP
identifiers, used by some operating systems, e.g., in Windows; packet pro-
cessing delays, which depend on TCP state; and bogus-congestion events,
causing impact on TCP’s throughput (via TCP’s congestion control
mechanism). Our attacks can (optionally) also benefit from sequential
port allocation, e.g., deployed in Windows and Linux. The attacks are
practical - we present results of experiments for all attacks in different
network environments and scenarios. We also present countermeasures
for these attacks

https://www.researchgate.net/publication/253954669_Spying_in_the_Dark_TCP_and_Tor_Traffic_Analysis

It's an older paper so nothing new, but it's creepy seeing it in real time. I looked back at my firewall and saw that the ports I'm sending from are sequential, to the same ip listed above over and over. So I'm sending out http packets from sequential ports every 10-15 seconds. Surely this isn't right. It doesn't look like the other traffic.

The flaw that we identify is that a blind adversary is able to cause a TCP recipient an involuntary
reaction by sending arbitrary (spoofed) packets. We propose keeping a small
window of acceptable sequence numbers that may be processed. This window
resembles the receiver’s congestion window, but is more aggressive: while packets
outside the congestion window cause a duplicate acknowledgment (which we use
in the attacks described in Sections 3-5), packets that specify sequence numbers
outside the acceptable-window are silently discarded. The acceptable-window is
larger than the host’s congestion window and includes it. A congestion window
is usually up to 216 bytes, an acceptable-window that is twice as large, i.e., 217
bytes, will significantly degrade the attacker’s ability to conduct all the attacks
in this paper. Since the sequence number is 32 bits long, the attacker is required
to send ... times the number of packets to conduct similar attacks. How-
ever, this technique requires that the firewall will inspect the sequence numbers
in incoming TCP packets, which increases the packet processing overhead.

Ideally, I'd like to figure out how to block with pfsense rather than suricata. I just blocked that ip/port but I don't think it was the same ip yesterday. Any insights into best practices are appreciated.  

[nortwood]

I'm assuming that this is nothing, but I'm still curious about how the node works.

I added suricata to the vlan for my node. I've disabled the "emerging-tor.rules", and left the rest of the ETOpen and snort rules on. This results in blocking the IP above (associated with an ipv6 test site) as well as a handful of dns servers (that I didn't assign) making ICMP ECHO REPLY requests. When I do this I still seem to make connections with peers, or at least data continues to be transferred, but I can't access the node from my local network. When I disable the block for the ICMP ECHO REPLY requests I can again access my node and see that I still had 10 peer connections.  

So I'm generally just not understanding what is appropriate traffic through the node and what isn't. It's odd to me that the node requires dns servers other than the one I selected for my network.  


Edited to update:

I ran packet capture and can see that my node is sending out an echo request and receiving a reply to/from a dns server every second.

https://tutorials.cyberaces.org/downloads/pdf/Module2/CyberAces_Module2-Networking-Layer3-Part3-Communication.pdf

The above link (basically ICMP 101) seems to suggest to me that I either have a dns issue that I need to resolve between my new router and the node, or my node is being ID'd. But then there's the fact that I'm not familiar with how tor works..

Sorry to spew my thoughts out in real-time but it'll help me to pick up where I left off as I tend to other irons in the fire. It also seems pertinent to the topic at hand.