Bitcoin Forum
Author Topic: Is it possible to Hack a Server with all incoming ports closed?  (Read 2836 times)
neha (OP)
July 28, 2014, 06:41:38 AM
 #1

Hey guys, can anyone tell me if it's possible to hack a server with all incoming ports closed?

Also, does bitcoind require any incoming ports to be open?

Thanks.

ThomasCrowne
July 28, 2014, 07:48:12 AM
 #2

bitcoind requires port 8333 (by default) to be open for connecting to other nodes, so outgoing TCP connections will need to be allowed for syncing with the blockchain. Other than that, I believe you can close down all the other ports if you're not planning on using bitcoin-json-rpc at all.

Only granting exclusive access to a database of whitelisted IP addresses is always a great way to lock things down.

neha (OP)
July 28, 2014, 09:57:05 AM
 #3

We have all the incoming ports closed and bitcoind is still working and we are able to transmit transactions (in testnet). Thus, we want to be sure: if we do keep the incoming ports closed, will it create any problems?

Also, for our application we don't require any ports open. Please advise.

bitjoint
July 28, 2014, 10:15:15 AM
 #4

What is the rest of your stack? Do you have app servers? Web servers?

The best thing you can do is put your bitcoind server in an AWS VPC or similar...

As for "hackable", everything is hackable... you can put smart barriers so the "thieves" desist tho. But definitely there's nothing like a 100% secure system.
neha (OP)
July 28, 2014, 11:13:13 AM
 #5

So that's what I am asking, other than closing ALL the incoming ports, what else can be done to prevent hacking? Anything?

bitsmichel
July 28, 2014, 03:44:22 PM
 #6

Quote
So that's what I am asking, other than closing ALL the incoming ports, what else can be done to prevent hacking? Anything?

Look for which software stack you are running, look for exploits for your system, if there are updates - install them.
Install a firewall, iptables or something along those lines - monitor every request to your system, FreeBSD style :)

neha (OP)
July 28, 2014, 04:42:41 PM
 #7

That's the point. As we have all the ports closed, we really can't figure out what else to do. You specify rules when you have some incoming ports open, but with all the ports closed, we would like some sort of advice. We will be getting a pen test done next week but we wanted to do whatever we can by then to ensure we can pass. Any advice would be appreciated. We are running jboss, bitcoind, armory and mysql on the server with no requirement for any incoming port.

Thanks.

bitsmichel
July 28, 2014, 04:58:13 PM
 #8

Quote
That's the point. As we have all the ports closed, we really can't figure out what else to do. You specify rules when you have some incoming ports open, but with all the ports closed, we would like some sort of advice. We will be getting a pen test done next week but we wanted to do whatever we can by then to ensure we can pass. Any advice would be appreciated. We are running jboss, bitcoind, armory and mysql on the server with no requirement for any incoming port.

Thanks.

With all ports closed, there's not much attacking the machine - it has to be connected to the network or at least a router.
An attacker could potentially get access to the router and do some packet sniffing, i.e. a MITM attack - not sure if they'd get anything from that in this case though.
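
Added example, not part of any post in this thread: a firewall that drops inbound traffic is a separate control from what the services on the box are bound to, so before the pen test it is worth listing every TCP listener that is reachable beyond loopback. The sketch below parses the Linux `/proc/net/tcp` table; the sample rows are constructed, the port labels in the comments (MySQL 3306, JBoss 8080, bitcoind RPC 8332) are default-port assumptions, and only IPv4 on a little-endian host is handled.

```python
import ipaddress
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# Rows: MySQL on loopback, JBoss on all interfaces, bitcoind RPC on loopback,
# bitcoind P2P (8333) on all interfaces, one established outbound P2P link.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 1001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1002
   2: 0100007F:208C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1003
   3: 00000000:208D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1004
   4: 0500000A:C822 077100CB:208D 01 00000000:00000000 00:00000000 00000000  1000        0 1005
"""


def decode_addr(field):
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306)."""
    hex_ip, hex_port = field.split(":")
    # The kernel prints the IPv4 address as a host-order word (little-endian assumed).
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listeners(table):
    """Return (ip, port) for every socket in LISTEN state."""
    found = []
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == LISTEN:
            found.append(decode_addr(fields[1]))
    return found


def exposed(table):
    """Listeners bound to anything other than a loopback address."""
    return [(ip, port) for ip, port in listeners(table)
            if not ipaddress.ip_address(ip).is_loopback]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed rows off Linux
    for ip, port in exposed(table):
        print(f"listening beyond loopback: {ip}:{port}")
```

Any listener reported here is protected only by the packet filter; rebinding a service that needs no remote clients to 127.0.0.1 removes that dependency.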

neha (OP)
July 28, 2014, 05:17:20 PM
 #9

Yeah... that's what I was thinking, but all the traffic is SSL routed other than the Bitcoin blockchains. Moreover, I don't even think people using the service in future will even be able to determine the IP address of the main server, but again, we want to be sure. Anyway, please let me know if anyone can think of anything.

We will be announcing the service soon now after we get the result of pen testing and will open it to a few testers. Thanks everyone.

CreationLayer
July 28, 2014, 11:59:21 PM
 #10

neha,

What you can do is have a forward facing server, that is connected to the outside for the port you need to receive the blockchain.

Then you have your second server connected via VPN on a non-public IP, 10.0.0.1, then route connections through the outside server.

This is one way to reduce risk.

neha (OP)
July 29, 2014, 06:42:34 AM
 #11

Quote
neha,

What you can do is have a forward facing server, that is connected to the outside for the port you need to receive the blockchain.

Then you have your second server connected via VPN on a non-public IP, 10.0.0.1, then route connections through the outside server.

This is one way to reduce risk.

Yes, that's a possibility, but I guess we are not that worried about the blockchain connections as they don't pose any risk, and moreover it's better that our node connects to multiple different nodes. But thanks for your input.

rz20
July 30, 2014, 08:46:32 PM
 #12

Allow bitcoind only to one ip address.
botticelli
August 03, 2014, 08:29:13 PM
 #13

Quote
Hey guys, can anyone tell me if it's possible to hack a server with all incoming ports closed?

Keep in mind that there is more in the world of networks besides TCP+UDP, for example ARP, ICMP, DHCP, ...
They don't run over IP, so they don't care about your IP-port-related settings.

In addition: Your machine IS talking to the outside. And you say that you are relying on SSL to provide confidentiality, integrity and authenticity.
Is your SSL library bullet-proof? Can you trust your domain name resolution? Are you validating SSL certificates at all? How secure is your certificate verification mechanism? When did you update that system and fetch the latest certificates, and do you know that they really were not tampered with?
And what about physical access to the machine? Is it a virtual machine? How secure is the host? Is it hosted by a different company? What about their access restrictions for administration purposes?
And don't limit the meaning of "hacking". Think of an attack that can crash your whole system, or block it due to DoS attacks. Everything that makes your business lose money "hurts".

...

bluefirecorp
August 04, 2014, 03:54:40 PM
 #14

It's possible to hack any server. Even servers without internet access. Jumping the air gap has been done before and will be done again.

Brewins
August 04, 2014, 04:20:24 PM
 #15

1 - Hire the impossible mission squad to get physical access to your server. Or just an ISP guy that appears to solve a malfunction in your internet connection.

2 - Go below the network layer.
ensurance982
August 04, 2014, 04:37:42 PM
 #16

I guess it depends on what you want to achieve and what is actually running on that server. If it turns out that the server runs something that allows you to execute Turing complete stuff, preferably as root... Well, then you've hacked it I guess.

cp1
August 04, 2014, 04:42:58 PM
 #17

If you're securing more than $1000 you should get a real security person, not rely on free advice from the off-topic forum.

Guide to armory offline install on USB key:  https://bitcointalk.org/index.php?topic=241730.0