Topic: Hosted bitcoind services
TechnoBibble (OP)
January 01, 2015, 02:14:31 AM
 #1

Hi,

I was looking for some information and some solutions to hurdles I might face for my idea.

What I would like to offer

I would like to offer a hosted bitcoin daemon

Why

I see lots of people wanting to run scripts that require bitcoind on shared hosting but are unable to run the daemon themselves. I have a 4tb Dedicated Server I could host this on.

So, My Idea

User logs on to my website, sets up a daemon, with customised RPC username/pass, SSH account with custom username/pass and customised RPC/P2P ports. They also have full access to edit their own bitcoin.conf and view their own "datadir". This will obviously cost a small fee (on a monthly basis). Once confirmed, I can get the scripts to set up the daemon and SSH user and send the information to the user via email.

However, I have already thought of some hurdles I will face.

1) As root, I would be able to "su" onto all these accounts, I don't want to be able to do this, I want to run a legitimate service, Is there any way I can stop this? I don't want people accusing me of stealing their bitcoins etc

2) Logging, I want to keep a log of what every SSH user does, a full audit log if you will, to check if there are any accusations of stolen coins etc.

3) If the above is possible and I catch someone, How would I enforce it.

4) Is this just too much of a headache to even contemplate?

5) anything else I may face?

At the end of the day, I want users to trust my service and trust that I have all security measures taken care of.

Thanks for any help you may provide.
cloverme
SpacePirate.io


January 01, 2015, 04:16:34 AM
 #2

I had a similar idea of doing this as well, there were several projects I was working on and getting a copy of a blockchain up and running quickly was a pain.

I'd actually recommend dedicated systems rather than 1 dedicated system. That might be more expense than you were willing to try it for. You might want to consider offshore dedicated hosting which is inexpensive, but you'll have to pass that cost onto your customer if they are willing to pay for it. If you run too many daemons on your box, your disk I/O will slow down to a crawl, the blockchains are horrible at I/O efficiency.  Consider using a storage system that uses data dedupe as well as SSD caching, like a NetApp. An alternative would just be to use all SSD storage.
 
1 - Customers will have to trust you at certain points, you ultimately own the hardware. Turning over the root pw is about as good as you can get for them. Anything less and people will squawk because you've still got ownership.

2 - Tell your customer to turn on logging, you personally want no responsibility whatsoever, the minute you take on responsibility for something, you own it. Put the onus on the client, if they want logging, then help them do it, otherwise forget it. If someone reports something to you in terms of abuse, then cut your customer off. Just get a really good terms of service built for yourself. Log everything else, switches, firewalls, UPSes etc. to a syslog server.

3 - If you get a report of abuse, suspend their access and cut them off if necessary.  Same as if they fail to pay you at some point.

4 - No, but you should be ready for shenanigans and ddos.

5 - You should have a top notch firewall and put yourself behind some DDoS protection. Get your systems scanned by Qualys and adopt a security standard, like PCI compliance. Set up monitoring, alerting, and out of band access for yourself too.

 
TechnoBibble (OP)
January 01, 2015, 01:14:56 PM
 #3


 

Thanks Cloverme, Really thorough answer, exactly what I was looking for. Due to working with firewalls on a daily basis for work I actually have a cluster I can use and 2 x Dedicated servers, Maybe I will have to purchase some form of NAS.iSCSI for the IO work, I have DDoS protection and OOB Access (pushkablue).

Good idea about the logging, You are right, It should not be my job to "look after" other people's bitcoins, in case they set a weak password etc, They need to have a level of responsibility themselves. As with any wallet/service you have. I'm sure blockchain.info are able to access my "online wallet" for instance, they do own the hardware.

Thanks again, You have given me a lot to think about.

CIYAM
Ian Knowles - CIYAM Lead Developer


January 01, 2015, 01:19:48 PM
 #4

> I'm sure blockchain.info are able to access my "online wallet" for instance, they do own the hardware.

Although they have had some rather bad recent screw ups, the wallet design itself (assuming no flaw), means that the private keys are encrypted "client-side" via .js (so they cannot steal your funds from having access to the server alone).

You should keep this in mind if you are thinking of providing any sort of "wallet service".

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
TechnoBibble (OP)
January 01, 2015, 01:29:12 PM
 #5

> > I'm sure blockchain.info are able to access my "online wallet" for instance, they do own the hardware.
>
> Although they have had some rather bad recent screw ups, the wallet design itself (assuming no flaw), means that the private keys are encrypted "client-side" via .js (so they cannot steal your funds from having access to the server alone).
>
> You should keep this in mind if you are thinking of providing any sort of "wallet service".


Really, That's actually a good idea.

You see, I imagine most people will use it for Gambling Sites/Pools (I need to think about implementing stratum and what effect it will have on the server), Which of course both will hold funds.

I was wondering if there was any Linux feature that I could run that would stop me being able to "su" to people's accounts without asking for their password, instead of dumping me straight into that user.

If anyone has any bright ideas which could help this venture It would be really helpful.
CIYAM
January 01, 2015, 01:35:21 PM
 #6

> If anyone has any bright ideas which could help this venture It would be really helpful.

If the private key(s) are encrypted client-side then also tx signing can be done client-side meaning that the server would never be able to actually spend any BTC from any client (the main issue is whether the clients can trust the .js they are running).

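An added example, not part of the thread or of any wallet's own code, of the client-side model described in posts #4 and #6: the private key is encrypted under a passphrase-derived key before upload, and signing happens only after local decryption, so the server can verify but never sign. It uses Node's built-in crypto module; the function names, the PBKDF2 iteration count, AES-256-GCM, and the plain ECDSA signature over a constructed message (standing in for real Bitcoin transaction signing) are assumptions of this example.

```javascript
'use strict';
const crypto = require('crypto');

const KDF_ITERATIONS = 200000; // assumed work factor for this example

// Client: derive an AES-256 key from the passphrase (PBKDF2-HMAC-SHA256).
function deriveKey(passphrase, salt) {
  return crypto.pbkdf2Sync(passphrase, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Client: encrypt the private key; only this blob is ever uploaded to the host.
function sealPrivateKey(privateKeyDer, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(privateKeyDer), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Client: recover the key; throws on a wrong passphrase or a modified blob.
function openPrivateKey(blob, passphrase) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, blob.salt), blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]);
}

// Client: decrypt locally, sign locally, hand back only the signature.
function signOnClient(blob, passphrase, message) {
  const key = crypto.createPrivateKey({ key: openPrivateKey(blob, passphrase), format: 'der', type: 'pkcs8' });
  return crypto.sign('sha256', message, key);
}

// Server: holds the public key and the sealed blob, so it can verify but not sign.
function verifyOnServer(publicKey, message, signature) {
  return crypto.verify('sha256', message, publicKey, signature);
}

// Walk through both sides with a freshly generated secp256k1 key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const der = privateKey.export({ format: 'der', type: 'pkcs8' });
  const blob = sealPrivateKey(der, 'correct horse battery staple'); // constructed passphrase
  const msg = Buffer.from('constructed payload standing in for a transaction');
  const sig = signOnClient(blob, 'correct horse battery staple', msg);
  let serverCanDecrypt = true; // the host has the blob but must guess the passphrase
  try { openPrivateKey(blob, 'server-guess'); } catch (e) { serverCanDecrypt = false; }
  return { verified: verifyOnServer(publicKey, msg, sig), serverCanDecrypt };
}
```

This covers only the storage and signing split; whether the client can trust the script it is served, the issue raised in post #6, is outside what the code can show.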
TechnoBibble (OP)
January 01, 2015, 01:37:22 PM
 #7

> > If anyone has any bright ideas which could help this venture It would be really helpful.
>
> If the private key(s) are encrypted client-side then also tx signing can be done client-side meaning that the server would never be able to actually spend any BTC from any client (the main issue is whether the clients can trust the .js they are running).


Thanks CIYAM,

That's really helpful. I will look into tx signing. Thanks for the ideas.
CIYAM
January 01, 2015, 01:39:26 PM
 #8

> That's really helpful. I will look into tx signing. Thanks for the ideas.

Most welcome - the ideas are the easy part (it is only in the coding that the blood, sweat and tears will appear). :)

TechnoBibble (OP)
January 01, 2015, 01:56:32 PM
 #9

> > That's really helpful. I will look into tx signing. Thanks for the ideas.
>
> Most welcome - the ideas are the easy part (it is only in the coding that the blood, sweat and tears will appear). :)


:D Agreed, It's also where the fun comes into play ;)