Close bitcoind for incoming connections

[Yzord]

I have setup an Electrum server and i am now downloading the btc blockchain. The tutorial of Electrum tells me it is better to "close bitcoind for incoming connections".

I am not that good with iptables, so is there anyone who can offer me the string to put in iptables for closing bitcoind for incoming connections?

[1715424622]

1715424622

[1715424622]

1715424622

[1715424622]

1715424622

[Newar]

If you have never opened it, consider it closed. Check here for port 8333 and your external IP (whatismyip.com): http://www.yougetsignal.com/tools/open-ports/

Does it say why they recommend that?

[Yzord]

Yeah, for security issues

To increase security you may want to close bitcoind for incoming connections and connect outbound only

And port 8333 is open i have installed UFW, so is doing "sudo ufw deny 8333" enough? I don't want to lose my ssh login

[Newar]

I would do:

ufw status numbered

look at the number of the rule for port 8333, say it's x

then

ufw delete x


Check http://man.he.net/man8/ufw


Edit: If it says it's open and you're server is "at home", check your router config as well and close it there too.

[Yzord]

It says:

bitcoin@electrum:~$ sudo ufw status numbered
Status: inactive

I need to enable it, but i'm afraid i lose my ssh so i can't get in anymore i do have set ufw allow 22 though

[Newar]

[...]

I need to enable it, but i'm afraid i lose my ssh so i can't get in anymore i do have set ufw allow 22 though

Hm, no wonder everything is open then, unless you set the rules somewhere else.

You can do

ufw --dry-run enable

to see what "would" happen.

Is this on a VPS? Does it offer a "serial console" for recovery? (You would see this option on your config panel (if any)).

[Yzord]

Yeah, my VPS control panel shows a console...i mean, i can send commands, but it does not show a terminal or something. But when i fill in "top" i get:

Return code: 1
Output:
top: failed tty get

So it would get excited to run it haha. i do have put

ufw allow proto tcp from any to any port 22

into ufw

Shall i just do it? The btc blockchain is still downloading though...hopefully i won't fuck it up

[Newar]

It wouldn't affect your download much.

You can run ufw commands with "--dry-run" to see what "would" happen.

Just passing a rule won't make it active yet. At one point you will have to run "ufw enable" to make your rules work.

Again, check http://man.he.net/man8/ufw

[Yzord]

Ok, that didn't worked well. I started ufw and my ssh connection got closed and also blocked. Could stop ufw from the console in VPS control panel though.

Looks like it is not accepting pre pushed rules or something.

Now i get this when i restart:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
modprobe: ERROR: ../libkmod/libkmod.c:507 kmod_lookup_alias_from_builtin_file() could not open builtin file '/lib/modules/2.6.32-042stab094.7/modules.builtin.bin'
modprobe: FATAL: Module nf_conntrack_ftp not found.
modprobe: ERROR: ../libkmod/libkmod.c:507 kmod_lookup_alias_from_builtin_file() could not open builtin file '/lib/modules/2.6.32-042stab094.7/modules.builtin.bin'
modprobe: FATAL: Module nf_nat_ftp not found.
modprobe: ERROR: ../libkmod/libkmod.c:507 kmod_lookup_alias_from_builtin_file() could not open builtin file '/lib/modules/2.6.32-042stab094.7/modules.builtin.bin'
modprobe: FATAL: Module nf_conntrack_netbios_ns not found.
iptables-restore: line 4 failed
iptables-restore: line 77 failed
iptables-restore: line 38 failed
ip6tables-restore: line 4 failed
ip6tables-restore: line 73 failed
ip6tables-restore: line 38 failed
sysctl: permission denied on key 'net.ipv4.tcp_sack'

Problem running '/etc/ufw/before.rules'
Problem running '/lib/ufw/user.rules'
Problem running '/etc/ufw/before6.rules'
Problem running '/lib/ufw/user6.rules

grr

[Newar]

What VPS provider?

Can you check if any other ports are open? For example 8335 or 45944.

If that's the case it means your whole VPS is open to intruders. Ask your VPS provider how to go about that. There should be a way to define your own FW rules.

Did you install ufw or was it already there?

[Yzord]

According to online port scanner 22 & 25 are open, the rest are closed, so i guess it is fully open, but no daemons running.

i installed ufw myself on a minimal Ubuntu version

[Newar]

Which Ubuntu? I had issues one time with 12.04 and ufw.

Can you list your iptables rules? I.e.:

sudo iptables -L


Reference: https://help.ubuntu.com/community/IptablesHowTo

[Yzord]

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-input  all  --  anywhere             anywhere           
ufw-before-input  all  --  anywhere             anywhere           
ufw-after-input  all  --  anywhere             anywhere           
ufw-after-logging-input  all  --  anywhere             anywhere           
ufw-reject-input  all  --  anywhere             anywhere           
ufw-track-input  all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere           
ufw-before-forward  all  --  anywhere             anywhere           
ufw-after-forward  all  --  anywhere             anywhere           
ufw-after-logging-forward  all  --  anywhere             anywhere           
ufw-reject-forward  all  --  anywhere             anywhere           
ufw-track-forward  all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere           
ufw-before-output  all  --  anywhere             anywhere           
ufw-after-output  all  --  anywhere             anywhere           
ufw-after-logging-output  all  --  anywhere             anywhere           
ufw-reject-output  all  --  anywhere             anywhere           
ufw-track-output  all  --  anywhere             anywhere           

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination

Those are my rules...not much lol. It is Ubuntu 14.04 64bits.

[Yzord]

Strange:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 8333                       DENY IN     Anywhere
[ 2] 22                         ALLOW IN    Anywhere
[ 3] 22/tcp                     ALLOW IN    Anywhere
[ 4] 8333 (v6)                  DENY IN     Anywhere (v6)
[ 5] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

But i still can't get in with ssh. While port seems to be open. Perhaps the hardware node is blocking it, but i installed openvpn on this server once before and that worked.

[zvs]

I have setup an Electrum server and i am now downloading the btc blockchain. The tutorial of Electrum tells me it is better to "close bitcoind for incoming connections".

I am not that good with iptables, so is there anyone who can offer me the string to put in iptables for closing bitcoind for incoming connections?

well, you could just set listen=0 in the bitcoin.conf file.

i'd say you should change your ssh port, but I guess it doesn't matter if you don't mind log spam...  have you checked /etc/ssh/sshd_config?  maybe it isn't listening on port 22

netfilter is an iptables dependency, that should have the conntrack modules.   boggle.

[Yzord]

Thanks!