Well, so...
Instead of writing "the guide" as a self-confident expert would, I will write down what I did, what I think about that and ask others to comment on what they think about it.
This way I hope we can put something together which is even better than a guide from a single self-claimed expert (e.g. put the knowledge of the whole community together).
I already had a working Gentoo linux running on my main mining rig.
The distro doesn't really matter but I think the Gentoo handbooks are really good (there is also a dedicated security handbook). They go relatively deep into the bushes (compared to an Ubuntu guide) while you can still break everything down to simple "1 bit noob" user tasks by following them line by line (and might learn some things about the whole system on the way).
I configured the kernel to be as thin as it can be and only installed packages I know I need (or come as minimal requirements of some other packages).
Everything comes from the default stable branch, except the kernel (fresh ck-sources from ckolivas instead of the slightly older default "stable" gentoo-sources) and the proprietary closed-source fglrx (AMD) driver.
-> If you have never done it before, it will take a lot of time to install and configure Gentoo. But I guess most people will settle down with a simple off-the-shelf Ubuntu anyway.
I also already had a fresh OpenWRT distro on my router.
I regularly compile it for myself from the git sources. I also try to keep this as thin as possible (I only compile and install the required packages).
I configured the OpenWRT firewall to drop every incoming connection and not to forward any ports I don't know I need. This firewall also has a simple SYN-flood protection and can filter invalid packets. (But, of course, it won't really protect me from DDoS attacks.)
Also, the router doesn't respond to ssh connections from the WAN interface, it only communicates on the LAN and it has a relatively strong password (12+ characters).
-> Not every router supports open-source firmware, and even fewer support OpenWRT (and I don't even say OpenWRT is the best open-source firmware).
I think Evan's guide is thorough enough about what you need to do with the DarkCoin daemon. But it's easy to make it more friendly with screenshots.
And this is how I secured my wallet (at least for now):
- I freshly created an Ubuntu Live installer from an ISO on a USB flash drive and also placed the darkcoind binary on it,
- unplugged the machine from the network and booted it from the flash drive,
- started darkcoind and asked it to give a new address for user 0 as Evan's guide instructs you,
- encrypted the wallet with a really strong password,
- stopped the wallet daemon and made an md5sum of the wallet.dat before I copied it to the flash drive,
- shut this machine down.
I copied the wallet.dat to the masternode server (as well as a third and fourth location as backups) and checked the md5sum again.
I started darkcoind as Evan's masternode guide instructs.
The problem is that darkcoind won't save more than a few hundred keys into the wallet.dat, no matter how big a keypool I ask for (it does generate all the 10000 or more keys into thin air but saves only ~500 initially and only ~200 new ones after it flushes those original 500 unencrypted keys when you later encrypt the file), and I figure DarkSend will eat the keys from the keypool like a crazy addict, and thus you will either need to periodically input your password on the online server (risking your coins if somebody hacked it, even more if you do it automatically and thus keep the password on the online machine) or copy the wallet.dat to a flash drive, refill its keypool on an offline computer and copy it back (while your masternode is offline).
I think this could be easily solved by "fixing" darkcoind to save as many keys to the wallet.dat as you ask it to generate (and also keep this originally requested number after a keypool flush during the wallet.dat encryption).
I am sure a real security expert would scream into my face over this setup.
But again, I never said you can't hack my server, or kill it with a DDoS attack. I just said you won't steal my coins (at least not without physical interaction).
Unless... -> No, I won't give you ideas.
By the way, I only intend to use my own home server and internet connection for testing purposes.
When (and if) DarkSend becomes popular and starts to consume some real bandwidth I plan to move it to a VPN server (or even a dedicated server, I will see which one fits the real-world requirements then).
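As an added example that is not part of the original post and not the author's own scripts: the "checksum, copy, re-check on every destination" step from the wallet procedure above, written as a small POSIX shell script. It uses sha256sum instead of the md5sum the post mentions (md5 still catches copy corruption, sha256 is just the tool to reach for today); the wallet file and the masternode/backup directories are constructed placeholders, and the demo writes a dummy file, not a real wallet.dat.

```shell
#!/bin/sh
# Added example: record a checksum of wallet.dat on the offline machine,
# then verify every copy after it has been moved to its destinations.
# All paths here are placeholders; the demo uses a constructed dummy file.

set -u

# Write a "<hash>  <filename>" line for one file into a checksum file.
# Run this on the offline machine, before the wallet leaves it.
record_checksum() {
    # $1 = file to hash, $2 = checksum file to write
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" ) > "$2"
}

# Compare a copied file against the recorded checksum.
# Returns 0 if the copy matches, 1 if the hash differs.
verify_copy() {
    # $1 = copied file, $2 = checksum file written by record_checksum
    expected=$(cut -d' ' -f1 "$2")
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Copy the wallet to each destination directory and verify each copy.
# Prints one status line per destination; returns non-zero if any copy
# failed to land or failed the checksum, so a bad backup is never silent.
copy_and_verify() {
    src=$1; sums=$2; shift 2
    rc=0
    for dest in "$@"; do
        mkdir -p "$dest" || { echo "FAILED   $dest (mkdir)"; rc=1; continue; }
        cp "$src" "$dest/"  || { echo "FAILED   $dest (copy)";  rc=1; continue; }
        if verify_copy "$dest/$(basename "$src")" "$sums"; then
            echo "OK       $dest"
        else
            echo "MISMATCH $dest"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo with a constructed dummy wallet: one "masternode"
# destination plus two backup locations, all under a temp directory.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed dummy wallet contents\n' > "$tmp/wallet.dat"
    record_checksum "$tmp/wallet.dat" "$tmp/wallet.sha256"
    copy_and_verify "$tmp/wallet.dat" "$tmp/wallet.sha256" \
        "$tmp/masternode" "$tmp/backup1" "$tmp/backup2"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo
```

Run it with `sh checkwallet.sh`; the script exits non-zero if any destination's copy does not match the hash recorded offline, which is the condition you want a backup step to fail loudly on rather than print a hash you then compare by eye.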