Topic: Any safe way to config RPC when running on TOR? (Read 1419 times)

hero member
Activity: 1061
Merit: 502
RIP: S5, A faithful device long time
September 30, 2015, 12:22:09 PM
#5
Background, I'm running a full node, but my Orwellian ISP bans peer to peer (even calls it out in the TOS), they have even warned me when they see ports open through my NAT.  So to counter my ISP, I'm running bitcoin on TOR.  This violates TOS, but they haven't detected my TOR config since I use bridges.  I'm configured with -onlynet=onion so a lot of the exit-node threats would be neutralized.

Running bitcoin on TOR works great... but... this has the side effect of binding EXTERNAL traffic to 127.0.0.1.  My fear is, that opening up RPC requests with -rpcbind=127.0.0.1 would open me up to the world.  Similar to -rpcbind=* (<== bad!!!).

Now, the one safeguard I have is that TOR only binds specified ports to 127.0.0.1 through its hidden services config.

So if I configure TOR to only bind to 127.0.0.1:8333, then go ahead and open up 127.0.0.1:8332 (locally, not TOR), should I be safe, or would I be foolhardy?  This is my hot wallet I'm talking about.

BTW, the reason I'm not binding RPC to a fake addr like 0.0.0.0 is that I need RPC for walletpassphrase commands.  I never felt good about issuing those through bitcoin-cli since the argument list is in the clear and viewable by any process or service on my box.

PS.. realize this is kind of a TOR specific question, so I will likely cross post to /r/TOR

You mean something like the example ninja stick? A little over 20 dollars. Yep, a loopback adapter; it slows the connection down a little bit.
full member
Activity: 149
Merit: 100
Also 0.0.0.0 is not a fake addr. It stands for ALL addresses available on your server.
staff
Activity: 4242
Merit: 8672
Tor hidden service support can only connect to the specified ports in the tor configuration.

Additionally, your RPC is protected by the rpcuser/rpcpassword. The binding restriction is just belt and suspenders because, e.g., sometimes users copy their rpcpassword out of example configurations they find on the internet.

Just don't do anything too crazy-- like copy your rpcpassword off the net or reconfigure tor to allow connections to the rpc port-- and you'll be fine.
sr. member
Activity: 252
Merit: 251
you could try to add multiple IPs for loopback:
http://askubuntu.com/questions/444124/how-to-add-a-loopback-interface

and bind bitcoin rpc to another one of them.

(I have not tried that and I am not familiar with tor: so please check if it works)
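The two replies above make the same point from different angles: a hidden service only forwards the ports named in torrc, so RPC on loopback is unreachable from the onion side unless a HiddenServicePort line points at it, and binding RPC to a second loopback address keeps it apart from the P2P target. The following audit script is an added example, not code from this thread or from Bitcoin Core or Tor. It parses a torrc and a bitcoin.conf (both sample texts below are constructed) and reports any way the RPC listener could be exposed: a non-loopback rpcbind, an rpcallowip wider than loopback, or a HiddenServicePort whose target is the RPC listener. It assumes bitcoind's documented rule that rpcbind is ignored (falling back to loopback) when rpcallowip is absent, and it handles only the TCP forms of HiddenServicePort, skipping unix-socket targets.

```python
"""Audit a torrc + bitcoin.conf pair for RPC exposure through a Tor hidden service.
Added example; the config samples below are constructed, not from any real host."""
import ipaddress

DEFAULT_RPC_PORT = 8332  # bitcoind mainnet RPC default
WILDCARDS = {"*", "0.0.0.0", "::"}

SAFE_TORRC = """
HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333   # P2P only
"""
UNSAFE_TORRC = """
HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333
HiddenServicePort 8332 127.0.0.1:8332   # forwards onion traffic to RPC
"""
SAFE_CONF = """
onlynet=onion
proxy=127.0.0.1:9050
rpcuser=REPLACE_ME
rpcpassword=REPLACE_ME
rpcbind=127.0.0.1
rpcallowip=127.0.0.1
"""
UNSAFE_CONF = """
rpcbind=0.0.0.0
rpcallowip=0.0.0.0/0
"""

def split_hostport(value, default_port):
    """Split 'host:port', '[v6]:port' or bare 'host' into (host, port)."""
    if value.startswith("["):               # bracketed IPv6 literal
        host, _, rest = value[1:].partition("]")
        port = rest.lstrip(":") or str(default_port)
    elif value.count(":") == 1:             # IPv4 or hostname with a port
        host, port = value.split(":")
    else:                                   # bare host, or unbracketed IPv6
        host, port = value, str(default_port)
    return host, int(port)

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def hidden_service_targets(torrc_text):
    """Yield (target_host, target_port) for each TCP HiddenServicePort line."""
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() != "hiddenserviceport":
            continue
        vport = int(parts[1])
        if len(parts) == 2:                 # no TARGET: Tor uses 127.0.0.1:VIRTPORT
            yield "127.0.0.1", vport
        elif parts[2].startswith("unix:"):  # unix socket target, not a TCP listener
            continue
        elif parts[2].isdigit():            # TARGET of just a port means 127.0.0.1:port
            yield "127.0.0.1", int(parts[2])
        else:
            yield split_hostport(parts[2], vport)

def parse_bitcoin_conf(conf_text):
    """Collect repeatable key=value options into lists; [section] headers are ignored."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, val = line.partition("=")
        opts.setdefault(key.strip(), []).append(val.strip())
    return opts

def audit(torrc_text, conf_text):
    """Return a list of findings; an empty list means RPC stays loopback-only."""
    findings = []
    opts = parse_bitcoin_conf(conf_text)
    rpc_port = int(opts.get("rpcport", [DEFAULT_RPC_PORT])[0])
    binds = opts.get("rpcbind")
    if binds and "rpcallowip" not in opts:
        binds = None  # bitcoind ignores rpcbind without rpcallowip and stays on loopback
    listeners = [split_hostport(b, rpc_port) for b in (binds or ["127.0.0.1", "::1"])]
    for host, port in listeners:
        if host in WILDCARDS or not is_loopback(host):
            findings.append(f"rpcbind={host}:{port} is not a loopback address")
    for allow in opts.get("rpcallowip", []):
        try:
            if not ipaddress.ip_network(allow, strict=False).is_loopback:
                findings.append(f"rpcallowip={allow} admits non-loopback clients")
        except ValueError:
            findings.append(f"rpcallowip={allow} is not an IP or CIDR")
    for t_host, t_port in hidden_service_targets(torrc_text):
        for l_host, l_port in listeners:
            if t_port == l_port and (l_host in WILDCARDS or t_host == l_host):
                findings.append(f"HiddenServicePort forwards onion traffic to RPC at {t_host}:{t_port}")
    return findings

if __name__ == "__main__":
    for name, torrc, conf in [("safe", SAFE_TORRC, SAFE_CONF), ("unsafe", UNSAFE_TORRC, UNSAFE_CONF)]:
        print(name, audit(torrc, conf) or ["no findings"])
```

Run it against the real files (`audit(open("/etc/tor/torrc").read(), open(path_to_bitcoin_conf).read())`) and treat any finding as a configuration to fix before unlocking the wallet; the loopback-alias idea from the reply above shows up as a clean result when rpcbind points at 127.0.0.2 while the hidden service target stays 127.0.0.1.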