Topic: Looking for advice on a full node (Read 451 times)

I'm assuming that this is nothing, but I'm still curious about how the node works.

I added suricata to the vlan for my node. I've disabled the "emerging-tor.rules", and left the rest of the ETOpen and snort rules on. This results in blocking the IP above (associated with an ipv6 test site) as well as a handful of dns servers (that I didn't assign) making ICMP ECHO REPLY requests. When I do this I still seem to make connections with peers, or at least data continues to be transferred, but I can't access the node from my local network. When I disable the block for the ICMP ECHO REPLY requests I can again access my node and see that I still had 10 peer connections.  

So I'm generally just not understanding what is appropriate traffic through the node and what isn't. It's odd to me that the node requires dns servers other than the one I selected for my network.  


Edited to update:

I ran packet capture and can see that my node is sending out an echo request and receiving a reply to/from a dns server every second.

https://tutorials.cyberaces.org/downloads/pdf/Module2/CyberAces_Module2-Networking-Layer3-Part3-Communication.pdf

The above link (basically ICMP 101) seems to suggest to me that I either have a dns issue that I need to resolve between my new router and the node, or my node is being ID'd. But then there's the fact that I'm not familiar with how tor works..

Sorry to spew my thoughts out in real-time but it'll help me to pick up where I left off as I tend to other irons in the fire. It also seems pertinent to the topic at hand.       

I would really like to know best practices for the firewall. I'm not sure what I can block.


Every 10-15 seconds.

I've been looking these up on everything and most of it seems to be false positives, and that's just lan. This was one of the first things I looked at since it's happening so often. I couldn't find much, except:


https://www.researchgate.net/publication/253954669_Spying_in_the_Dark_TCP_and_Tor_Traffic_Analysis

It's an older paper so nothing new, but it's creepy seeing it in real time. I looked back at my firewall and saw that the ports I'm sending from are sequential, to the same ip listed above over and over. So I'm sending out http packets from sequential ports every 10-15 seconds. Surely this isn't right. It doesn't look like the other traffic.


Ideally, I'd like to figure out how to block with pfsense rather than suricata. I just blocked that ip/port but I don't think it was the same ip yesterday. Any insights into best practices are appreciated.  

I ended up setting up pfsense with a vlan for the node. I like the idea of having it sectioned away from the rest of my local network. Especially the iot. Likely will add a miner to same vlan unless it's wiser to keep them separate. Any insight into rule sets with nodes are welcomed.

The node runs on tor, and churns away with all ports blocked. But I've been having issues with mempool. It won't load properly. It connects and disconnects over and over. I've updated npm issues to the point of "breaking chain" errors that I enabled. At which point I got a 502 error and mempool wouldn't load. Uninstalled, re-installed, and have only cleared npm issues handled automatically. So, I'm back to where I started with mempool stuck in a connect/disconnect loop. This isn't a port issue, correct?    

Surprisingly, last night I restricted the vlans connectivity to pings and dns with no other local or internet access and somehow the node was still running with connections in the morning. Nothing else had connectivity. I'm not sure if they were connections that had been made prior to my change, or? My tor browser didn't have internet access on the same network. Is this some ninja mode of running this, or where those connections previously made?



I'm trying to do this but I'm having difficulties with the sshd_config file. I can't seem to disable password access. I did this one something else but I don't think the whole file was #disabled/default like this one seems to be. Perhaps others could benefit from learning best practices with this file. Or perhaps someone might just tell me at least what I'm doing wrong. So far I've enabled these things in the file:



(Edited to add that I'm a dumbass. These settings work. I was thinking this feature wouldn't allow me to connect to the node at all without the keys. I was checking by seeing if I could get to the first prompt, which I could. But I wasn't trying to use the password to actually log in.  )

Oh ok... yeah the graph data not being available makes sense because that is data that the service is recording live based on mempool activity that it is observing... it's not information that can be derived from the historical blockchain data.

So, if the service wasn't running, it obviously can't observe that data

Not sure about the address history being missing tho, that seems like the node hasn't finished indexing properly or something... or that the data is pruned for some reason.

By default, I don't think Raspiblitz has txindex=1 set and you have to explicitly turn that on in the settings.

On Umbrel, it seems like mempool and btc-rpc-explorer are actually setup to use the underlying electrum server (ie. electrs) to retrieve address information. I'm not sure if RaspiBlitz operates the same way.


Interesting... there certainly isn't a "pi" user on Umbrel... I didn't notice if my Raspiblitz install had it, I didn't think to look to be honest... might be worth creating an issue on the raspiblitz github if the raspiblitz sdcard image is created with that default user enabled.

The graph only goes back to the date I installed it and when I looked up some donation addresses it only showed the current balance without the coin history that the website does. 

I have electr, specter, btcpayserver, joinmarket, sphynx, RTL, and mempool all running and it's not bad depending on my tor connection. It's just a bit doggish loading mempool. Apparently I misspoke and it was btcrpcexplorer that I had the most issues with and uninstalled. I couldn't clear all of the npm issues.

   

Yes, it's one of the first things stressed that one should do during other RPi installs. Particularly if you're online with open ports. Perhaps tor functions in a different manner, but my understanding is that bots scan ports and user "pi" with password "raspberry" is very common. So it's stressed to remove "pi" before going online. I'm not sure if I was online for 3 days downloading with open ports over clearnet with a common user/pass. For that matter I'm not sure if "pi" is required for the install to work properly.   

All that is doing is allowing RPC connections from the local machine... I can't really comment as to whether or not its "safe to proceed" as I'm not sure what the rest of your setup is doing.

I gave up on RaspiBolt very early on, and when straight to RaspiBlitz... it seems to take care of most of that setup automagically... with the downside being that running other things like your RaspAP might not be possible etc.


What is missing compared with mempool.space? It seemed pretty similar to me... although I can't really check now, because I deleted RaspiBlitz and installed Umbrel to check that out. The version on Umbrel seems pretty complete (it just doesn't have other chains available for obvious reasons) although it is a slightly older version 2.1.2 on Umbrel vs 2.2.1-dev on mempool.space

I haven't really noticed much in the way of performance issues... but then I didn't really test it much... and don't really have a baseline to compare to (ie. I haven't just setup an OS with bare bitcoind and lnd etc.


I'm not sure what you mean by "pi" not being deleted? Do you mean there is a "pi" user account or something? Again, I can't check because as mentioned above, I deleted RaspiBlitz and installed Umbrel... it doesn't have a "pi" user.

Should we be running v0.21.1? It calls it experimental in Raspiblitz.

I recently setup a headless raspiblitz running on a naked RPi4 8gb as well. I've got a passive aluminum case (which I like more than the fans) but haven't disconnected it yet. I have had some performance issues. Ultimately uninstalled mempool. The RPi was doggish and the mempool didn't provide as much info as mempool.space. I guess I had just assumed it would have everything.   

A question that I have is whether it downloads the blockchain via tor by default. In the guides I saw that there was an option during initial setup, but I didn't see it. I read that they switched to tor by default for the node itself, and I would hope that would mean from initial blockchain download forward but I'm uncertain. Anyone have any ideas?

Also, I'm surprised that "pi" wasn't deleted and I wonder how secure that is. That seems less than ideal based on what I've read from installing other instances on RPi's. But I'm not technically advanced enough to know for sure if that's just less of an issue with tor, assuming it was during download.

So far I haven't actually used it other than to just play around and learn. I'm not sure that I trust it in it's current configuration, and for sure want to at least isolate it on my network first. Especially after learning how few are online and that there might be other vulnerabilities like the "spying nodes" referenced in another thread that I've yet to fully elucidate.   

Thanks for sharing! Just want to make sure the number on the left side of "free mem xx / xx" is the free RAM you got right?
I'm planning to run other apps on pi, I guess maybe it should be safe then.

xd , My pi runs exactly the same as you. Barebone on top of the package box with a tangled-up cable.

---

Anyway, the IBD is still ongoing but when I run
It returned with http error 403.

My Pi run using Raspap on AP-STA mode + Nextcloud. And I use default Raspibolt bitcoin.conf but I haven't set up the ufw firewall on the Raspibolt security step.

debug.log

Been checking around with my network configuration, but still couldn't figure it out. Until I set the bitcoin.conf with rpcallowip=127.0.0.1/0, and it is workings fine. By setting up that conf, would it fix the the actual problems and its safe to procced?

Seems like you have a good process for getting the blocks/chainstate all sorted via the PC and then migrated back over to the Pi. Nice.



It "idles" away OK:


Idle == just syncing new blocks with electrs + block explorer working away in the background


If I attempt to sync an Electrum wallet with a modest amount of transactions:


It drives the load up a little... increases the memory usage slightly and the temps jump (because I don't have any heatsinks/fans or anything on the Pi at the moment, it's just the bare board sitting on the cardboard box that it came in )


And this is with Electrum syncing + mempool.space + btc explorer open in the browser on my laptop:



So it hums along "OK"... honestly, the most taxing thing so far was the electrum server indexing...

---

On a side note... because I hate myself and can't just leave well enough alone... I'm thinking of blowing it all away and trying out Umbrel. Just so I can see what that is like

Apparently you can also copy across the data from another node, it's just a slightly more manual process: https://github.com/getumbrel/umbrel-os/issues/119

I'll report back once that is done.

@HCP
I'm following the Raspibolt tutorial. I was successfully reindexed on my PC, and its all works fine when i move the HDD back to pi. Though there are some permission issues, so I just changed it back to bitcoin:bitcoin without a problem.

My HDD contained the whole Pi os and the bitcoin data. I just connect it to my pc running Arch, then I just symlink the bitcoin folder to my home bitcoin user. Run the reindex on plain bitcoind with some configuration, it's indeed going faster. When I move it back to pi there are some file permissions are changed to root, but I just chown it back to bitcoin:bitcoin. Upon starting again on the pi, its works.

Yea I use the official power adapter. And yep, AFAIK hdd is a more prone error from power failure, so I rather use the official one.

Thanks anyway! 

How's your pi perform when running all of that? I mean like the ram usage and the CPU Usage

Yeah, using an HDD for the IBD is going to be very slow on the Pi... it's already processor limited, and you're just knee-capping it further using the HDD.

I setup Raspiblitz using a Pi 4B 8GB with an HDD... but I used the "copy" option that it has to transfer the data from my desktop to the Pi HDD. My first attempt I used WiFi (which was incredibly slow) and I didn't copy the "indexes" folder, only the "blocks" and "chainstate" folders as per the RaspiBlitz install instructions.

This was a huge mistake as using some of the other features of RaspiBlitz like electrs (Electrum Server) or the block explorers requires txindex=1... so then I had to wait for the node to complete the transaction indexing... which took something like 24 hrs to index 75%... but I suspect some of the slowdown might have been because I tried to enable several of the extra services at the same time so electrs was creating it's database while bitcoind was txindexing etc.

I eventually had the bright idea of copying the txindex from my desktop as well... so, I wiped the Pi... and this time copied "blocks", "chainstate" and "indexes" from my desktop node datadir (making sure the node was not running of course):

I also used an ethernet cable... which improved the transfer speed by a factor of around 10 (ie. it was taking 2 seconds to transfer a 130GB block file instead of around 18-20 seconds).

So after a couple of hours copying the blockdata, I had bitcoind/lnd up and running... I then installed the mempool/btc-explorer services on the RaspiBlitz and was able to use the block explorer functionality immediately as the node was already indexed.

I then installed the electrs service and it took a few hours to create it's database... and then an hour or so more to compact the database... and now everything is running fairly smoothly.

So, after about a full 24 hours, I have my own personal Bitcoin/LND Node + Electrum Server + Block explorer... and it's all running behind Tor.

I'm actually pretty impressed with RaspiBlitz.


Are you running plain bitcoind on the Pi or are you attempting to use something like RaspiBolt/RaspiBlitz/MyNode?

If you're using plain bitcoind, you should be able to copy the data without issue. Just make sure that your desktop node is stopped first, then copy the data. You will need to copy "blocks" and "chainstate" (and "indexes" if your desktop is set to use txindex=1 and you also want the Pi to do the same) from the desktop node datadir.


There isn't really much you can do... even on a desktop, or Windows... an unclean shutdown can corrupt data. Usually, this should only affect the last block file, so a reindex (while time consuming) should fix it.

Are you using an "official" Pi powersupply? Or just a generic USB adapter? The Pi's can be quite power sensitive and an external HDD will require more power than an external SSD... using a generic USB adapter might be causing power delivery issues.

I got an official power supply... it was like US$8 from my local Pi stockist. I've not had any issues as yet (touch wood)... it seems pretty solid.

I tried to run a full node on pi 4 8GB, and the initial blockchain download is really a pain in the neck, especially that i use HDD. It's a bad decision that I made to use HDD.

Recently, I got power failures on the pi, which made the blockchain data corrupt,  I had to run -reindex-chainstate on it but I guess I got the CPU throttled. So, I tried to reindex it on my PC, I use the permission bitcoin:bitcoin as it the same on pi. Latter if I move it back to pi it shouldn't be a problem, right?

Also, is there any chance to prevent the data from corrupted if it got unclean/forcefully shut down? Is the thing on the Linux OS/file system side or there should be some way on the bitcoin node that able to make the data safe even if it is got unclean shutdown?

Indeed... it seems that the information I was looking at is slightly outdated... I had read that using it headless required creating your own sdcard image. However, further investigation shows that you can use the default image and set it all up headless without issue. There is a fairly comprehensive guide here: https://armantheparman.com/raspiblitz/

And he even shows how to go headless AND use WiFi, if ethernet is not suitable: https://armantheparman.com/headless-wifi/


Meanwhile, I'm off to the store to buy a more reliable power supply for my Pi

The touchscreen for RaspiBlitz is totally optional, you can run RaspiBlitz headless without any issues. I run RaspiBlitz without touchscreen on a Pi 4B with 8GB RAM and currently have only an issue to activate the add-on JoinMarket which runs into an error I couldn't sort out so far with RaspiBlitz v1.7.0 (actively running bitcoind, LND, electrs, RTL, BTC-RPC-Explorer, TOR).

There isn't a definitive Blitz vs Bolt list that I have seen anywhere... I dare say that Blitz includes a number of "add-ons" or extra features that Bolt doesn't like the "stacking sats on kraken" script etc.

Bolt is definitely the bare-bones DIY solution... Blitz is a bit more polished and somewhat "automated", imo

You can verify any update yourself because everything is open source and posted on their github page:
https://github.com/getumbrel/umbrel/releases

If I have a free weekend I might actually enjoy setting all of it up manually :-) Do you know which services are available on the blitz but not on the bolt?

I read that it's not as secure because for example updates aren't signed, although I don't know if that's also the case with the other nodes

Umbrel is probably one of the easiest option for setting up Bitcoin node I ever saw, everything is open source and Lightning Network is fully supported, but you won't do anything wrong if you choose something else like myNode or Raspiblitz.