Author

Topic: Protect a Wallet on VPS (Read 1105 times)

sr. member
Activity: 430
Merit: 253
VeganAcademy
January 27, 2016, 05:56:27 PM
#12
what? absolutely do not use root to login.. edit sshrd to disallow root logins and su to root if you must from another user, which is the only one which will be permitted ssh access.
staff
Activity: 3458
Merit: 6793
Just writing some code
January 25, 2016, 04:45:19 PM
#11
So I'll sum the things:
  • Add SSH Key
  • Whitelist IP
  • Firewall securities
  • Encrypt Wallet
  • Run Wallet as another user

Am I right?
Sounds good.

Must I create a new user then log into the user and download and install the wallet or before? I'll use an altcoin.
It would be a good idea to do everything related to the wallet as the other user. Only use root to first login to the machine and then set up the limited user account.
legendary
Activity: 1059
Merit: 1020
January 25, 2016, 04:11:17 PM
#10
So I'll sum the things:
  • Add SSH Key
  • Whitelist IP
  • Firewall securities
  • Encrypt Wallet
  • Run Wallet as another user

Am I right?

Must I create a new user then log into the user and download and install the wallet or before? I'll use an altcoin.
sr. member
Activity: 430
Merit: 253
VeganAcademy
January 19, 2016, 04:30:36 PM
#9
none of the public facing services should be run as root, not just the wallet.

ensure you have a good firewall running.

limit access to yourself only when it comes to ssh access.

whitelist is alright but research stuff like fwpnop as a much more secure means to lock down your server.

maybe find a better distro than ubuntu if you can.
hero member
Activity: 840
Merit: 1000
January 19, 2016, 01:55:01 AM
#8
for starters: anything more than an experimental pool/game should be hosted on a dedicated box.... They're not that expensive, mine costs a little over 300€/year...
On a dedicated box, it's a little harder for a tech to access your data. Cheap VPS's usually use OpenVZ, which is basically just a mounted container on the VPS server (a tech can access all containers from the main server).
KVM is a little better, since the virtual disk isn't actually directly accessible for the tech, but on the other hand it's not that hard either...

If you are really serious about a big pool, i'd go for a physical server with at least 2 disks (raid 1, or raid 5 if you have 3 physical disks). I would encrypt the physical disk AND the home directoy of the bitcoin user (the user running bitcoind). Also, chose a provider that offers DDOS protection, or setup your domain behind the payed version of cloudflare (or both).
I'd whitelist certain IP's on the hardware firewall of your provider (if possible), and use iptables for the same purpose...
member
Activity: 70
Merit: 10
January 19, 2016, 01:46:11 AM
#7
Encrypt the wallet. Do not allow anyone else to access the VPS. If you can, you should put an IP whitelist so that only your ip address can access the VPS.

The white list IP is pretty important. But if your computer get's compromised and it's on that IP... can lead to bad things.  If you throw a VPS up it is really a hot wallet as it's connected to internet full time, that does not excite me on wallet.

Is there any reason you have to use a hot wallet?  I guess what is project?

White list IP's? There are ways around that. Slightly time taking, but easily scriptable. If I were facing a server with such a feature, I would create a script to try pinging the server with spoofed IP's, through the whole range. As soon as I see it respond to my ping, I'll find the IP that works and continue my attack.

The best idea would be to keep the wallet offline, completely offline. And even THATS not 100% secure. There are too many exploits, 0days etc in the wild to be hosting Bitcoin wallet files on a device that is connected to the Internet.

If you insist on a hot-wallet, use strong encryption. Never store the password online. Don't write it down, if you do, write it and immediately hide the piece of paper somewhere. Also, have multiple copies of the wallet. So as soon as an attack occurs, you at least have an opportunity to move funds to another address before the attacker.

Good luck!
staff
Activity: 3458
Merit: 6793
Just writing some code
January 17, 2016, 10:41:17 AM
#6
Encrypt the wallet. Do not allow anyone else to access the VPS. If you can, you should put an IP whitelist so that only your ip address can access the VPS.
Is there any instruction to put the IP on the whitelist?
Depends on your VPS provider. Most of them allow you to whitelist the connections to the server.
legendary
Activity: 1059
Merit: 1020
January 17, 2016, 08:45:44 AM
#5
Encrypt the wallet. Do not allow anyone else to access the VPS. If you can, you should put an IP whitelist so that only your ip address can access the VPS.
Is there any instruction to put the IP on the whitelist?

Encrypt the wallet. Do not allow anyone else to access the VPS. If you can, you should put an IP whitelist so that only your ip address can access the VPS.

The white list IP is pretty important. But if your computer get's compromised and it's on that IP... can lead to bad things.  If you throw a VPS up it is really a hot wallet as it's connected to internet full time, that does not excite me on wallet.

Is there any reason you have to use a hot wallet?  I guess what is project?
I'll run a Wallet on a VPS because it is the hotwallet for the altcoin.
The project is a mining game where user can claim Miners and mine two cryptocurrencies. Therefore the website connect to the Wallet via RPC to send the funds.
Large amounts will be sent after manual verification from personal wallet.

Cheers
Salmen
legendary
Activity: 4256
Merit: 1313
January 17, 2016, 06:50:31 AM
#4
Protecting it is very difficult depending on who you are worried about. A mining pool about 3-4 years ago seemed to have been hacked by a tech at the vps provider. They covered the ~3000 BTC loss themselves.

Revisiting the architecture to minimize the exposure of the hot wallet might be a good idea if this will eventually handle any large sums.


Hi!

In my next project, I would like to run an altcoin on a Ubuntu VPS and integrate this in my project to withdraw.
Therefore I ask how can I protect the funds on a VPS. I have already experience that I can allow a IP to connect with the RPC and the wallet shouldn't be used as root but as a new user.

Cheers
Salmen
legendary
Activity: 1456
Merit: 1000
January 17, 2016, 01:29:20 AM
#3
Encrypt the wallet. Do not allow anyone else to access the VPS. If you can, you should put an IP whitelist so that only your ip address can access the VPS.

The white list IP is pretty important. But if your computer get's compromised and it's on that IP... can lead to bad things.  If you throw a VPS up it is really a hot wallet as it's connected to internet full time, that does not excite me on wallet.

Is there any reason you have to use a hot wallet?  I guess what is project?
staff
Activity: 3458
Merit: 6793
Just writing some code
January 16, 2016, 05:26:56 PM
#2
Encrypt the wallet. Do not allow anyone else to access the VPS. If you can, you should put an IP whitelist so that only your ip address can access the VPS.
legendary
Activity: 1059
Merit: 1020
January 16, 2016, 05:21:43 PM
#1
Hi!

In my next project, I would like to run an altcoin on a Ubuntu VPS and integrate this in my project to withdraw.
Therefore I ask how can I protect the funds on a VPS. I have already experience that I can allow a IP to connect with the RPC and the wallet shouldn't be used as root but as a new user.

Cheers
Salmen
Jump to: