Topic: Protect a Wallet on VPS (Read 1081 times)

sr. member
Activity: 430
Merit: 253
VeganAcademy
January 27, 2016, 06:56:27 PM
#12
what? absolutely do not use root to login.. edit sshd to disallow root logins and su to root if you must from another user, which is the only one which will be permitted ssh access.
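The sshd settings this post describes (no root login, one permitted login user), together with the SSH-key advice given elsewhere in the thread, can be checked mechanically. This is an added example, not part of the original post; the sample file contents and the user name `walletadmin` are constructed, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not from the thread. sshd keeps the FIRST value it reads for a
# keyword, and keywords are case-insensitive, so only that occurrence counts.

# Print the effective global value of keyword $2 in file $1, lower-cased.
# Assumption: no Include files; parsing stops at the first Match block.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }                 # "Keyword=value" is also accepted by sshd
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }
    ' "$1"
}

# Print one FAIL line per finding; return 0 only when the file is clean.
audit_sshd() {
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin)
    pass=$(sshd_effective "$1" PasswordAuthentication)
    users=$(sshd_effective "$1" AllowUsers)
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=${root:-unset} (want no)"; rc=1; }
    [ "$pass" = "no" ] || { echo "FAIL PasswordAuthentication=${pass:-unset} (want no)"; rc=1; }
    case " $users " in
        "  ")                  echo "FAIL AllowUsers unset (want one login user)"; rc=1 ;;
        *" root "*|*" root@"*) echo "FAIL AllowUsers lists root"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the early "yes" wins, so the later "no" is dead config.
weak_config() {
    printf '%s\n' '# constructed sample' 'PermitRootLogin yes' \
        'passwordauthentication no' 'PermitRootLogin no'
}
# Constructed sample following the advice; "walletadmin" is a hypothetical user.
hardened_config() {
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication=no' 'AllowUsers walletadmin'
}

tmp=$(mktemp)
weak_config > "$tmp";     audit_sshd "$tmp" || true
hardened_config > "$tmp"; audit_sshd "$tmp" && echo "hardened sample: clean"
rm -f "$tmp"
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, which also covers Include files.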
staff
Activity: 3374
Merit: 6530
Just writing some code
January 25, 2016, 05:45:19 PM
#11
So I'll sum the things:
  • Add SSH Key
  • Whitelist IP
  • Firewall securities
  • Encrypt Wallet
  • Run Wallet as another user

Am I right?
Sounds good.

Must I create a new user then log into the user and download and install the wallet or before? I'll use an altcoin.
It would be a good idea to do everything related to the wallet as the other user. Only use root to first login to the machine and then set up the limited user account.
legendary
Activity: 1059
Merit: 1020
January 25, 2016, 05:11:17 PM
#10
So I'll sum the things:
  • Add SSH Key
  • Whitelist IP
  • Firewall securities
  • Encrypt Wallet
  • Run Wallet as another user

Am I right?

Must I create a new user then log into the user and download and install the wallet or before? I'll use an altcoin.
sr. member
Activity: 430
Merit: 253
VeganAcademy
January 19, 2016, 05:30:36 PM
#9
none of the public facing services should be run as root, not just the wallet.

ensure you have a good firewall running.

limit access to yourself only when it comes to ssh access.

whitelist is alright but research stuff like fwknop as a much more secure means to lock down your server.

maybe find a better distro than ubuntu if you can.
hero member
Activity: 840
Merit: 1000
January 19, 2016, 02:55:01 AM
#8
for starters: anything more than an experimental pool/game should be hosted on a dedicated box.... They're not that expensive, mine costs a little over 300€/year...
On a dedicated box, it's a little harder for a tech to access your data. Cheap VPSs usually use OpenVZ, which is basically just a mounted container on the VPS server (a tech can access all containers from the main server).
KVM is a little better, since the virtual disk isn't actually directly accessible for the tech, but on the other hand it's not that hard either...

If you are really serious about a big pool, I'd go for a physical server with at least 2 disks (raid 1, or raid 5 if you have 3 physical disks). I would encrypt the physical disk AND the home directory of the bitcoin user (the user running bitcoind). Also, choose a provider that offers DDOS protection, or setup your domain behind the paid version of cloudflare (or both).
I'd whitelist certain IPs on the hardware firewall of your provider (if possible), and use iptables for the same purpose...
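The iptables whitelist suggested in this post, applied to the setup the thread describes (one admin address for SSH, the website host for wallet RPC), as an added example that is not part of the original post. All addresses are constructed documentation-range placeholders, and port 8332 (Bitcoin Core's default RPC port) stands in for whatever port the altcoin wallet uses.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables-restore ruleset that
# drops inbound traffic by default and whitelists two sources.
# All addresses and the port used below are constructed placeholders.

# Succeed only for a dotted-quad IPv4 address with each octet in 0..255.
# Rejects CIDR ranges such as 0.0.0.0/0, so a typo cannot open the rule to all.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# emit_rules ADMIN_IP APP_IP RPC_PORT
# ADMIN_IP may reach SSH; APP_IP (the website host) may reach the wallet RPC port.
emit_rules() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || { echo "bad address" >&2; return 1; }
    case "$3" in ''|*[!0-9]*|??????*) echo "bad port" >&2; return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "bad port" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $1/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s $2/32 -p tcp --dport $3 -j ACCEPT
COMMIT
EOF
}

# Constructed sample values: admin workstation, website host, RPC port.
emit_rules 203.0.113.10 198.51.100.20 8332
```

The output is in the format `iptables-restore` reads; keep a provider console session open while loading it so a wrong admin address does not lock you out.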
member
Activity: 70
Merit: 10
January 19, 2016, 02:46:11 AM
#7
Encrypt the wallet. Do not allow anyone else to access the VPS. If you can, you should put an IP whitelist so that only your ip address can access the VPS.

The white list IP is pretty important. But if your computer gets compromised and it's on that IP... can lead to bad things.  If you throw a VPS up it is really a hot wallet as it's connected to internet full time, that does not excite me on wallet.

Is there any reason you have to use a hot wallet?  I guess what is project?

White list IPs? There are ways around that. Slightly time taking, but easily scriptable. If I were facing a server with such a feature, I would create a script to try pinging the server with spoofed IPs, through the whole range. As soon as I see it respond to my ping, I'll find the IP that works and continue my attack.

The best idea would be to keep the wallet offline, completely offline. And even THAT'S not 100% secure. There are too many exploits, 0days etc in the wild to be hosting Bitcoin wallet files on a device that is connected to the Internet.

If you insist on a hot-wallet, use strong encryption. Never store the password online. Don't write it down, if you do, write it and immediately hide the piece of paper somewhere. Also, have multiple copies of the wallet. So as soon as an attack occurs, you at least have an opportunity to move funds to another address before the attacker.

Good luck!
staff
Activity: 3374
Merit: 6530
Just writing some code
January 17, 2016, 11:41:17 AM
#6
Encrypt the wallet. Do not allow anyone else to access the VPS. If you can, you should put an IP whitelist so that only your ip address can access the VPS.
Is there any instruction to put the IP on the whitelist?
Depends on your VPS provider. Most of them allow you to whitelist the connections to the server.
legendary
Activity: 1059
Merit: 1020
January 17, 2016, 09:45:44 AM
#5
Encrypt the wallet. Do not allow anyone else to access the VPS. If you can, you should put an IP whitelist so that only your ip address can access the VPS.
Is there any instruction to put the IP on the whitelist?

Encrypt the wallet. Do not allow anyone else to access the VPS. If you can, you should put an IP whitelist so that only your ip address can access the VPS.

The white list IP is pretty important. But if your computer gets compromised and it's on that IP... can lead to bad things.  If you throw a VPS up it is really a hot wallet as it's connected to internet full time, that does not excite me on wallet.

Is there any reason you have to use a hot wallet?  I guess what is project?
I'll run a Wallet on a VPS because it is the hotwallet for the altcoin.
The project is a mining game where users can claim Miners and mine two cryptocurrencies. Therefore the website connects to the Wallet via RPC to send the funds.
Large amounts will be sent after manual verification from personal wallet.

Cheers
Salmen
legendary
Activity: 4018
Merit: 1299
January 17, 2016, 07:50:31 AM
#4
Protecting it is very difficult depending on who you are worried about. A mining pool about 3-4 years ago seemed to have been hacked by a tech at the vps provider. They covered the ~3000 BTC loss themselves.

Revisiting the architecture to minimize the exposure of the hot wallet might be a good idea if this will eventually handle any large sums.


Hi!

In my next project, I would like to run an altcoin on a Ubuntu VPS and integrate this in my project to withdraw.
Therefore I ask how can I protect the funds on a VPS. I have already experience that I can allow an IP to connect with the RPC and the wallet shouldn't be used as root but as a new user.

Cheers
Salmen
legendary
Activity: 1456
Merit: 1000
January 17, 2016, 02:29:20 AM
#3
Encrypt the wallet. Do not allow anyone else to access the VPS. If you can, you should put an IP whitelist so that only your ip address can access the VPS.

The white list IP is pretty important. But if your computer gets compromised and it's on that IP... can lead to bad things.  If you throw a VPS up it is really a hot wallet as it's connected to internet full time, that does not excite me on wallet.

Is there any reason you have to use a hot wallet?  I guess what is project?
staff
Activity: 3374
Merit: 6530
Just writing some code
January 16, 2016, 06:26:56 PM
#2
Encrypt the wallet. Do not allow anyone else to access the VPS. If you can, you should put an IP whitelist so that only your ip address can access the VPS.
legendary
Activity: 1059
Merit: 1020
January 16, 2016, 06:21:43 PM
#1
Hi!

In my next project, I would like to run an altcoin on a Ubuntu VPS and integrate this in my project to withdraw.
Therefore I ask how can I protect the funds on a VPS. I have already experience that I can allow an IP to connect with the RPC and the wallet shouldn't be used as root but as a new user.

Cheers
Salmen