Bitcoin Full Node on RBP3 (revised)

Things you need:

Get Raspbian Lite image

wget --content-disposition https://downloads.raspberrypi.org/raspbian_lite_latest
# NOTE: 2 spaces are needed between hash and filename
echo "5a0747b2bfb8c8664192831b7dc5b22847718a1cb77639a1f3db3683b242dc96  2018-04-18-raspbian-stretch-lite.zip" | shasum -a 256 -c -
# the output should be something like:
2018-04-18-raspbian-stretch-lite.zip: OK

Put image on the SD card

# Extract .img file from .zip archive
unzip 2018-04-18-raspbian-stretch-lite.zip
diskutil list | grep external
# Unmount it
diskutil unmountDisk /dev/disk2
# Copy image to the SD card
sudo dd bs=1m if=2018-04-18-raspbian-stretch-lite.img of=/dev/disk2

Enable ssh

touch /Volumes/boot/ssh

Add WiFi credentials

nano /Volumes/boot/wpa_supplicant.conf
country=XX
ctrl_interface=/var/run/wpa_supplicant GROUP=netdev
update_config=1
network={
    ssid="YOUR_SSID"
    psk="YOUR_PASSWORD"
}

Unmount

diskutil unmountDisk /dev/disk2

Connect & secure Raspberry

# MAC prefix 'b8:27:eb:' is reserved for RBP Foundation
# see more: http://hwaddress.com/?q=B827EB000000
arp -a | grep 'b8:27:eb'
nmap -A '192.168.0-1.*' -p T:22 --open
ssh pi@192.168.1.102

Users

## On RBP
# for pi
passwd
# for root
sudo passwd root
## On RBP
sudo adduser bitcoin
Adding user `bitcoin' ...
Adding new group `bitcoin' (1001) ...
Adding new user `bitcoin' (1001) with group `bitcoin' ...
Creating home directory `/home/bitcoin' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for bitcoin
Enter the new value, or press ENTER for the default
Full Name []: Satoshi Nakamoto
Room Number []: 404
Work Phone []:
Home Phone []:
Other []: Lost since 2011. Definitely not Craig Wright.
Is the information correct? [Y/n] y
## On RBP
exit

Use keys to auth with ssh

## On Mac:
ssh-copy-id -i ~/.ssh/id_ed25519.pub pi@192.168.1.102
## On Mac:
ssh pi@192.168.1.102
## On RBP:
# edit ssh daemon config file
sudo nano /etc/ssh/sshd_config
# Find `#PasswordAuthentication yes` & below it add:
PasswordAuthentication no
## On RBP:
# or make the same edit with a one-liner instead:
sudo sed -i '/#PasswordAuthentication yes/a PasswordAuthentication no' /etc/ssh/sshd_config

Listen to ssh-audit.py

## On Mac:
git clone git@github.com:arthepsy/ssh-audit.git
cd ssh-audit
./ssh-audit.py 192.168.1.102
# make sure these are in the file and NOT commented out:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# make sure these are either gone or commented out:
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# add the below lines
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
## On RBP:
sudo service ssh reload
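
The settings from the two SSH sections above can be checked mechanically. This is an added example, not part of the original guide: a POSIX shell audit that reads an sshd_config and reports every setting that differs from the ones applied here, taking into account that sshd keeps the first value it reads for a keyword. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the guide). sshd keeps the FIRST value it reads per keyword.
KEX='curve25519-sha256@libssh.org'
CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'

# effective KEYWORD FILE: first uncommented value in the global (pre-Match) section
effective() {
    awk -v k="$1" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# subset VALUE ALLOWED: true if VALUE is set and every comma-separated item is in ALLOWED
subset() {
    [ -n "$1" ] || return 1
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in *",$item,"*) ;; *) return 1 ;; esac
    done
}

# audit_sshd FILE: prints one line per finding, returns the number of findings
audit_sshd() {
    findings=0
    for rule in "PasswordAuthentication no" "KexAlgorithms $KEX" "Ciphers $CIPHERS" "MACs $MACS"; do
        key=${rule%% *}; allowed=${rule#* }
        value=$(effective "$key" "$1")
        subset "$value" "$allowed" && continue
        echo "FAIL $key: effective value '${value:-<built-in default>}'"
        findings=$((findings + 1))
    done
    # HostKey may repeat and every active entry is loaded, so flag any DSA/ECDSA one
    for hk in $(awk 'tolower($1) == "hostkey" && $2 ~ /_(dsa|ecdsa)_key$/ { print $2 }' "$1"); do
        echo "FAIL HostKey: $hk is still enabled"; findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed sample: "no" was appended below an active "yes", ECDSA left on, MACs unset
sample=$(mktemp)
cat > "$sample" <<'EOF'
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PasswordAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,3des-cbc
EOF
audit_sshd "$sample" || echo "$? finding(s)"
```

On the Pi, call `audit_sshd /etc/ssh/sshd_config`; `sudo sshd -T` prints the configuration the daemon actually resolves if you want to cross-check.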

Permanent IP

Public IP

Configure the Raspberry

All following commands are run on RBP, unless specified otherwise.

Localization, Time Zone, etc…

sudo raspi-config
# And if it didn't ask you to, run:
sudo reboot

Get all the shiny updates

sudo apt update
sudo apt -y upgrade

External Hard Drive (optional)

sudo lsblk -o NAME,SIZE,LABEL,MODEL
NAME          SIZE LABEL  MODEL
sda         931.5G        BUP Slim SL
├─sda1        200M EFI
├─sda2      931.2G SILVER
└─sda3        128M
sdb          14.3G        Ultra Fit
└─sdb1       14.3G
mmcblk0      59.5G
├─mmcblk0p1  41.8M boot
└─mmcblk0p2  59.4G
sudo blkid
/dev/mmcblk0p1: LABEL="boot" TYPE="vfat"
/dev/mmcblk0p2: TYPE="ext4"
/dev/sda1: LABEL="EFI" TYPE="vfat" PARTLABEL="EFI System Partition"
/dev/sda2: LABEL="SILVER" TYPE="exfat" PARTLABEL="Seagate Backup Plus Drive"
/dev/mmcblk0: PTTYPE="dos"
/dev/sda3: PARTLABEL="Booter"
/dev/sdb1: TYPE="swap"

Format

sudo mkfs.ext4 /dev/sda -L BLOCK-STORAGE
mke2fs 1.43.4 (31-Jan-2017)
Found a gpt partition table in /dev/sda
Proceed anyway? (y,N) y
Creating filesystem with 244190645 4k blocks and 61054976 inodes
Filesystem UUID: XXXXXXXX
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848
Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done
sudo lsblk -o UUID,NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL,MODEL

Auto-mount

sudo mkdir /mnt/hdd
sudo blkid | grep /dev/sda
sudo nano /etc/fstab
UUID=XXXXXXXX /mnt/hdd ext4 defaults 0 0
sudo mount -a
ls -hal /mnt/hdd
total 24K
drwxr-xr-x 3 root root 4.0K Mar 6 15:51 .
drwxr-xr-x 3 root root 4.0K Mar 6 15:57 ..
drwx------ 2 root root 16K Mar 6 15:51 lost+found
sudo chown -R bitcoin:bitcoin /mnt/hdd

Symlink

sudo su - bitcoin
mkdir /mnt/hdd/bitcoin
ln -s /mnt/hdd/bitcoin /home/bitcoin/.bitcoin
exit

SWAP

sudo swapoff --all

SWAP to HDD (optional)

sudo nano /etc/dphys-swapfile
#CONF_SWAPFILE=/var/swap
CONF_SWAPFILE=/mnt/hdd/swap
#CONF_SWAPSIZE=100
CONF_SWAPFACTOR=2

SWAP to USB (optional)

sudo apt-get remove dphys-swapfile
sudo apt-get autoremove
sudo blkid


/dev/sda1: UUID="D1AC-C562" TYPE="vfat" PARTUUID="c3072e18-01"
sudo mkswap /dev/sda
sudo blkid


/dev/sda1: UUID="133a2665-f89b-4dc4-9a05-f2acb232b4e9" TYPE="swap"
sudo nano /etc/fstab
UUID=133a2665-f89b-4dc4-9a05-f2acb232b4e9 none swap sw,pri=5 0 0
sudo swapon -a

Finally, the good stuff

Dependencies

sudo apt install git build-essential libtool autotools-dev automake pkg-config libssl-dev libevent-dev bsdmainutils libboost-system-dev libboost-filesystem-dev libboost-chrono-dev libboost-program-options-dev libboost-test-dev libboost-thread-dev libminiupnpc-dev libzmq3-dev jq

Get Bitcoin client

Latest Bitcoin Core release as of September 2018 is v0.16.3
cd ~
git clone -b v0.16.3 https://github.com/bitcoin/bitcoin.git
cd bitcoin

Wallet

Berkeley DB (optional)

./contrib/install_db4.sh $(pwd)

Bitcoin Client

./autogen.sh
# with wallet (uses the Berkeley DB built above)
export BDB_PREFIX=$(pwd)/db4
./configure BDB_LIBS="-L${BDB_PREFIX}/lib -ldb_cxx-4.8" BDB_CFLAGS="-I${BDB_PREFIX}/include" CXXFLAGS="--param ggc-min-expand=1 --param ggc-min-heapsize=32768" --enable-cxx --without-gui --disable-shared --with-pic --enable-upnp-default
# or, without wallet
./configure CXXFLAGS="--param ggc-min-expand=1 --param ggc-min-heapsize=32768" --enable-cxx --without-gui --disable-shared --with-pic --disable-tests --disable-bench --enable-upnp-default --disable-wallet
# this might take a few hours
make
sudo make install

Configure

sudo su - bitcoin
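# -p: the directory already exists if you created the HDD symlink above
mkdir -p ~/.bitcoin
nano ~/.bitcoin/bitcoin.conf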
# makes client run in background
daemon=1
# is required by Fail2Ban described below
logips=1
# magic RBP optimisations
maxconnections=40
maxuploadtarget=5000
dbcache=100
maxorphantx=10
maxmempool=50
exit

Create bitcoind service

sudo nano /etc/systemd/system/bitcoind.service
[Unit]
Description=Bitcoin daemon
After=network.target
[Service]
ExecStart=/usr/local/bin/bitcoind -conf=/home/bitcoin/.bitcoin/bitcoin.conf -pid=/home/bitcoin/.bitcoin/bitcoind.pid
# Creates /run/bitcoind owned by bitcoin
RuntimeDirectory=bitcoind
User=bitcoin
Type=forking
PIDFile=/home/bitcoin/.bitcoin/bitcoind.pid
Restart=on-failure
# Hardening measures
####################
# Provide a private /tmp and /var/tmp.
PrivateTmp=true
# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full
# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true
# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true
# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true
[Install]
WantedBy=multi-user.target
sudo systemctl enable bitcoind

Security

Uncomplicated Firewall

sudo apt install ufw
sudo ufw limit ssh 
sudo ufw allow from 192.168.1.0/24 to any port 22
sudo ufw allow from 16.32.64.128 to any port 22
# for mainnet …
sudo ufw allow 8333 comment "Bitcoin mainnet"
# … or, for testnet
sudo ufw allow 18333 comment "Bitcoin testnet"
sudo ufw enable
sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
8333                       ALLOW IN    Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)
8333 (v6)                  ALLOW IN    Anywhere (v6)

Fail2Ban

sudo apt install fail2ban
sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd

Run

sudo systemctl start bitcoind

Make sure it works

tail -n 100 -f ~/.bitcoin/debug.log
# or (for testnet)
tail -n 100 -f ~/.bitcoin/testnet3/debug.log
bitcoin-cli -getinfo
# more detailed views
bitcoin-cli getnetworkinfo
bitcoin-cli getwalletinfo
bitcoin-cli getblockchaininfo
bitcoin-cli getpeerinfo

Make sure it’s accessible from outside

curl -sL https://bitnodes.earn.com/api/v1/nodes/me-8333/ | jq
# or for testnet:
curl -sL https://bitnodes.earn.com/api/v1/nodes/me-18333/ | jq
This is what a successful UPnP might look like

Backup your wallet

Now wait, and wait, and wait…

Trusted Node

Other thingies

Logs

tail -f -n 100 ~/.bitcoin/debug.log
# or for testnet
tail -f -n 100 ~/.bitcoin/testnet3/debug.log

Make ssh welcome message pretty

wget -qO- https://gist.githubusercontent.com/meeDamian/0006c766340e0afd16936b13a0c7dbd8/raw/3b7ea819617f645ca4675f7351df70d1622863bd/na%25C3%25AFve-rbp-btc.sh | sudo sh
sudo chmod +x /etc/update-motd.d/20-raspberry-bitcoin
RBP greeting
sudo run-parts --lsbsysinit /etc/update-motd.d

Update Bitcoin Node

sudo systemctl stop bitcoind
cd bitcoin
git fetch --tags
git checkout v0.17.0
./autogen.sh
# with wallet
export BDB_PREFIX=$(pwd)/db4
./configure BDB_LIBS="-L${BDB_PREFIX}/lib -ldb_cxx-4.8" BDB_CFLAGS="-I${BDB_PREFIX}/include" CXXFLAGS="--param ggc-min-expand=1 --param ggc-min-heapsize=32768" --enable-cxx --without-gui --disable-shared --with-pic --enable-upnp-default
# without wallet
./configure CXXFLAGS="--param ggc-min-expand=1 --param ggc-min-heapsize=32768" --enable-cxx --without-gui --disable-shared --with-pic --disable-tests --disable-bench --enable-upnp-default --disable-wallet
# for both
make
sudo make install
# start Bitcoin
sudo systemctl start bitcoind

Mistakes? Improvements? Tips?

Edits

Other Guides…


Bitcoin. Lightning. Golang. Applied cryptography, not Blockchain. https://keybase.io/meedamian . PGP: D8CA 1776 EB92 6549 1D07 CE67 F546 ECBE A809 CB18
