Securing your Ethereum node RPC from hackers
Securing a computer system has traditionally been a battle of wits: the penetrator tries to find the holes, and the designer tries to close them. — Gosser
Recently a friend's Ethereum node got "hacked": the Ether stored in his Geth wallet was transferred away through a command sent to an exposed RPC port. The transfer can be seen below.
The image below shows recent transfers to the hacker's account.
Unlike most Bitcoin clients, by default most Ethereum clients do not password-protect their RPC interface.
Nonetheless there are various ways of securing Ethereum nodes RPC.
Some of these approaches include:
- Choosing a strong password for accounts
- Using Nginx as Reverse Proxy and HTTP Basic Auth
- Setting up a firewall using UFW
Installing an Ethereum Client
Ethereum has two major clients, Parity and Geth. Installing either works fine for interacting with the Ethereum network.
You can install either by following one of these articles:
Configuring your node
Never Ever Do This!!!
When enabling RPC access on Geth nodes, never allow external access to the RPC while accounts are unlocked, e.g.
$ geth --rpc --rpcaddr 0.0.0.0 --rpcport 8545 --rpcapi "db,eth,net,web3,personal" --ipcapi "admin,eth,debug,personal,web3" --unlock <addrs>
You are basically allowing external access to your Ethereum account, and an attacker can easily transfer out the Ether stored in your wallet when/if you unlock your account: binding the RPC to 0.0.0.0 makes it reachable from any network interface, and the personal API plus --unlock lets whoever reaches it send transactions from that account.
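The following is an added example, not code from the original post. It is a small linter for a geth command line that flags the combination warned about above (RPC bound to a non-loopback address together with --unlock or the personal API). It understands the flag names the post uses (--rpc, --rpcaddr, --rpcapi, --unlock) and the names newer geth releases use for the same settings (--http, --http.addr, --http.api); the severity labels and the 0xADDRESS placeholder are this example's own.

```python
"""Check a geth command line for the exposed-RPC mistake described above.

Added example, not part of the original post. Flag names covered: the ones the
post uses (--rpc, --rpcaddr, --rpcapi, --unlock) and the newer geth equivalents
(--http, --http.addr, --http.api).
"""
import shlex

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
ENABLE_FLAGS = {"--rpc", "--http"}
ADDR_FLAGS = {"--rpcaddr", "--http.addr"}
API_FLAGS = {"--rpcapi", "--http.api"}


def parse_flags(argv):
    """Map each --flag to its value, or True for bare switches.

    geth accepts both '--rpcaddr 0.0.0.0' and '--rpcaddr=0.0.0.0'."""
    flags = {}
    args = argv[1:] if argv and argv[0].endswith("geth") else list(argv)
    i = 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("-"):
            if "=" in tok:
                key, value = tok.split("=", 1)
                flags[key] = value
            elif i + 1 < len(args) and not args[i + 1].startswith("-"):
                flags[tok] = args[i + 1]
                i += 1
            else:
                flags[tok] = True
        i += 1
    return flags


def audit_geth_args(argv):
    """Return a list of findings, most severe first; empty means nothing flagged."""
    flags = parse_flags(argv)
    if not any(f in flags for f in ENABLE_FLAGS | ADDR_FLAGS | API_FLAGS):
        return []  # HTTP-RPC not enabled at all
    # geth binds to localhost when no address flag is given
    addr = next((flags[f] for f in ADDR_FLAGS if f in flags), "localhost")
    apis = set()
    for f in API_FLAGS:
        if isinstance(flags.get(f), str):
            apis |= {a.strip() for a in flags[f].split(",")}
    unlocked = "--unlock" in flags
    exposed = addr not in LOOPBACK

    findings = []
    if exposed and unlocked:
        findings.append(
            f"CRITICAL: RPC bound to {addr} while --unlock is set; anyone who can "
            "reach the port can send transactions from the unlocked account")
    if exposed and "personal" in apis:
        findings.append(
            f"HIGH: 'personal' API exposed on {addr}; it allows unlocking and "
            "signing over RPC")
    if exposed:
        findings.append(
            f"MEDIUM: RPC bound to {addr}; bind to 127.0.0.1 and front it with "
            "nginx basic auth, or restrict port 8545 with the firewall")
    if unlocked and not exposed:
        findings.append(
            "LOW: account unlocked on a loopback-only RPC; every local process "
            "can spend from it")
    return findings


def audit_geth_cmdline(cmdline):
    """Convenience wrapper: audit a command line given as one string."""
    return audit_geth_args(shlex.split(cmdline))


if __name__ == "__main__":
    # The command the post warns about (0xADDRESS is a constructed placeholder).
    bad = ('geth --rpc --rpcaddr 0.0.0.0 --rpcport 8545 '
           '--rpcapi "db,eth,net,web3,personal" --unlock 0xADDRESS')
    for finding in audit_geth_cmdline(bad):
        print(finding)
```

Run it against the exact command line of the node (from ps, the systemd unit or the start script); an empty result means the RPC is either disabled or loopback-only with no unlocked account.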
Examples of people getting hacked due to this error
Securing your Ethereum Nodes
1. Choosing a Strong Random Password For Accounts
Choose a strong, random password when creating accounts on either Parity or Geth. You can generate a password from the following sites:
- https://passwordsgenerator.net/
- https://lastpass.com/generatepassword.php
- https://www.random.org/passwords/
2. Using Nginx HTTP Basic Auth
Installing Nginx
You would need Nginx installed and configured on your server, which you can do by following this Nginx article.
Setting HTTP Auth basic credentials
In this step, you'll create a password for the user running the node.
That password and the associated username will be stored in a file that you specify. The password is stored as a hash, and the name of the file can be anything you like.
$ sudo htpasswd -c /etc/nginx/.htpasswd nginx
You can check the contents of the newly-created file to see the username and hashed password.
$ cat /etc/nginx/.htpasswd
Updating the Nginx Configuration
Now that we have created the HTTP basic auth credential, the next step is to update the Nginx configuration to use it.
$ sudo nano /etc/nginx/sites-available/default
Update the file to contain these contents:
server {
    listen 80;
    listen [::]:80;

    # ADDED THESE TWO LINES FOR AUTHENTICATION
    auth_basic "Protected Ethereum client";
    auth_basic_user_file /etc/nginx/.htpasswd;   # the file created with htpasswd above

    server_name example.com;

    location / {
        # geth itself must listen on 127.0.0.1 only; if it is bound to 0.0.0.0,
        # port 8545 can be reached directly and this authentication is bypassed
        proxy_pass http://localhost:8545/;
        proxy_set_header Host $host;
    }
}
Testing
To apply the changes, first reload Nginx.
$ sudo service nginx reload
You can now access the RPC URL at
http://<USERNAME>:<PASSWORD>@mydomain.com
Improvement
You can also install a free SSL certificate from Let's Encrypt; the tutorial is linked here.
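The following is an added example, not code from the post or from nginx. It shows, for the htpasswd step above and for the SSL improvement just mentioned, what the credential file holds and what a client actually sends: it creates and verifies an htpasswd line in the {SSHA} (salted SHA-1) format, which nginx's auth_basic_user_file accepts alongside the apr1 MD5 format that plain `htpasswd -c` writes (`htpasswd -B`, bcrypt, is the stronger choice where available), and it encodes and decodes the Authorization header the browser derives from http://USER:PASS@host/. The usernames and passwords in it are constructed.

```python
"""nginx basic-auth credentials: create and verify an htpasswd entry, and
decode what the browser actually puts on the wire.

Added example, not code from the post. {SSHA} is one of the entry formats
nginx's auth_basic_user_file accepts; the salt length (8 bytes) is this
example's choice.
"""
import base64
import hashlib
import hmac
import secrets


def make_htpasswd_line(username, password, salt=None):
    """Return 'user:{SSHA}base64(sha1(password + salt) + salt)'."""
    if ":" in username:
        raise ValueError("htpasswd usernames may not contain ':'")
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return f"{username}:{{SSHA}}{base64.b64encode(digest + salt).decode('ascii')}"


def verify_htpasswd_line(line, username, password):
    """Check a password against one line of the file, the way nginx does."""
    user, sep, stored = line.strip().partition(":")
    if not sep or user != username or not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def basic_auth_header(username, password):
    """The header a client sends for http://USER:PASS@host/ (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def decode_basic_auth_header(header):
    """Recover (username, password) from the header. Base64 is encoding, not
    encryption: on plain port 80 anyone on the path reads the password, which
    is why the Let's Encrypt improvement matters."""
    scheme, _, token = header.partition(": ")[2].partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed credentials; a real password comes from the generators above.
    line = make_htpasswd_line("nginx", "correct horse battery staple")
    print(line)                       # what one line of /etc/nginx/.htpasswd holds
    print(verify_htpasswd_line(line, "nginx", "correct horse battery staple"))
    hdr = basic_auth_header("nginx", "correct horse battery staple")
    print(hdr)                        # what travels over port 80 on every request
    print(decode_basic_auth_header(hdr))
```

Writing the generated line into /etc/nginx/.htpasswd is equivalent to the htpasswd step; the decode function is the reason to put the proxy behind TLS before exposing it on a public address.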
3. Setting up a Firewall using UFW
UFW, or Uncomplicated Firewall, is an interface to iptables that is geared towards simplifying the process of configuring a firewall.
Install UFW
$ sudo apt-get install ufw
Set Up Default Policies
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
Allow Ethereum network port
We also open the Ethereum network port so that our node can communicate and sync with the public blockchain network.
The Ethereum network port is 30303:
$ sudo ufw allow 30303
Enable RPC port
We will only allow connections to our Ethereum client from our trusted nodes. The default RPC port for Ethereum is 8545.
$ sudo ufw allow from <IP addr> to any port 8545
For example, if my external server IP address is 192.148.16.1:
$ sudo ufw allow from 192.148.16.1 to any port 8545
If you are using a different RPC port from 8545, specify that port instead.
Enable UFW
To enable UFW:
$ sudo ufw enable
Allow Other Connections
You can also open other ports as necessary, e.g.
HTTP — port 80
HTTP connections, which unencrypted web servers use, can be allowed with this command:
$ sudo ufw allow http
Your firewall should now be configured to allow connections to Ethereum RPC and network port. Be sure to allow any other incoming connections that your server would need, while limiting any unnecessary connections, so your server will be functional and secure.
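As an added example (not part of the original post) of the check a node operator would run after the firewall and proxy steps above, the script below parses the output of `sudo ufw status` and `ss -ltn` and reports whether port 8545 is still reachable from outside: a ufw rule allowing it from Anywhere, an inactive firewall, or geth bound to a non-loopback address. The two sample outputs are constructed in the format those commands print and use the post's 192.148.16.1 example address; on a real server pass in the live command output instead.

```python
"""Post-setup exposure check for the RPC port.

Added example, not from the post. Parses `sudo ufw status` and `ss -ltn`
output; the samples below are constructed in the same format.
"""
import re

RPC_PORT = 8545
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `sudo ufw status` after the steps in the post.
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
30303                      ALLOW       Anywhere
8545                       ALLOW       192.148.16.1
80/tcp                     ALLOW       Anywhere
30303 (v6)                 ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
"""

# Constructed sample of `ss -ltn`: geth on loopback only, nginx on port 80.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:30303       0.0.0.0:*
LISTEN 0      4096   127.0.0.1:8545      0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
"""

# One rule line: "<port spec>  ALLOW[ IN]  <source>", with optional "(v6)".
RULE_RE = re.compile(
    r"^(\S+(?: \(v6\))?)\s+(ALLOW|DENY|REJECT|LIMIT)(?: (?:IN|OUT))?\s+(.+?)\s*$")


def parse_ufw_status(text):
    """Return (active, [(port_spec, action, source), ...])."""
    active = "Status: active" in text
    rules = [m.groups() for m in map(RULE_RE.match, text.splitlines()) if m]
    return active, rules


def parse_listeners(text):
    """Return {port: {bind address, ...}} from `ss -ltn` output."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # handles "[::]:8545" too
        listeners.setdefault(int(port), set()).add(addr.strip("[]"))
    return listeners


def port_of(spec):
    """'8545', '8545/tcp', '8545 (v6)' -> '8545'."""
    return re.split(r"[/ ]", spec, maxsplit=1)[0]


def audit_rpc_exposure(ufw_text, ss_text, rpc_port=RPC_PORT):
    """Return a list of exposure findings; empty means the port is not public."""
    findings = []
    active, rules = parse_ufw_status(ufw_text)
    if not active:
        findings.append("ufw is inactive: the default-deny policy is not in effect")
    for spec, action, source in rules:
        if port_of(spec) == str(rpc_port) and action == "ALLOW" and source.startswith("Anywhere"):
            findings.append(f"ufw allows port {rpc_port} from {source}")
    public = parse_listeners(ss_text).get(rpc_port, set()) - LOOPBACK
    if public:
        findings.append(
            f"port {rpc_port} is bound to {sorted(public)}; with nginx in front it "
            "should be 127.0.0.1 only, or the proxy's auth can be bypassed")
    return findings


if __name__ == "__main__":
    # On a live server feed in the real output of the two commands instead.
    print(audit_rpc_exposure(SAMPLE_UFW_STATUS, SAMPLE_SS) or "no exposure found")
```

The socket check matters even with the firewall in place: a loopback-only bind protects the RPC if a ufw rule is later loosened, and a firewall rule protects it if geth is later restarted with the wrong --rpcaddr, so both should hold.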
Conclusion:
Security is a major discussion in the blockchain ecosystem. There are hackers everywhere looking to steal away your coins.
Stay safe out there.
Further Reading:
https://www.linode.com/docs/web-servers/nginx/use-nginx-reverse-proxy/