bitcoin / bitcoin

Bitcoin Core integration/staging tree
https://bitcoincore.org/en/download
MIT License

rpcallowip does not allow wildcards #4894

Closed nickodell closed 10 years ago

nickodell commented 10 years ago

Current commit: def2fdb4b9b52fa908c11fe2f5a42ea04f8e9f11
OS: Debian Wheezy

This is my bitcoin.conf:

rpcuser=bitcoinrpc
rpcpassword=censored
rpcallowip=*

This is what happens when I run bitcoind:

2014-09-10 23:45:44 Bitcoin version v0.9.99.0-def2fdb (2014-09-10 16:53:54 +0200)
2014-09-10 23:45:44 Using OpenSSL version OpenSSL 1.0.1e 11 Feb 2013
2014-09-10 23:45:44 Using BerkeleyDB version Berkeley DB 4.8.24: (August 14, 2009)
2014-09-10 23:45:44 Default data directory /root/.bitcoin
2014-09-10 23:45:44 Using data directory /root/.bitcoin
2014-09-10 23:45:44 Using config file /root/.bitcoin/bitcoin.conf
2014-09-10 23:45:44 Using at most 125 connections (1024 file descriptors available)
2014-09-10 23:45:44 Using 2 threads for script verification
2014-09-10 23:45:44 Using wallet wallet.dat
2014-09-10 23:45:44 init message: Verifying wallet...
2014-09-10 23:45:44 CDBEnv::Open : LogDir=/root/.bitcoin/database ErrorFile=/root/.bitcoin/db.log
2014-09-10 23:45:44 Bound to [::]:8333
2014-09-10 23:45:44 Bound to 0.0.0.0:8333
2014-09-10 23:45:44 init message: Loading block index...
2014-09-10 23:45:44 Opening LevelDB in /root/.bitcoin/blocks/index
2014-09-10 23:45:44 Opened LevelDB successfully
2014-09-10 23:45:44 Opening LevelDB in /root/.bitcoin/chainstate
2014-09-10 23:45:44 Opened LevelDB successfully
2014-09-10 23:45:51 LoadBlockIndexDB(): last block file = 173
2014-09-10 23:45:51 LoadBlockIndexDB(): last block file info: CBlockFileInfo(blocks=390, size=129792383, heights=319674...320063, time=2014-09-08...2014-09-10)
2014-09-10 23:45:51 Checking all blk files are present...
2014-09-10 23:45:51 LoadBlockIndexDB(): transaction index disabled
2014-09-10 23:45:51 LoadBlockIndexDB(): hashBestChain=000000000000000005dc95167104bb80e9158fccb8e5c577a8ebda0bdb7aec60 height=320063 date=2014-09-10 23:12:42 progress=0.999920
2014-09-10 23:45:51 init message: Verifying blocks...
2014-09-10 23:45:51 Verifying last 288 blocks at level 3
2014-09-10 23:46:25 No coin database inconsistencies in last 153 blocks (70029 transactions)
2014-09-10 23:46:26  block index           41998ms
2014-09-10 23:46:26 init message: Loading wallet...
2014-09-10 23:46:26 nFileVersion = 99900
2014-09-10 23:46:26 Keys: 101 plaintext, 0 encrypted, 101 w/ metadata, 101 total
2014-09-10 23:46:26  wallet                  174ms
2014-09-10 23:46:26 init message: Loading addresses...
2014-09-10 23:46:26 Loaded 13565 addresses from peers.dat  92ms
2014-09-10 23:46:26 mapBlockIndex.size() = 320064
2014-09-10 23:46:26 nBestHeight = 320063
2014-09-10 23:46:26 setKeyPool.size() = 100
2014-09-10 23:46:26 mapWallet.size() = 0
2014-09-10 23:46:26 mapAddressBook.size() = 1
2014-09-10 23:46:26 msghand thread start
2014-09-10 23:46:26 opencon thread start
2014-09-10 23:46:26 net thread start
2014-09-10 23:46:26 dnsseed thread start
2014-09-10 23:46:26 dumpaddr thread start
2014-09-10 23:46:26 Error: Invalid -rpcallowip subnet specification: *. Valid are a single IP (e.g. 1.2.3.4), a network/netmask (e.g. 1.2.3.4/255.255.255.0) or a network/CIDR (e.g. 1.2.3.4/24).
2014-09-10 23:46:26 init message: Done loading
2014-09-10 23:46:26 ext-ip thread start
2014-09-10 23:46:26 addcon thread start
2014-09-10 23:46:26 Shutdown: In progress...
2014-09-10 23:46:26 addcon thread interrupt
2014-09-10 23:46:26 opencon thread interrupt
2014-09-10 23:46:26 dumpaddr thread stop
2014-09-10 23:46:26 dnsseed thread interrupt
2014-09-10 23:46:26 msghand thread interrupt
2014-09-10 23:46:26 StopNode()
2014-09-10 23:46:26 net thread interrupt
2014-09-10 23:46:26 Shutdown: done

laanwj commented 10 years ago

Wildcards are indeed no longer supported. You need to use subnets now. See the error:

Error: Invalid -rpcallowip subnet specification: *. Valid are a single IP (e.g. 1.2.3.4), a network/netmask (e.g. 1.2.3.4/255.255.255.0) or a network/CIDR (e.g. 1.2.3.4/24).

laanwj commented 10 years ago

So in your case to allow everything that would be 0.0.0.0/0 (just ipv4) or ::/0 (ipv4 and ipv6).

luke-jr commented 10 years ago

(note allowing everything to connect to your RPC is begging to get robbed)

laanwj commented 10 years ago

@luke-jr Only if the wallet is enabled. But besides that, in general RPC is not hardened to the internet, there are various DoS attacks possible for someone in the rpcallow list, even those that don't know the password.

TechNickAI commented 9 years ago

@laanwj thanks for the tip with 0.0.0.0/0, as a replacement for * which is fine for the testnet server we are running. @changetip 1 lunch

changetip commented 9 years ago

Hi @laanwj, @gorillamania sent you a Bitcoin tip worth 1 lunch (32,906 bits/$8.00), and I'm here to deliver it ➔ collect your tip.

laanwj commented 9 years ago

@gorillamania Thanks for the tip. This was in the table in the release notes as well, see https://github.com/bitcoin/bitcoin/blob/0.10/doc/release-notes.md#rpc-access-control-changes
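
An added example, not part of the thread and not Bitcoin Core's code: a small audit of the rpcallowip entries in a bitcoin.conf that flags the rejected wildcard and the allow-everything subnets discussed above. It uses Python's ipaddress module as a stand-in for Bitcoin Core's own subnet parser; the sample config and the names classify and audit are constructed for illustration.

```python
import ipaddress

# Constructed sample config for this example; only the first three lines
# mirror the bitcoin.conf quoted in the issue.
SAMPLE_CONF = """\
rpcuser=bitcoinrpc
rpcpassword=censored
rpcallowip=*
rpcallowip=127.0.0.1
rpcallowip=192.168.1.0/255.255.255.0
rpcallowip=10.0.0.0/8
rpcallowip=0.0.0.0/0
rpcallowip=::/0
"""

def classify(spec):
    """Return (status, detail) for one rpcallowip value.

    Accepts the three forms named in the error message: a single IP,
    network/netmask, or network/CIDR. Parsing is done by Python's
    ipaddress module (an assumption: it approximates, but is not,
    Bitcoin Core's parser).
    """
    try:
        net = ipaddress.ip_network(spec.strip(), strict=False)
    except ValueError:
        return ("invalid", "not a single IP, network/netmask or network/CIDR")
    if net.prefixlen == 0:
        # 0.0.0.0/0 or ::/0: every address of that family is allowed.
        return ("open", f"matches every IPv{net.version} address")
    if not (net.is_private or net.is_loopback or net.is_link_local):
        return ("public", f"{net} is publicly routable")
    return ("ok", str(net))

def audit(conf_text):
    """Return (line number, value, status, detail) per rpcallowip line."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        # Simplification: treat everything after '#' as a comment.
        line = line.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() == "rpcallowip":
            findings.append((lineno, value.strip(), *classify(value)))
    return findings

if __name__ == "__main__":
    for lineno, value, status, detail in audit(SAMPLE_CONF):
        print(f"line {lineno}: rpcallowip={value}: {status} ({detail})")
```

Entries reported as "open" or "public" are the ones to review against the comments above about exposing RPC to the internet.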