Open Gingeropolous opened 6 years ago
So right now the only way to truly protect an RPC port that I could get info from is to use a port that hopefully won't be scanned.
I don't get it. You set a user/password but want to not use it to login ? Why can't you just use that password ?
I want to offer the remote node on 18089 to anyone, but I also want to be able to access it myself on 18081 with my user and login.
But with that above config file, I would need the user and login on 18089.
Ah, makes sense. You want to access it from the outside (because if not, don't let the firewall allow that port) ?
aaaah well yes, the firewall option would be logical...
but indeed, if I wanted to access it from the outside, then the current system wouldn't allow that... although I guess I could do some tunneling or something.....
So you want to listen on 2 ports, one which is restricted, and the other which is not? And the login would apply to both?
@vtnerd
I want to listen on 2 ports, one which is restricted, and the other is not. The login is only applied to the one that is not restricted.
OK, so I thought of a solution that hopefully won't wreck things too much:
--rpc-restricted-bind-port 18009,user:pass --rpc-bind-port 500
Basically, after a port in [0,65535] an optional "," is allowed for specifying user:pass. The least intrusive method I've come up with.
Oh and this syntax would "override" the global settings.
so, this would also be possible
--rpc-restricted-bind-port 18009 --rpc-bind-port 500,user:pass
because having a user pass on the restricted port is.... not necessary
@moneromooo-monero Has there been any progress with this? I'm running into the same issue.
My usage:
Running monerod with
./monerod --rpc-bind-ip=192.168.1.101 --rpc-bind-port=18082 --rpc-restricted-bind-port=18081 --confirm-external-bind --rpc-login=user:pass
But monerod seems to require those rpc login credentials on both ports. Am I not using this correctly?
Not as far as I know.
@shermand100, I'm surprised this runs. Isn't 18082 reserved for 0MQ?
@Gingeropolous , Just ran it again to be sure but on a Raspberry Pi 3 running the latest Raspbian Buster:
./monerod --rpc-bind-ip=192.168.1.105 --rpc-restricted-bind-port=18081 --rpc-bind-port=18082 --rpc-login=user:pass --confirm-external-bind --rpc-ssl disabled
Successfully runs the monero daemon.
However I'm having the same issue of both --rpc-restricted-bind-port=18081 and --rpc-bind-port=18082 requiring rpc-login=user:pass to access info about the running node.
If it helps understand why I'm trying to do this, it's for the --rpc-restricted-bind-port to be public and use the new --rpc-payment-### options, whilst having an un-restricted internal port to feed node info to a user interface which restricted won't provide: print_cn, start/stop the node etc.
Edit:
With the janky use of some if statements in my scripts I think I can work around this issue.
Edit 2:
Nope. Then I figured that by using --rpc-bind-port=18084 and --rpc-restricted-bind-port=18081 and NOT specifying any login credentials I could keep the un-restricted port behind my firewall. This works on a node without --rpc-payment-### options. However, when I start with payment options enabled I get the error:
E RPC payment enabled, but server is not restricted, anyone can adjust their balance to bypass payment
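Several people in this thread expected the restricted port to answer without credentials and the unrestricted one to demand them, and only found out otherwise by trial and error. The script below is an added example (not code from the monero project or from anyone in this thread) that checks the effective state of each port after a restart: it requests /get_info on each port with and without the configured login and reports which ports answer openly, which challenge with HTTP digest auth, and which are unreachable, then flags an unrestricted port that answers without credentials. Host, port numbers and the login string are assumptions taken from the commands posted above; the "restricted" field in the get_info reply is read only if the daemon happens to include it.

```python
import json
import socket
import urllib.error
import urllib.request

# Assumed values, matching the commands posted in this thread (not defaults
# of monerod itself).
HOST = "127.0.0.1"
PORTS = {"restricted": 18081, "unrestricted": 18084}
LOGIN = "user:pass"


def classify(status, www_authenticate=None):
    """Translate an HTTP status from /get_info into what it says about the port."""
    if status == 200:
        return "open"
    if status == 401:
        # monerod's --rpc-login uses HTTP digest authentication.
        if (www_authenticate or "").lower().startswith("digest"):
            return "digest-auth"
        return "auth-required"
    return "unexpected-%d" % status


def probe(host, port, login=None, timeout=3.0):
    """GET /get_info on one port, optionally with digest credentials.

    Returns (classification, restricted_flag); restricted_flag is taken from
    the reply only if the daemon includes a "restricted" field (assumption).
    """
    url = "http://%s:%d/get_info" % (host, port)
    opener = urllib.request.build_opener()
    if login:
        user, _, password = login.partition(":")
        mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        mgr.add_password(None, url, user, password)
        opener.add_handler(urllib.request.HTTPDigestAuthHandler(mgr))
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8"))
            return classify(resp.status), body.get("restricted")
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("WWW-Authenticate")), None
    except (OSError, socket.timeout):
        return "unreachable", None


def findings(results):
    """Turn {role: (without_login, with_login)} into human-readable warnings.

    The states a node operator in this thread would care about:
      * unrestricted port answering without a login -> must be firewalled
      * restricted (public) port demanding the login -> the behaviour this
        issue is about; the public node is unusable without credentials
    """
    out = []
    anon, authed = results.get("unrestricted", ("unreachable", "unreachable"))
    if anon == "open":
        out.append("unrestricted port answers without credentials; "
                   "keep it firewalled to trusted hosts only")
    elif anon == "digest-auth" and authed == "open":
        out.append("unrestricted port correctly requires the rpc-login")
    anon, authed = results.get("restricted", ("unreachable", "unreachable"))
    if anon == "digest-auth":
        out.append("restricted port requires the rpc-login too; "
                   "public clients cannot use it without credentials")
    elif anon == "open":
        out.append("restricted port is open to anonymous clients as intended")
    return out


def audit(host=HOST, ports=PORTS, login=LOGIN):
    """Probe every configured port anonymously and with the login."""
    results = {}
    for role, port in ports.items():
        results[role] = (probe(host, port)[0], probe(host, port, login)[0])
    return results


if __name__ == "__main__":
    res = audit()
    for role, (anon, authed) in res.items():
        print("%-12s no login: %-12s with login: %s" % (role, anon, authed))
    for line in findings(res):
        print("-", line)
```

Run it on the node host after changing the rpc flags; the first column tells you whether the port challenged for credentials, the second whether the login you configured is accepted. "unreachable" on the unrestricted port from a machine outside your LAN is the result you want.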
With reference to #6260, yes that could help.
To work I assume I would use --rpc-bind-ip=0.0.0.0 to have both loopback and external connections, then --rpc-restricted-bind-port=18081 and --rpc-bind-port=18084 with --rpc-payment-allow-free-loopback added. This would only help if it prevents the "E RPC payment enabled, but server is not restricted, anyone can adjust their balance to bypass payment" error.
Specifying both --rpc-bind-port and --rpc-restricted-bind-port alongside RPC payment and --rpc-payment-allow-free-loopback starts the daemon, no such error.
Thanks, that's great that it gives me a work around for the project I'm working on. I think the title of this issue has been side stepped here but a working solution is still a working solution!
Would love to see this implemented
How about automatically disabling the RPC login for the restricted bind port when public-node=1 is in use?
I would also like to see this. Using a user:pass on the restricted and public RPC node doesn't make sense. I want the user:pass only for myself on non-restricted port.
Same for me, this is madness: set user:pass on the full RPC, leave the restricted RPC open for the public to consume, as that's (I assume) its most used purpose.
OK, so I thought of a solution that hopefully won't wreck things too much:
--rpc-restricted-bind-port 18009,user:pass --rpc-bind-port 500
Basically, after a port in [0,65535] an optional "," is allowed for specifying user:pass. The least intrusive method I've come up with.
Throws an exception now; it seems it is no longer allowed to do this, at least not from the config file as rpc-restricted-bind-port=18009,user:pass. monerod throws an exception on startup when doing this.
Curious: if we disable user:pass and expose the public RPC but firewall the private (full) RPC to the local network, and I assume a worst case scenario where my network is pwned and they start smashing my full RPC with no auth, what am I looking at as possible damage from that? There is no wallet functionality or any keys around my monerod; I am just connecting to it from wallets on other devices.
Here's the list of RPC commands. It seems the worst that can happen is the attacker uses your node's CPU to mine for their wallet.
Looks like they can also faff with things like max in/out peers etc., but yah, that's all stuff I can tolerate if it happens, cool.
I have the following config file
and when I try to connect
So even though I have 18089 on the restricted port (but open), it's still wanting me to provide login information.
I expected it to function where the 18089 port is just passed through the user/pass stuff, and anything that is not restricted would require the login.