monero-project / monero

Monero: the secure, private, untraceable cryptocurrency
https://getmonero.org

restricted-rpc-bind-port and rpc-bind-port with user not compatible #3083

Open Gingeropolous opened 6 years ago

Gingeropolous commented 6 years ago

I have the following config file

main12@main12-kvm:~$ cat /etc/monerod.conf 
confirm-external-bind=1
rpc-bind-ip=0.0.0.0
rpc-bind-port=18081
rpc-restricted-bind-port=18089
log-level=1
limit-rate=50000
start-mining=mining_address
fluffy-blocks=1
rpc-login=user:pass

and when I try to connect


main12@main12-kvm:~$ monerod --rpc-bind-port 18089 print_height
2018-01-08 04:48:32.009     7ff608710740    ERROR   net.http    contrib/epee/include/net/http_client.h:421  Client has incorrect username/password for server requiring authentication
Error: Couldn't connect to daemon: 127.0.0.1:18089

So even though I have 18089 on the restricted port (but open), it's still wanting me to provide login information.

I expected it to function where the 18089 port just bypasses the user / pass stuff, and anything that is not restricted would require the login.

Gingeropolous commented 6 years ago

So right now the only way to truly protect an RPC port that I could get info from is to use a port that hopefully won't be scanned.

moneromooo-monero commented 6 years ago

I don't get it. You set a user/password but want to not use it to login ? Why can't you just use that password ?

Gingeropolous commented 6 years ago

I want to offer the remote node on 18089 to anyone, but I also want to be able to access it myself on 18081 with my user and login.

But with that above config file, I would need the user and login on 18089.

moneromooo-monero commented 6 years ago

Ah, makes sense. You want to access it from the outside (because if not, don't let the firewall allow that port) ?

Gingeropolous commented 6 years ago

aaaah well yes, the firewall option would be logical...

but indeed, if I wanted to access it from the outside, then the current system wouldn't allow that... although I guess I could do some tunneling or something.....

vtnerd commented 6 years ago

So you want to listen on 2 ports, one which is restricted, and the other which is not? And the login would apply to both?

Gingeropolous commented 6 years ago

@vtnerd

I want to listen on 2 ports, one which is restricted, and the other is not. The login is only applied to the one that is not restricted.

vtnerd commented 6 years ago

OK, so I thought of a solution that hopefully won't wreck things too much:

--rpc-restricted-bind-port 18009,user:pass --rpc-bind-port 500

Basically, after a port in [0,655235] an optional "," is allowed for specifying user:pass. The least intrusive method I've come up with.

vtnerd commented 6 years ago

Oh and this syntax would "override" the global settings.

Gingeropolous commented 6 years ago

so, this would also be possible

--rpc-restricted-bind-port 18009 --rpc-bind-port 500,user:pass

because having a user pass on the restricted port is.... not necessary

shermand100 commented 4 years ago

@moneromooo-monero Has there been any progress with this? I'm running into the same issue.

My usage:

Running monerod with

./monerod --rpc-bind-ip=192.168.1.101 --rpc-bind-port=18082 --rpc-restricted-bind-port=18081 --confirm-external-bind --rpc-login=user:pass

But monerod seems to require those rpc login credentials on both ports. Am I not using this correctly?

moneromooo-monero commented 4 years ago

Not as far as I know.

Gingeropolous commented 4 years ago

@shermand100, I'm surprised this runs. Isn't 18082 reserved for 0MQ?

shermand100 commented 4 years ago

@Gingeropolous, just ran it again to be sure, but on a Raspberry Pi 3 running the latest Raspbian Buster:

./monerod --rpc-bind-ip=192.168.1.105 --rpc-restricted-bind-port=18081 --rpc-bind-port=18082 --rpc-login=user:pass --confirm-external-bind --rpc-ssl disabled

Successfully runs the monero daemon. However, I'm having the same issue of both the --rpc-restricted-bind-port=18081 and --rpc-bind-port=18082 requiring rpc-login=user:pass to access info about the running node.

If it helps understand why I'm trying to do this, it's for the --rpc-restricted-bind-port to be public and use the new --rpc-payment-### options, whilst having an un-restricted internal port to feed node info to a user interface which restricted won't provide: print_cn, start/stop the node etc.

Edit: With the janky use of some if statements in my scripts I think I can work around this issue.

Edit 2: Nope. Then I figured that by using a --rpc-bind-port=18084 and --rpc-restricted-bind-port=18081 and NOT specifying any login credentials I could keep the un-restricted port behind my firewall. This works on a node without --rpc-payment-### options. However when I start with payment options enabled I get the error:

E RPC payment enabled, but server is not restricted, anyone can adjust their balance to bypass payment

moneromooo-monero commented 4 years ago

Does https://github.com/monero-project/monero/pull/6260 help ?

shermand100 commented 4 years ago

With reference to #6260, yes that could help.

To work I assume I would use --rpc-bind-ip=0.0.0.0 to have both loopback and external connections.

Then --rpc-restricted-bind-port=18081 and --rpc-bind-port=18084 with added --rpc-payment-allow-free-loopback

This would only help if it prevents the "E RPC payment enabled, but server is not restricted, anyone can adjust their balance to bypass payment" error.

moneromooo-monero commented 4 years ago

Specifying both --rpc-bind-port and --restricted-rpc-bind-port alongside RPC payment and --rpc-payment-allow-free-loopback starts the daemon, no such error.

shermand100 commented 4 years ago

Thanks, that's great that it gives me a workaround for the project I'm working on. I think the title of this issue has been sidestepped here, but a working solution is still a working solution!
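The thread above boils down to a few config combinations that behave in surprising ways: rpc-login applies to both the restricted and the unrestricted port, the "port,user:pass" per-port syntax is not accepted by the daemon, and RPC payment with an unrestricted port refuses to start unless --rpc-payment-allow-free-loopback is added. The following lint is an added example (not code from the Monero project) that parses a monerod.conf and flags exactly those combinations before the daemon is started. Assumptions, labelled in the code: a bind IP that does not start with 127. is treated as external, "payment enabled" means any rpc-payment-* key other than rpc-payment-allow-free-loopback, and the sample configs are constructed from the ones posted in this issue.

```python
"""Lint a monerod.conf for the RPC exposure pitfalls discussed in monero issue #3083.

Added example, not part of the Monero project. It only reads the config text;
it never talks to the daemon.
"""
from typing import Dict, List, Tuple

# Constructed sample: the config file from the first comment in the thread.
SAMPLE_CONF = """\
confirm-external-bind=1
rpc-bind-ip=0.0.0.0
rpc-bind-port=18081
rpc-restricted-bind-port=18089
log-level=1
limit-rate=50000
start-mining=mining_address
fluffy-blocks=1
rpc-login=user:pass
"""

Finding = Tuple[str, str]  # (code, human-readable message)


def parse_monerod_conf(text: str) -> Dict[str, List[str]]:
    """Parse monerod's key=value config format (boost program_options style).

    '#' starts a comment; keys may repeat, so every value is kept in a list.
    Lines without '=' are ignored here: the daemon would reject them anyway.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def lint_rpc_exposure(conf: Dict[str, List[str]]) -> List[Finding]:
    """Return findings for the combinations reported in the thread."""
    findings: List[Finding] = []
    login = conf.get("rpc-login")
    unrestricted = conf.get("rpc-bind-port")
    restricted = conf.get("rpc-restricted-bind-port")
    # Assumption: the last rpc-bind-ip wins; anything outside 127.x is "external".
    bind_ip = conf.get("rpc-bind-ip", ["127.0.0.1"])[-1]
    external = not bind_ip.startswith("127.")
    # Assumption: payment is "enabled" by any rpc-payment-* key except the loopback allowance.
    free_loopback = "rpc-payment-allow-free-loopback" in conf
    payment = any(k.startswith("rpc-payment-") for k in conf
                  if k != "rpc-payment-allow-free-loopback")

    # Port syntax: the proposed "port,user:pass" form throws on startup (per the thread).
    for key in ("rpc-bind-port", "rpc-restricted-bind-port"):
        for value in conf.get(key, []):
            if "," in value:
                findings.append(("PER_PORT_LOGIN_UNSUPPORTED",
                                 f"{key}={value}: per-port login syntax is not accepted"))
            elif not value.isdigit() or not 0 <= int(value) <= 65535:
                findings.append(("BAD_PORT", f"{key}={value}: not a port in 0..65535"))

    # rpc-login is global: the public restricted port will demand credentials too.
    if login and unrestricted and restricted:
        findings.append(("LOGIN_ON_BOTH_PORTS",
                         "rpc-login applies to the restricted port as well; "
                         "a public restricted port will require credentials"))

    # Unrestricted RPC reachable from outside: firewall it, as suggested in the thread.
    if unrestricted and external:
        findings.append(("UNRESTRICTED_EXTERNAL",
                         f"rpc-bind-port {unrestricted[-1]} is bound on {bind_ip}; "
                         "restrict it with a firewall if only local access is intended"))

    # Payment plus an unrestricted port needs the free-loopback allowance or the daemon exits.
    if payment and unrestricted and not free_loopback:
        findings.append(("PAYMENT_NEEDS_FREE_LOOPBACK",
                         "RPC payment enabled with an unrestricted port: add "
                         "rpc-payment-allow-free-loopback=1 or the daemon refuses to start"))
    return findings


def finding_codes(text: str) -> List[str]:
    """Convenience wrapper: sorted, de-duplicated finding codes for a config text."""
    return sorted({code for code, _ in lint_rpc_exposure(parse_monerod_conf(text))})


if __name__ == "__main__":
    for code, message in lint_rpc_exposure(parse_monerod_conf(SAMPLE_CONF)):
        print(f"{code}: {message}")
```

Run it against the config from the opening comment and it reports LOGIN_ON_BOTH_PORTS (the behaviour this issue is about) and UNRESTRICTED_EXTERNAL (the unrestricted 18081 is bound on 0.0.0.0, so the firewall point raised by moneromooo applies). The workaround config from later in the thread, with no rpc-login and rpc-payment-allow-free-loopback=1, yields only the external-bind note.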

omurad commented 3 years ago

Would love to see this implemented

0b100100 commented 2 years ago

How about automatically disabling the RPC login for the restricted bind port when public-node=1 is in use?

ahmafi commented 1 year ago

I would also like to see this. Using a user:pass on the restricted and public RPC node doesn't make sense. I want the user:pass only for myself on non-restricted port.

thisIsNotTheFoxUrLookingFor commented 1 month ago

> I would also like to see this. Using a user:pass on the restricted and public RPC node doesn't make sense. I want the user:pass only for myself on non-restricted port.

Same for me, this is madness: set user:pass on full RPC, leave restricted RPC open for the public to consume, as that's (I assume) its most used purpose.

thisIsNotTheFoxUrLookingFor commented 1 month ago

> OK, so I thought of a solution that hopefully won't wreck things too much:
>
> --rpc-restricted-bind-port 18009,user:pass --rpc-bind-port 500
>
> Basically, after a port in [0,655235] an optional "," is allowed for specifying user:pass. The least intrusive method I've come up with.

Throws an exception now; it seems this is no longer allowed, at least not from the config file. With rpc-restricted-bind-port=18009,user:pass, monerod throws an exception on startup.

thisIsNotTheFoxUrLookingFor commented 3 weeks ago

Curious, if we disable user:pass and expose public RPC but firewall the private (full) RPC to the local network, and I assume a worst case scenario where my network is pwned and they start smashing my full RPC with no auth, what am I looking at as possible damage from that? There is no wallet functionality or any keys around my monerod; I am just connecting to it from a wallet on other devices.

omurad commented 3 weeks ago

Here's the list of RPC commands. It seems the worst that can happen is the attacker uses your node's CPU to mine for their wallet.

thisIsNotTheFoxUrLookingFor commented 3 weeks ago

> Here's the list of RPC commands. It seems the worst that can happen is the attacker uses your node's CPU to mine for their wallet.

Looks like they can also faff with things like max in/out peers etc., but yah, that's all stuff I can tolerate if it happens, cool.