shermand100 / PiNodeXMR

Monero Node for Single Board Computers with Web Interface and additional tools pre-configured. Self Installing.
GNU General Public License v3.0

--rpc-restricted-bind-ip argument missing for public nodes #34

Closed PidgeyBE closed 1 year ago

PidgeyBE commented 3 years ago

Hey! Thanks for previous fix. I've found another issue. It seems the --rpc-restricted-bind-ip argument is missing for public nodes, making them unreachable from the outside, even within the same LAN network. I've added it myself like this:

    ./monerod --rpc-restricted-bind-ip=$DEVICE_IP --rpc-bind-ip=$DEVICE_IP ...

and this seems to work.

Best regards, Pj

shermand100 commented 3 years ago

Ahh, k. I'm fairly sure there's a reason for this one. All the other start commands are designed for PiNodeXMR to operate as your own private node and the flag "--rpc-login=$RPCu:$RPCp" blankets the requirement across the RPC ports for your RPC username:password. When stats are produced for the Web-UI in these modes, the script also passes in your RPC username:password to get permission/access to these stats. They would otherwise be blocked.

The reason for the 'omission' you've spotted is because the flag "--rpc-restricted-bind-port=$MONERO_PUBLIC_PORT" is used instead and it behaves a little differently. By specifying a restricted RPC port, wallet functions can be served publicly, however it disables the ability for someone public sending in commands like "exit" which would stop your node. Apart from being an inconvenience access to your RPC is fairly limited anyway, but restricted RPC stops this misbehaviour.

Where this causes conflict is that this also blocks access to PiNodeXMR scripts from generating its Web-UI stats. The restricted port also doesn't allow "status" or "get_info" and so you'll notice that there is also an open port purely for the purpose of generating stats internally, (or your own LAN wallet connection if you wish).

So in public mode, 18081 should be protected behind your firewall and is open for local services. 18089 (default - but customisable) can safely be forwarded to the outside world to use as a free RPC wallet/node.

I'm still learning with this project as I go, and this bit was configured some time ago. It's a little ugly in setup and there is probably a better way.

I expect that you've added your new settings and it gives great wallet functionality, but I expect the Web-UI stats have stopped working?

With that info if you think of a more elegant way or something I haven't thought of to improve this I'm all up for changing it.

PidgeyBE commented 3 years ago

Hi @shermand100 Thanks for the verbose answer! First of all, indeed I'm trying to run a public node as I saw a call-up on reddit that the Monero network needs more public (p2p) nodes. I'm not an expert myself, so I was just trial-n-erroring towards a working setup.

  1. In the monerod-start-public-free.sh script I have, the --rpc-login=$RPCu:$RPCp flag is not used.

  2. The reason I've added the --rpc-restricted-bind-ip=$DEVICE_IP argument was because I could not connect to the node on port 18089, while I saw (via netstat -tulpen) that the port was open and my node was listening on it. With the default config I get:

    tcp        0      0 127.0.0.1:18089         0.0.0.0:*               LISTEN      1001       3524422    26892/./monerod     

    When I try to connect my monero-gui from another pc in the same LAN network to 192.168.0.101:18089, it cannot connect. Also from public/WAN side I cannot connect.

    With --rpc-restricted-bind-ip=$DEVICE_IP I get:

    tcp        0      0 192.168.0.101:18089     0.0.0.0:*               LISTEN      1001       2430096    18821/./monerod

    And in the monero-gui I can connect to 192.168.0.101:18089 and also from public/wan side (after port forwarding) I can connect.

  3. It seems everything in the web-UI is working as expected:

    Monero Version: 0.17.1.8-d3e582e51
    Node Status: OK
    Current Sync Height: 2264182
    Target Block Height: 2264083
    Outgoing Connections: 12
    Incoming Connections: 72
    Network Type: mainnet
    TX Pool Size: 45
    White Peerlist Size: 1000
    Grey Peerlist Size: 5000
    Update Available: false

    I think this is expected behaviour, as the web-UI connects to the unrestricted RPC server on 18081.

  4. I think security-wise everything is fine too:

    pinodexmr@PiNodeXMR:~/monero/build/release/bin $ ./monerod status --rpc-bind-ip=192.168.0.101 --rpc-bind-port=18081
    2020-12-31 10:46:26.845 I Monero 'Oxygen Orion' (v0.17.1.8-d3e582e51)
    Height: 2264196/2264196 (100.0%) on mainnet, not mining, net hash 1.83 GH/s, v14, 12(out)+7(in) connections, uptime 0d 0h 4m 23s
    pinodexmr@PiNodeXMR:~/monero/build/release/bin $ ./monerod status --rpc-bind-ip=192.168.0.101 --rpc-bind-port=18089
    2020-12-31 10:47:07.172 I Monero 'Oxygen Orion' (v0.17.1.8-d3e582e51)
    Error: Problem fetching info-- rpc_request: 
    Height: 2264196/2264196 (100.0%) on mainnet, mining info unavailable, net hash 1.83 GH/s, v14, 0(out)+0(in) connections

    pinodexmr@PiNodeXMR:~/monero/build/release/bin $ ./monerod sync_info --rpc-bind-ip=192.168.0.101 --rpc-bind-port=18089
    2020-12-31 10:49:55.503 I Monero 'Oxygen Orion' (v0.17.1.8-d3e582e51)
    Error: Unsuccessful -- json_rpc_request:

    -> On 18089, the publicly exposed port, only limited information is available...

shermand100 commented 1 year ago

Revisiting issues and feel this one is resolved on all public facing node modes with the Ubuntu 22.0X LTS branch of PiNodeXMR. Any remaining nodes on v4 PiNodeXMR are encouraged to upgrade to v5 by end of the year before branch deletion.

I've checked all node modes, and all have either --restricted-rpc, --restricted-bind-IP, or --restricted-bind-port specified to apply suitable restrictions to node functions and data to outside users.
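
The bind-address check that the thread performs by eye with netstat can be scripted. The following is an added example, not part of PiNodeXMR or of any comment above: it reads `netstat -tln` style text and reports whether the restricted RPC port is stuck on loopback (the symptom reported here) and whether the unrestricted port is bound off loopback and so depends on the firewall. The function names are hypothetical, the 18089 sample lines are the ones quoted in the thread, and the 18081 lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: classify monerod RPC listeners from `netstat -tln` text.
# Port roles follow the thread: 18081 unrestricted, 18089 restricted.

audit_rpc_listeners() {
    # $1 = unrestricted RPC port, $2 = restricted RPC port; netstat on stdin
    awk -v full="$1" -v restr="$2" '
        function scope(addr) {
            if (addr ~ /^127\./ || addr == "::1") return "loopback"
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") return "all-interfaces"
            return "interface"
        }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")          # last field is the port, IPv4 or IPv6
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            s = scope(addr)
            if (port == full) {
                seen_full = 1
                # Unrestricted RPC off loopback relies entirely on the firewall.
                status = (s == "loopback") ? "OK" : "WARN"
                print status, "unrestricted", port, addr, s
            } else if (port == restr) {
                seen_restr = 1
                # Restricted RPC on loopback cannot serve LAN or WAN wallets.
                status = (s == "loopback") ? "WARN" : "OK"
                print status, "restricted", port, addr, s
            }
        }
        END {
            if (!seen_full)  print "MISSING unrestricted", full
            if (!seen_restr) print "MISSING restricted", restr
        }
    '
}

# Sample input: 18089 lines as quoted in the thread, 18081 lines constructed.
sample_before() {
    printf '%s\n' \
      'tcp 0 0 192.168.0.101:18081 0.0.0.0:* LISTEN 1001 3524421 26892/./monerod' \
      'tcp 0 0 127.0.0.1:18089 0.0.0.0:* LISTEN 1001 3524422 26892/./monerod'
}
sample_after() {
    printf '%s\n' \
      'tcp 0 0 192.168.0.101:18081 0.0.0.0:* LISTEN 1001 2430095 18821/./monerod' \
      'tcp 0 0 192.168.0.101:18089 0.0.0.0:* LISTEN 1001 2430096 18821/./monerod'
}

echo "default start script:";          sample_before | audit_rpc_listeners 18081 18089
echo "with --rpc-restricted-bind-ip:"; sample_after  | audit_rpc_listeners 18081 18089
```

On a live node the same function can be fed with `netstat -tln | audit_rpc_listeners 18081 18089`; a WARN on the unrestricted port means that port must stay behind the firewall and must not be forwarded.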