How Dcrd Works And The Shortage Of Public Dcrd Nodes

Discussion in 'Technical Development' started by David, Mar 25, 2016.

  1. drunkenmugsy

    drunkenmugsy Sr. Member
    Advocate (Reddit)

    Dec 28, 2015
    405
    218
    Male
    To be more specific, if you are running a public node it would most likely be a remote host other than your normal desktop. You have to access it somehow, right? Unless you are accessing it via LAN only, behind a firewall in a DMZ, your entry point will most likely be the attack point as well. As for the premise that dcrd has exploits - we don't know of any. That does not mean there are none. New undisclosed holes/vulnerabilities are found every day in the various internet software. If you allow outside hosts to connect to dcrd this could be an attack vector as well. Once an attacker has host access your PoS wallet is in jeopardy.
    It doesn't even have to be access to your node directly. You could compromise your desktop in some fashion with the latest multiangle pr0n viewer/game key generator/downloaded cracked software/email from Mr. Bogamit from Zimbabwe spreadsheet hiding a trojan installer, and an attacker could get access that way, for example. There are many ways to circumvent a firewall/hardened server/whatever configuration. You don't always have to break down the front door. I deal with this type of stuff in a paid capacity. Mostly just daily admin type stuff. I see crazy shit sometimes and I am not even doing server forensics. You want to talk to some bat shit crazy paranoid guys, talk to them.
    I will say this once again - if you do the basics (close ports, reduce port access to allowed IPs, and various standard security hardening) you will most likely, 99.9% chance, not have any issues. But 99.9% is not 100%. Just as 99.999% is not 100%. Don't PoS on your public node. That is all I was trying to convey.
     
    David likes this.
  2. chappjc

    chappjc Full Member
    Developer Pool Operator (PoS)

    This and only this.

    You've made a case for disabling UPnP.
     
    David likes this.
  3. David

    David Sr. Member

    Jan 22, 2016
    364
    207
    Male
    USA
    Good points! It's great to talk about this stuff especially since there are no known exploits. And I don't think there is anything in this world that can be guaranteed 100%.

    At this point, I believe it's just your personal preference not to run PoS on a node that is accepting inbound connections. And that's totally fine. You might be 99.9999% safe by not running a public node with PoS, and I might be 99.999% safe if I do run PoS on a public node. My point is, the difference is negligible. Suggesting that your coins might be in danger because you chose to run PoS on a public node is a misguided assumption IMO. Your coins are no more in danger by running a public node than they are when you connect your computer to the internet. And once we get to this point, we are no longer talking about dcr software flaws, we are talking about OS flaws, which is an inherited risk when doing anything on the internet. If you have anything to back up your statement of not running PoS on a public node other than OS vulnerabilities, I'd love to hear it.
     
    chappjc likes this.
  4. drunkenmugsy

    drunkenmugsy Sr. Member
    Advocate (Reddit)

    Dec 28, 2015
    405
    218
    Male
    Disabling UPnP is a given. That is just a bad idea.
    That will not protect you, however, from an Excel macro script hack or when software you knowingly install from an unknown source installs another payload that it doesn't tell you about. CNET is a great source for crap like that. Software that will install other payload. Hell, they want you to install their download helper that is chock full of bullshit. When I did desktop support over a decade+ ago, browser toolbars were becoming the rage. Those right there should be banned. They do all kinds of tricks to get you to say yes to installing more software than just the original title. Those are the reputable ones. Others just install whatever they want once you give them permission to install the advertised function. Why do you think Microsoft cancelled the Win7 desktop widget program? Unverified software was able to be installed. MS was getting hammered because "it's a Windows desktop widget. It's part of the OS, right? It's from MS, right?" No, no they are not.
    Once that type of compromise has been made, any inbound firewall protections you have in place are useless. Your trojanned host just phones home and gets orders/more payload. Most (read as 100% of consumers and 99% of commercial users) people do not limit outbound connections. Typically this is hard to do as outbound connections are not tied to known ports. You can't really even begin to block outbound traffic without some kind of deep packet inspection to see what is legit and what is not. Most consumer level users are not going to do this or even have access to hardware capable of doing it. Hell, most commercial users don't do this. It's just too hard to do right unless you have a very limited scope.
     
  5. semajjames

    semajjames New Member

    Mar 26, 2016
    50
    1
    Male
    I want to connect my mining rigs to a daemon/wallet on a remote PC. I'm assuming this will make it a node, but I can't find out how to make the daemon listen to my rigs... is this even possible?
     
  6. chappjc

    chappjc Full Member
    Developer Pool Operator (PoS)

    #26 chappjc, Mar 26, 2016
    Last edited: Mar 26, 2016
    This is unrelated to being a public node.

    But your options are to share the TLS cert that is needed if an RPC server is listening on an interface other than localhost. Or the easiest solution is to simply run dcrd on each miner. No biggie. Using the --connect option to specify the primary dcrd you run will prevent unnecessary internet connections.
     
    David likes this.
  7. chappjc

    chappjc Full Member
    Developer Pool Operator (PoS)

    I believe it's the option.
    Code:
    maxpeers:           Max number of inbound and outbound peers (125)
     
    drunkenmugsy and David like this.
  8. David

    David Sr. Member

    Jan 22, 2016
    364
    207
    Male
    USA
    #28 David, Mar 26, 2016
    Last edited: Mar 27, 2016
    EDIT: The default maximum number of outbound connections is 8.
     
  9. chappjc

    chappjc Full Member
    Developer Pool Operator (PoS)

    David likes this.
  10. drunkenmugsy

    drunkenmugsy Sr. Member
    Advocate (Reddit)

    Dec 28, 2015
    405
    218
    Male
    Wow, ty. Quick response. Moved to FAQ as it was off topic.
     
  11. Johnshpon3

    Johnshpon3 Member

    Dec 25, 2015
    210
    86
    Male
    Telecommunications
    Slovenia
    So, to add something for public nodes. I have a mining rig which is online 24/7. Running a public node in parallel to mining is not an additional power issue. Also this will not be a PoS miner, because PoS is running on my laptop.
    But I have some questions prior to setting up my public node.
    1. I think I need a static IP provided by my ISP? This is not an issue, I only need to ask my ISP and I will get it for free (after a few days).
    2. I need to set my public node computer to a static IP inside my local network, let's say 192.168.88.52 (MikroTik router)?
    3. Then I need to route port 9109 to my local network IP, in my case 192.168.88.52
    4. Then I start the wallet with PoS settings and let's say --balancetomaintain=0, --ticketmaxprice=0.5
    That should be all I think; the only other thing I need is to ensure the computer is running 24/7 smoothly.
     
  12. semajjames

    semajjames New Member

    Mar 26, 2016
    50
    1
    Male
    Thanks, does this mean I still only use one wallet address?
     
  13. David

    David Sr. Member

    Jan 22, 2016
    364
    207
    Male
    USA
    1. If you can get a static IP from your ISP, that's the way to go! If not, you can create a free dynamic DNS host on noip.com which will keep track of your public IP through the use of a client software running on a machine inside your network. I haven't tested this yet, but chappjc said dcrd --externalip can accept a URL (which is what the noip client will give you).
    2. Static is also the best way to go for this. Some routers will keep a record of which device had which IP and they'll lease the same IP you had before any downtime (reboots, power outages, etc). Either way, you will need to know the IP of your public node on your LAN.
    3. Be careful here. Dcrd connects to the blockchain on port 9108. Your wallet runs on localhost on 9109. You would ideally want to block inbound 9109 and accept/forward inbound 9108 to your node on your LAN.
    4. If you don't want this miner to participate in PoS at all (no voting, no ticket purchases), don't launch the wallet with --enablestakemining. If you want this mining rig to vote, but not purchase tickets, launch the wallet with --enablestakemining and then use the flags you have in your item #4 above.

    PS - if you are pool mining, you don't need to run dcrd/dcrwallet. If you are solo mining then you will have to run dcrd. I believe Windows clients still have to launch dcrd with the --notls only if they are going to solo mine.
     
    chappjc likes this.
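The split the post above describes (dcrd's P2P port 9108 open to inbound peers, the RPC port 9109 kept on localhost) is easy to get wrong when editing port forwards and bind addresses. The following is an added example, not code from the thread or from the Decred project: a small POSIX shell audit that reads a host's listening sockets and reports whether the P2P port is reachable and whether the RPC port has leaked onto a public interface. It assumes the input is the "Local Address:Port" column of Linux `ss -ltn` output; the sample listener lines below are constructed, not captured from a real node.

```shell
#!/bin/sh
# Added example, not code from the thread or the Decred project: audit a host's
# listening sockets for the split the posts describe. dcrd's P2P port (9108) must
# accept inbound connections to count as a public node, while the RPC port the
# posts say belongs on localhost (9109) must not be bound to a public interface.
# Assumption: input lines are the "Local Address:Port" column of `ss -ltn` on Linux.

P2P_PORT=9108
RPC_PORT=9109

# audit_listeners reads one "host:port" listener per line on stdin, prints a
# finding for each relevant port, and returns 0 only when the P2P port is
# reachable from outside and the RPC port is loopback-only.
audit_listeners() {
    p2p_open=1      # becomes 0 once a wildcard bind for the P2P port is seen
    rpc_exposed=0   # becomes 1 once a non-loopback bind for the RPC port is seen
    while read -r addr; do
        [ -n "$addr" ] || continue
        port=${addr##*:}
        host=${addr%:*}
        case "$port" in
            "$P2P_PORT")
                case "$host" in
                    0.0.0.0|'*'|'[::]')
                        p2p_open=0
                        echo "OK: P2P port $P2P_PORT accepts inbound peers on $host" ;;
                    *)
                        echo "WARN: P2P port $P2P_PORT bound to $host only; remote peers cannot reach it" ;;
                esac ;;
            "$RPC_PORT")
                case "$host" in
                    127.0.0.1|'[::1]')
                        echo "OK: RPC port $RPC_PORT is loopback-only on $host" ;;
                    *)
                        rpc_exposed=1
                        echo "ALERT: RPC port $RPC_PORT listening on $host; bind it to localhost or block it at the firewall" ;;
                esac ;;
        esac
    done
    [ "$p2p_open" -eq 0 ] && [ "$rpc_exposed" -eq 0 ]
}

# Constructed sample: the layout the thread recommends (P2P public, RPC local).
GOOD_SAMPLE='0.0.0.0:9108
127.0.0.1:9109'

# Constructed sample: RPC accidentally bound to every interface.
BAD_SAMPLE='0.0.0.0:9108
0.0.0.0:9109'

# To audit the live host instead of the samples (Linux):
#   ss -ltn | awk 'NR>1 {print $4}' | audit_listeners
if printf '%s\n' "$GOOD_SAMPLE" | audit_listeners; then echo "good sample: PASS"; fi
if printf '%s\n' "$BAD_SAMPLE" | audit_listeners; then :; else echo "bad sample: FAIL (as expected)"; fi
```

The check only looks at bind addresses; a router forward or a host firewall rule can still expose or hide a port, so pair it with the port-forward rule the post describes (forward 9108, not 9109) and re-run it after every config change.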
  14. davecgh

    davecgh Hero Member
    Developer Organizer

    Dec 31, 2015
    642
    788
    Male
    United States
    There is an intentional unconfigurable limit of 8 outbound peers. More outbound peers than that does not help you in any way and is actually worse for both you and the network. This has been tested extremely thoroughly in Bitcoin, including btcsuite (the upstream project for Decred). All you would do by upping your outbound connections is waste valuable slots of the relatively few public peers there are (there are always a much higher number of "leechers" than there are "seeders").

    On the other hand, increasing your maximum connections, which really just increases the number of allowed inbound connections, helps the network by ensuring there are more slots available for new nodes and SPV clients (which Decred does not have yet, but it will).
     
    chappjc, drunkenmugsy and David like this.
  15. David

    David Sr. Member

    Jan 22, 2016
    364
    207
    Male
    USA
    Thanks @davecgh. I've updated my post!
     
  16. Johnshpon3

    Johnshpon3 Member

    Dec 25, 2015
    210
    86
    Male
    Telecommunications
    Slovenia
    I think I got it. I need to route port 9108 to my node. This is only a mining rig for pool mining. As you said, I don't even have my wallet up, running only dcrd for tracking blocks on the network. Before I was running only CGminer without anything else.
    This then will be a public node to support the Decred network without staking and voting options; wallet balance is 0.
    So what command do I then use to bring the node up? Only run the wallet without any flags except -u and -p?
     
  17. drunkenmugsy

    drunkenmugsy Sr. Member
    Advocate (Reddit)

    Dec 28, 2015
    405
    218
    Male
    That's what I wanted to confirm! Thanks. So upping inbound connections on our public nodes is a good idea? I will change mine to 96 or so. It is on a fast link.
     
  18. David

    David Sr. Member

    Jan 22, 2016
    364
    207
    Male
    USA
    To clarify: Your wallet is separate from dcrd. You don't need either of them online for pool mining. If you want to make a public dcrd node, forward port 9108 through your router/firewall to your host machine where dcrd is running. If all you want to do is run a public node (and not use your wallet on this computer at all), just run dcrd with the command
    Code:
    dcrd
    or by simply double clicking on it if you're using Windows.
     
  19. chappjc

    chappjc Full Member
    Developer Pool Operator (PoS)

    drunkenmugsy likes this.
  20. ClokworkGremlin

    ClokworkGremlin Sr. Member

    Jan 10, 2016
    535
    381
    Male
    Whatever I want.
    Huh. I was not one of the public nodes. I've manually set up port forwarding (and disabled UPnP) and restarted dcrd, hopefully I'll show up on the list now.
     
    David likes this.
