To be more specific, if you are running a public node it would most likely be a remote host other than your normal desktop. You have to access it somehow, right? Unless you are accessing it via LAN only, behind a firewall in a DMZ, your entry point will most likely be the attack point as well. As for the premise that dcrd has exploits - we don't know of any. That does not mean there are none. New undisclosed holes/vulnerabilities are found every day in the various internet software. If you allow outside hosts to connect to dcrd this could be an attack vector as well. Once an attacker has host access your PoS wallet is in jeopardy. It doesn't even have to be access to your node directly. You could compromise your desktop in some fashion with the latest multiangle pr0n viewer/game key generator/downloaded cracked software/email from Mr. Bogamit from Zimbabwe spreadsheet hiding a trojan installer, and an attacker could get access that way, for example. There are many ways to circumvent a firewall/hardened server/whatever configuration. You don't always have to break down the front door. I deal with this type of stuff in a paid capacity. Mostly just daily admin type stuff. I see crazy shit sometimes and I am not even doing server forensics. You want to talk to some bat shit crazy paranoid guys, talk to them. I will say this once again - if you do the basics (close ports, reduce port access to allowed IPs, and various standard security hardening) you will most likely, 99.9% chance, not have any issues. But 99.9% is not 100%. Just as 99.999% is not 100%. Don't PoS on your public node. That is all I was trying to convey.
Good points! It's great to talk about this stuff, especially since there are no known exploits. And I don't think there is anything in this world that can be guaranteed 100%. At this point, I believe it's just your personal preference not to run PoS on a node that is accepting inbound connections. And that's totally fine. You might be 99.9999% safe by not running a public node with PoS, and I might be 99.999% safe if I do run PoS on a public node. My point is, the difference is negligible. Suggesting that your coins might be in danger because you chose to run PoS on a public node is a misguided assumption IMO. Your coins are no more in danger by running a public node than they are when you connect your computer to the internet. And once we get to this point, we are no longer talking about dcr software flaws, we are talking about OS flaws, which is an inherited risk when doing anything on the internet. If you have anything to back up your statement of not running PoS on a public node other than OS vulnerabilities, I'd love to hear it.
Disabling UPnP is a given. That is just a bad idea. That will not protect you, however, from an Excel macro script hack or when software you knowingly install from an unknown source installs another payload that it doesn't tell you about. CNET is a great source for crap like that. Software that will install other payload. Hell, they want you to install their download helper that is chock full of bullshit. When I did desktop support over a decade+ ago, browser toolbars were becoming the rage. Those right there should be banned. They do all kinds of tricks to get you to say yes to installing more software than just the original title. Those are the reputable ones. Others just install whatever they want once you give them permission to install the advertised function. Why do you think Microsoft cancelled the win7 desktop widget program? Unverified software was able to be installed. MS was getting hammered because "it's a Windows desktop widget. It's part of the OS, right? It's from MS, right?" No, no they are not. Once that type of compromise has been made, any inbound firewall protections you have in place are useless. Your trojanned host just phones home and gets orders/more payload. Most (read as 100% of consumers and 99% of commercial users) people do not limit outbound connections. Typically this is hard to do as outbound connections are not tied to known ports. You can't really even begin to block outbound traffic without some kind of deep packet inspection to see what is legit and what is not. Most consumer level users are not going to do this or even have access to hardware capable of doing it. Hell, most commercial users don't do this. It's just too hard to do right unless you have a very limited scope.
I want to connect my mining rigs to a daemon/wallet on a remote PC. I'm assuming this will make it a node, but I can't find out how to make the daemon listen to my rigs... Is this even possible?
This is unrelated to being a public node. But your options are to share the TLS cert that is needed if an RPC server is listening on an interface other than localhost. Or the easiest solution is to simply run dcrd on each miner. No biggie. Using the --connect option to specify the primary dcrd you run will prevent unnecessary internet connections.
That's actually the default for outbound. It was 3 at the start, and later increased: https://github.com/decred/dcrd/commit/5e0163fdeeb40ce3ee639c9574b86c3a746a2a72
So, to add something for public nodes. I have a mining rig which is on-line 24/7. Running a public node in parallel with mining is not any additional power issue. Also this will not be a PoS miner, because PoS is running on my laptop. But I have some questions prior to setting up my public node.
1. I think I need a static IP provided by my ISP? This is not an issue, I only need to ask my ISP and I will get it for free (after a few days).
2. I need to set my public node computer to a static IP inside my local network, let's say 192.168.88.52 (MikroTik router)?
3. Then I need to route port 9109 to my local network IP, in my case 192.168.88.52.
4. Then I start the wallet with PoS settings and, let's say, --balancetomaintain=0, --ticketmaxprice=0.5.
That should be all I think, the only thing I need more is to ensure the computer is running 24/7 smoothly.
1. If you can get a static IP from your ISP, that's the way to go! If not, you can create a free dynamic DNS host on noip.com which will keep track of your public IP through the use of client software running on a machine inside your network. I haven't tested this yet, but chappjc said dcrd --externalip can accept a URL (which is what the noip client will give you).
2. Static is also the best way to go for this. Some routers will keep a record of which device had which IP and they'll lease the same IP you had before any downtime (reboots, power outages, etc). Either way, you will need to know the IP of your public node on your LAN.
3. Be careful here. dcrd connects to the blockchain on port 9108. Your wallet runs on localhost on 9109. You would ideally want to block inbound 9109 and accept/forward inbound 9108 to your node on your LAN.
4. If you don't want this miner to participate in PoS at all (no voting, no ticket purchases), don't launch the wallet with --enablestakemining. If you want this mining rig to vote, but not purchase tickets, launch the wallet with --enablestakemining and then use the flags you have in your item #4 above.
PS - if you are pool mining, you don't need to run dcrd/dcrwallet. If you are solo mining then you will have to run dcrd. I believe Windows clients still have to launch dcrd with --notls only if they are going to solo mine.
There is an intentional, unconfigurable limit of 8 outbound peers. More outbound peers than that does not help you in any way and is actually worse for both you and the network. This has been tested extremely thoroughly in Bitcoin, including btcsuite (the upstream project for Decred). All you would do by upping your outbound connections is waste valuable slots of the relatively few public peers there are (there are always a much higher number of "leechers" than there are "seeders"). On the other hand, increasing your maximum connections, which really just increases the number of allowed inbound connections, helps the network by ensuring there are more slots available for new nodes and SPV clients, which Decred does not have any of yet, but it will.
I think I got it. I need to route port 9108 to my node. This is only a mining rig for pool mining. As you said, I don't even have my wallet up, running only dcrd for tracking blocks on the network. Before I was running only CGminer without anything else. This then will be a public node to support the Decred network without staking and voting options, wallet balance is 0. So what command do I then use to bring the node up? Only run the wallet without any flags except -u and -p?
That's what I wanted to confirm! Thanks. So upping inbound connections on our public nodes is a good idea? I will change mine to 96 or so. It is on a fast link.
To clarify: Your wallet is separate from dcrd. You don't need either of them online for pool mining. If you want to make a public dcrd node, forward port 9108 through your router/firewall to your host machine where dcrd is running. If all you want to do is run a public node (and not use your wallet on this computer at all), just run dcrd with the command "dcrd" or by simply double clicking on it if you're using Windows.
The default is 125. Do you intend to decrease it? https://github.com/decred/dcrd/blob/master/config.go#L35
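The port, TLS, UPnP and peer-limit advice in the posts above (the RPC listener on 9109 stays on localhost unless you share the TLS cert, only P2P port 9108 gets forwarded, UPnP stays off, outbound is fixed at 8 so maxpeers really buys inbound slots, default 125) can be turned into a quick self-check of a dcrd.conf before you expose the host. The script below is an added example for this thread, not code from the Decred project or from anyone posting here. It assumes dcrd.conf uses the option names of the matching command-line flags (listen, rpclisten, notls, upnp, nolisten, maxpeers) in key=value form; the two sample configs it audits are constructed for the example, and 203.0.113.10 is a documentation address, not a real node.

```shell
#!/bin/sh
# Added example (not dcrd project code): audit a dcrd.conf for the exposure
# mistakes discussed in this thread. Option names are assumed to match dcrd's
# command-line flags; the sample configs further down are constructed.

# Print every value of option $1 from the config text on stdin.
# dcrd.conf is one "key=value" per line; '#' starts a comment.
conf_get() {
    sed -n -E "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*([^[:space:]#]*).*/\1/p"
}

# True when an address binds loopback only (where the wallet's RPC port belongs).
is_loopback() {
    case "$1" in
        127.*|localhost*|\[::1\]*|::1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit the config on stdin. Prints FINDING/NOTE lines; always exits 0.
audit_dcrd_conf() {
    conf=$(cat)
    rpc_exposed=0

    # 1. RPC (9109) stays on localhost. Forward 9108 (P2P), never 9109.
    for addr in $(printf '%s\n' "$conf" | conf_get rpclisten); do
        if ! is_loopback "$addr"; then
            echo "FINDING: rpclisten=$addr exposes the RPC server (9109) beyond localhost; only P2P port 9108 should be reachable from outside"
            rpc_exposed=1
        fi
    done

    # 2. notls is only ever acceptable with a localhost-only RPC listener.
    if [ "$(printf '%s\n' "$conf" | conf_get notls)" = "1" ] && [ "$rpc_exposed" -eq 1 ]; then
        echo "FINDING: notls=1 combined with a non-localhost rpclisten (RPC credentials would cross the network in clear)"
    fi

    # 3. UPnP off; add the TCP 9108 forward by hand on the router instead.
    if [ "$(printf '%s\n' "$conf" | conf_get upnp)" = "1" ]; then
        echo "FINDING: upnp=1; disable UPnP and forward TCP 9108 manually"
    fi

    # 4. A public node needs inbound P2P: nolisten off, listen not loopback-only.
    if [ "$(printf '%s\n' "$conf" | conf_get nolisten)" = "1" ]; then
        echo "FINDING: nolisten=1; the node will never accept inbound peers on 9108"
    fi
    for addr in $(printf '%s\n' "$conf" | conf_get listen); do
        if is_loopback "$addr"; then
            echo "FINDING: listen=$addr binds P2P to loopback only; inbound peers cannot reach it"
        fi
    done

    # 5. maxpeers is effectively inbound capacity (outbound is capped at 8 regardless).
    mp=$(printf '%s\n' "$conf" | conf_get maxpeers)
    [ -n "$mp" ] && echo "NOTE: maxpeers=$mp (dcrd default 125); raising it adds inbound slots for the network"
    return 0
}

# Number of FINDING lines for the config on stdin (always exits 0).
count_findings() {
    audit_dcrd_conf | grep -c '^FINDING' || true
}

# Constructed "as found" config with the mistakes the thread warns about.
sample_exposed_conf() {
    cat <<'EOF'
# constructed sample, not a real node's config
rpcuser=user
rpcpass=pass
rpclisten=0.0.0.0:9109
notls=1
upnp=1
EOF
}

# Constructed hardened config for a public node: P2P open, RPC on localhost,
# UPnP off (forward TCP 9108 on the router yourself), more inbound slots.
sample_hardened_conf() {
    cat <<'EOF'
# constructed sample, not a real node's config
rpcuser=user
rpcpass=pass
listen=0.0.0.0:9108
rpclisten=127.0.0.1:9109
externalip=203.0.113.10
maxpeers=200
EOF
}

# Demo on the constructed configs; for your own file use:
#   audit_dcrd_conf < ~/.dcrd/dcrd.conf
echo "== exposed sample =="; sample_exposed_conf | audit_dcrd_conf
echo "== hardened sample =="; sample_hardened_conf | audit_dcrd_conf
```

The exposed sample produces three findings (RPC bound to all interfaces, notls on top of that, UPnP on) and the hardened one none, only the maxpeers note. The script reads the file alone, so pair it with a look at what is actually listening on the host and a check from outside the LAN that 9108 answers while 9109 does not; a config file can be overridden by flags on the command line.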
Huh. I was not one of the public nodes. I've manually set up port forwarding (and disabled UPnP) and restarted dcrd, hopefully I'll show up on the list now.