Must access remote bitcoin node for Lightning



Instead of completely opening up RPC ports to the whole internet, I would do something quite different. Here, you are relying on the strength of your RPC auth credentials and the implementation being bug-free. Bitcoind itself strongly discourages doing what was suggested in the other answer:

  -rpcbind=<addr>[:port]
   Bind to given address to listen for JSON-RPC connections. Do not expose
   the RPC server to untrusted networks such as the public internet!
   This option is ignored unless -rpcallowip is also passed. Port is
   optional and overrides -rpcport. Use [host]:port notation for
   IPv6. This option can be specified multiple times (default:
   127.0.0.1 and ::1 i.e., localhost)

I solved it on a network level: since I have the SSH port open anyway (though on a non-standard port, just for that extra little bit of obscurity on top of the obviously non-obscurity-reliant security), I opted for SSH tunneling.

LN Node

Basically, I have a systemd service on the LN node that starts after boot and creates an SSH connection to my Bitcoin node. Through that tunnel, it can access the node's RPC port 18332 (testnet). The port is not exposed directly to the internet this way; instead it is only reachable via SSH.

The service is mostly stolen from https://avizard.blogspot.com/2021/01/aggressive-yet-sane-persistent-ssh-with.html.

$ cat /etc/systemd/system/autossh_systemd_unit.service
[Unit]
Description=AutoSSH service to remotely access RPC of Bitcoin node
#After=network-online.target
# Use this instead if autossh will interact with the local SSH server
After=network-online.target sshd.service

[Service]
User=[NONPRIV_USER]
Environment="AUTOSSH_GATETIME=30"
Environment="AUTOSSH_POLL=30"
Environment="AUTOSSH_FIRST_POLL=30"

# Line continuations: each argument line must end with a backslash.
# -M 0 disables autossh's own monitor port; ServerAlive* does the liveness check instead.
# -N: no remote command, only the -L forward. ExitOnForwardFailure makes ssh quit (and
# systemd restart it) if the local port cannot be bound.
ExecStart=/usr/bin/autossh -M 0 -N -q \
-o "ServerAliveInterval 10" \
-o "ServerAliveCountMax 3" \
-o "ExitOnForwardFailure yes" \
-p [SSH_PORT] -l [USER] [HOST] \
-i [SSH_KEY] \
-L 18332:127.0.0.1:18332
# Alternative to -N: run 'sleep 10' as the remote command to make ssh exit in case no
# TCP connections are forwarded in 10 seconds. Useful to get remote shell exit codes.
# Note that systemd only treats '#' at the start of a line as a comment, so such a
# remote command must not be appended to the ExecStart line as '#sleep 10'.

ExecStop=/usr/bin/kill $MAINPID
ExecReload=/usr/bin/kill -HUP $MAINPID

Restart=always
# On Linux TCP_TIMEWAIT_LEN is not tunable and set to (60*HZ), about 60 seconds. TCP_FIN_TIMEOUT also defaults to 60 seconds.
RestartSec=60

# See systemd.kill(5)
KillMode=process

[Install]
WantedBy=default.target

Bitcoin Node

Additionally, the ufw firewall on my Bitcoin node only allows SSH access from two specific IPs, which are the one that my Lightning node runs on and another one from which I manage my stuff.

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
8333                       ALLOW       Anywhere                   # Bitcoin Mainnet
18333                      ALLOW       Anywhere                   # Bitcoin Testnet
[SSH_PORT]/tcp             ALLOW       [LN_NODE_IP]               # SSH
[SSH_PORT]/tcp             ALLOW       [MGMT_IP]                  # SSH
8333 (v6)                  ALLOW       Anywhere (v6)              # Bitcoin Mainnet
18333 (v6)                 ALLOW       Anywhere (v6)              # Bitcoin Testnet

Finally, all users can only be logged into with authorized SSH keys, and the LN node doesn't hold a key to a superuser account; instead, the only user that machine (server) can ever access is a non-privileged user. This means that in case the LN node gets taken control of, my Bitcoin node is still fine.

$ cat /etc/ssh/sshd_config
[...]
Port [SSH_PORT]
[...]
PubkeyAuthentication yes
[...]
PasswordAuthentication no
[...]

Additionally, an IDS would be advisable on both machines, but the setup for that exceeds the scope of this question.

I would be interested to hear what other options people use!
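The setup above rests on two facts that are easy to get wrong silently: bitcoin.conf must keep rpcbind/rpcallowip on loopback (so only the SSH tunnel endpoint can talk to RPC), and the RPC port must actually be listening on 127.0.0.1/::1 only. The following is an added example, not code from the answer or from Bitcoin Core: a small Python audit that parses a bitcoin.conf and the output of `ss -tln` and reports any RPC exposure. The RPC port set (8332 mainnet, 18332 testnet, 38332 signet, 18443 regtest) is the bitcoind defaults; the conf and socket listings are constructed samples, and reading real `ss -tln` output is assumed to give the same column layout.

```python
"""Audit how a bitcoind RPC interface is exposed (added example, not from the answer).

Two checks: bitcoin.conf must keep rpcbind/rpcallowip on loopback or a private
range, and the RPC port must not be listening on a non-loopback address.
All sample inputs below are constructed for this example.
"""
import ipaddress

# Default bitcoind RPC ports: mainnet, testnet, signet, regtest
RPC_PORTS = {8332, 18332, 38332, 18443}


def _host_of(addr):
    """Return the bare host from 'host', 'host:port' or '[v6]:port' (rpcbind syntax)."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:
        return addr.split(":", 1)[0]
    return addr


def _is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; anything unparsable (e.g. '*') is not."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def _is_local(value):
    """True for loopback or private (RFC 1918 / ULA) addresses and networks.
    The unspecified address (0.0.0.0, ::, and 0.0.0.0/0) and hostnames never count."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    if net.network_address.is_unspecified:
        return False
    return net.is_loopback or net.is_private


def parse_bitcoin_conf(text):
    """Parse key=value lines; '#' comments are stripped; repeated keys accumulate."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        opts.setdefault(key, []).append(value)
    return opts


def audit_conf(text):
    """Findings for rpcbind / rpcallowip values that reach beyond local networks."""
    opts = parse_bitcoin_conf(text)
    findings = []
    for value in opts.get("rpcbind", []):
        if not _is_local(_host_of(value)):
            findings.append("rpcbind=%s binds RPC to a non-local address" % value)
    for value in opts.get("rpcallowip", []):
        if not _is_local(value):
            findings.append("rpcallowip=%s admits non-local clients" % value)
    return findings


def audit_listeners(ss_output):
    """Findings for RPC ports that `ss -tln` shows listening off loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # 'Local Address:Port' column
        if not port.isdigit() or int(port) not in RPC_PORTS:
            continue
        if not _is_loopback(host.strip("[]")):
            findings.append("RPC port %s is listening on %s" % (port, host))
    return findings


# Constructed sample: the layout the answer argues against.
WEAK_CONF = """\
testnet=1
rpcbind=0.0.0.0
rpcallowip=0.0.0.0/0
"""

# Constructed sample: RPC stays on loopback and is reached through the SSH tunnel.
HARDENED_CONF = """\
testnet=1
rpcbind=127.0.0.1
rpcbind=[::1]
rpcallowip=127.0.0.1  # tunnel endpoint
rpcallowip=::1
"""

# Constructed `ss -tln` listings for the two configurations.
SS_WEAK = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:18332       0.0.0.0:*
LISTEN 0      128    0.0.0.0:18333       0.0.0.0:*
"""

SS_HARDENED = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:18332     0.0.0.0:*
LISTEN 0      128    [::1]:18332         [::]:*
LISTEN 0      128    0.0.0.0:18333       0.0.0.0:*
LISTEN 0      128    [::]:18333          [::]:*
"""

if __name__ == "__main__":
    for label, conf, ss in (("weak", WEAK_CONF, SS_WEAK),
                            ("hardened", HARDENED_CONF, SS_HARDENED)):
        findings = audit_conf(conf) + audit_listeners(ss)
        print("%s: %s" % (label, "; ".join(findings) or "no RPC exposure found"))
```

On a real node, feed the actual files in: `audit_conf(open("/path/to/bitcoin.conf").read())` and `audit_listeners(subprocess.check_output(["ss", "-tln"], text=True))`. P2P ports (8333/18333) are deliberately ignored, since those are meant to be public; only the RPC listener is checked. Note that the listener check is stricter than the conf check: rpcallowip may legitimately name a private range, but with the tunnel design above the socket itself should never leave loopback.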
