forked from Someguy123/-Coin
-
Notifications
You must be signed in to change notification settings - Fork 2
/
SECURITYandCHANGES.txt
75 lines (60 loc) · 3.27 KB
/
SECURITYandCHANGES.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
wwortel March 2014
Modifications to '+Coin WebUI'
+ removed 2 decimal rounding in calculations and introduced 2 decimal text formatting
+ introduced euro
+ replaced exchange rate source; now is btc-e.com
+ put Daemon info on separate tab
+ make page Tabs in header highlighted according to chosen page
+ clarified Balance wordings
+ make "" account indeed show as "" rather than nothing
+ introduce move command to move funds between accounts in a wallet
+ check on sufficient funds before sending or moving
+ replaced 'isset' checks by value checks because POST can set values without actual contents
SECURITY NOTES !!!!!
The choice of http protocol in the example 'config.php' assumes that the webserver, e.g. apache2,
that will serve this WebUI to the Internet has https capability and is running on the same host or on a LAN as is the bitcoind daemon.
I.e. the RPC communication web server <> bitcoind daemon is not open to the Internet and limited to localhost 127.0.0.1.
The use of https via Internet to use this WebUI is essential because wallet passwords and WebUI authentication information will have to be sent via the Internet!
This WebUI should not be http accessible and http calls to the subdirectory that holds this Coin WebUI package
need to be redirected to https service, using the web server's directives.
Then Conditional Access needs to be installed to have access to the WebUI.
Example directives for Apache2; the subdirectory where BitcoindWebUI resides is called 'coinmaster' in this example:
In the //etc/apache2/sites-available/<Your FQDN for the http site>
### Coinmaster
Redirect /coinmaster https://Your_FQDN/coinmaster # so any call getting here via http gets redirected
<Directory /path/to/where/webcontent/coinmaster>
Order allow,deny
Deny from all # close this directory anyway
</Directory>
### end Coinmaster
In the //etc/apache2/sites-available/<Your FQDN for the https site>
### Coinmaster
<Directory /path/to/where/webcontent/coinmaster>
AuthType Basic
AuthName "Bitcoin Daemon & Wallet +Coin WebUI"
AuthBasicProvider file # use an encrypted 'passwords' file
AuthUserFile /path/to/where/passwords
Require user <one or more usernames as defined in 'passwords'>
</Directory>
### end Coinmaster
The 'passwords' file should be somewhere not web accessible.
It can be generated using the apache utility 'htpasswd'.
Automatic back-up of the wallet(s) is not part of this WebUI but can be easily implemented with a script.
Example for Linux and to be executed regularly as cron job:
walletbackup.sh (e.g. put in /usr/sbin)
#!/bin/sh
# Bitcoind Wallet backup and email script
# Uses bitcoin-cli and scp to send the file
#
IFS=
walletname='wallet_'`date -u +%Y%m%d%H%M`'.dat'
localpath='/tmp/'${walletname}
remotepath='/path/to/'${walletname}
bitcoin-cli -conf=/etc/bitcoin/bitcoin.conf backupwallet ${localpath}
scp -P <ssh port number> -i //etc/ssh/ssh_host_rsa_key ${localpath} <user>@<FQDN>:${remotepath} && rm ${localpath}
exit
###
This will send the backup securely to a computer of choice on the internet.
Prepare the ssh server to accept authentication per certificate and introduce the rsa key of the host with bitcoind into the authorized_keys file of the server that gets the backup sent.
wwortel accepts donations!
BTC address: 1LkzWBvy847UNvAcJHjMJJbpHcNY8VnTL