Securing Ethereum JSON RPC from Vulnerabilities


Posted By : Amarnath Arora | 27-Aug-2020

What is JSON/RPC in Ethereum?

 

JSON/RPC is the native communication protocol for interacting with an Ethereum node. It consists of a suite of low-level commands that can be sent to the node over HTTPS or WebSockets.

 

Why is it important to secure your Ethereum node?

 

Ethereum lets you interact with a node over JSON/RPC remotely, so an incorrectly configured Ethereum node can lead to your account being hacked: attackers constantly run automated scanners looking for insecure nodes in order to steal ETH.

 

How to secure your Ethereum node?

 

- Restricting the interface the geth node listens on

 

Using the --rpcaddr geth option, you can specify the interface on which the geth HTTP-RPC server listens. Running geth with --rpcaddr 0.0.0.0 is dangerous, because anyone can then reach the HTTP-RPC server remotely; set --rpcaddr to 127.0.0.1 or to the IP of a private network interface instead.

 

You can list your server's IP addresses with the command:

 

ifconfig | grep netmask | awk '{print $2}'

 

- For development: using SSH tunnelling to access a restricted remote Ethereum node

 

For development, if you need to reach a remote Ethereum node that is bound to the loopback address or to a particular network interface, you can use SSH tunnelling.

 

The tunnel can be defined in the ~/.ssh/config file; the entry below forwards port 8545 on the local computer to port 8545 on the server.

 

Host ethereum-testnet                            # nickname or abbreviation for the remote host
    User ec2-user                                # remote ssh user on the Ethereum server
    Hostname 1.1.1.1                             # server IP address
    IdentityFile ~/.ssh/testnet-private-key.pem  # path to the ssh key on your local machine
    LocalForward 8545 localhost:8545             # local port 8545 -> port 8545 on the server's loopback

 

Once the connection is open (ssh ethereum-testnet), you can interact with the remote Ethereum node as if it were running on your local machine on port 8545.

 

- For production

 

If you run a geth node in production on a cloud such as AWS, Azure or GCP, deploy it in a custom VPC. A VPC lets you build a virtual network in the cloud, and through security groups, NACLs and subnets you control how traffic is allowed to flow.

 

- Using nginx as a reverse proxy and enabling HTTP basic auth

With nginx in front of the node, you can enable HTTP basic authentication so that a username and password are required for every request.

Generating HTTP Auth basic credentials

command:
htpasswd -c <path-to-store-passwd-file> <username>

example:
htpasswd -c /etc/nginx/.htpasswd nginx

Enter the password; you will be asked to type it twice for verification. After the command completes successfully, the file is created at /etc/nginx/.htpasswd.

Make sure to close port 8545 in your server firewall so that the node can be reached only through the nginx-configured path, which will be http://example.com/rpc in the example below.

server {

  listen 80;
  listen [::]:80;
  server_name example.com;
  # Port 80 sends the basic-auth credentials in clear text; terminate TLS here in production.

  # Basic auth is only enforced when auth_basic is set; auth_basic_user_file alone does nothing.
  auth_basic "Ethereum JSON-RPC";
  auth_basic_user_file /etc/nginx/.htpasswd;

  location ^~ /rpc {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # geth checks the Host header against --rpcvhosts (default: localhost) and rejects other
      # names; forwarding the upstream address (an IP literal) is always accepted.
      proxy_set_header Host $proxy_host;
      proxy_set_header X-NginX-Proxy true;
      proxy_pass    http://127.0.0.1:8545/;
  }
}



- Enabling rpcapi responsibly

 

If you run geth with --rpcapi "eth, net,web3,admin, personal", the admin and personal namespaces are enabled over RPC, which poses a security risk; decide whether your project actually needs them before enabling them.
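A small audit helper for the two misconfigurations this post covers, the --rpcaddr binding described earlier and the --rpcapi namespace list here. It is an added example, not code from the post; the sample command line and the rpc_modules reply are constructed, and the admin/personal list is the one the post names.

```python
import ipaddress
import json

RISKY_NAMESPACES = {"admin", "personal"}  # the namespaces the post singles out

def flag_value(argv, flag, default=None):
    """Value of a geth flag written as '--flag value' or '--flag=value'."""
    for i, arg in enumerate(argv):
        if arg == flag and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(flag + "="):
            return arg[len(flag) + 1:]
    return default

def bind_risk(addr):
    """Loopback 'safe', RFC 1918/ULA 'private' (also acceptable per the post), else 'exposed'."""
    if addr == "localhost":  # geth's default value
        return "safe"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or :: listens on every interface; test first
        return "exposed"
    if ip.is_loopback:
        return "safe"
    return "private" if ip.is_private else "exposed"

def enabled_apis(argv):
    """Split --rpcapi the way geth does: on commas, trimming whitespace."""
    raw = flag_value(argv, "--rpcapi", "")  # absent: geth's default set, no admin/personal
    return {n.strip() for n in raw.split(",") if n.strip()}

def audit_argv(argv):
    """Findings for a geth command line; an empty list means nothing to fix."""
    findings = []
    if "--rpc" in argv:  # the HTTP-RPC server only starts when --rpc is given
        addr = flag_value(argv, "--rpcaddr", "localhost")
        if bind_risk(addr) == "exposed":
            findings.append(f"HTTP-RPC bound to {addr}; use 127.0.0.1 or a private IP")
        risky = sorted(enabled_apis(argv) & RISKY_NAMESPACES)
        if risky:
            findings.append("sensitive namespaces enabled: " + ", ".join(risky))
    return findings

def audit_rpc_modules(reply_json):
    """Same check against a running node, using the JSON reply to rpc_modules."""
    return sorted(set(json.loads(reply_json).get("result", {})) & RISKY_NAMESPACES)

# Constructed samples: the post's --rpcapi string bound to all interfaces, and an
# rpc_modules reply from a node that still has the personal namespace enabled.
SAMPLE_ARGV = ["geth", "--rpc", "--rpcaddr", "0.0.0.0", "--rpcapi", "eth, net,web3,admin, personal"]
SAMPLE_REPLY = ('{"jsonrpc":"2.0","id":1,"result":{"eth":"1.0","net":"1.0",'
                '"personal":"1.0","rpc":"1.0","web3":"1.0"}}')
```

Run audit_argv over the node's actual command line, and audit_rpc_modules over the reply to an rpc_modules call made from the node itself, to confirm the running configuration matches what you intended.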
