What is JSON/RPC in Ethereum?
It is a native communication protocol for interacting with an Ethereum node. JSON/RPC contains a suite of low-level commands that can be sent to a node, over HTTPS or WebSockets.
Why is it Important to Secure your Ethereum Node?
Ethereum provides the option to interact with its interface using JSON/RPC remotely, so an Ethereum node incorrectly can lead to your account being hacked, as hackers are always running automated scanners to look for insecure nodes and steal ETH.
You may also like | How will Ethereum 2.0 Cut off Energy Consumption
How to Secure your Ethereum Node?
- Restricting on which interface geth node listens
It can be done using the --rpcaddr geth option. We can specify on which interface geth HTTP-RPC server listens. So, running geth with --rpcaddr 0.0.0.0 value can be dangerous as anyone can access the HTTP-RPC remotely. You can use the --rpcaddr value to 127.0.0.1 or private network interface IP.
You can check your server ips with the command:-
ifconfig|grep netmask|awk '{print $2}'
- For Development purposes using SSH/Tunneling to access restricted remote Ethereum node
For development purposes, if you want to access a remote Ethereum node that is bound to listen to a loopback address or a particular network interface, you can use SSH tunneling.
We can set up ssh tunneling in ~/.ssh/config file. We can tunnel from the local computer 8545 port to the server 8545 port.
Host ethereum-testnet # This can be used to specify nicknames or abbreviations for hosts
User ec2-user # ethereum server remote ssh user
Hostname 1.1.1.1 # Server IP address
IdentityFile ~/.ssh/testnet-private-key.pem # path to ssh key on your local machine
LocalForward 8545 localhost:8545 # tunnel command
Now, you can interact with a remote Ethereum node as it's running on your local machine at the 8545 port.
- For Production Purposes
If you are running geth node for a production environment in a cloud-like AWS/Azure/GCP, deploy it in a custom VPC as VPC enables you to build a virtual network in the cloud, through the security group, NACL. Subsequently, you can customize how the network flow works.
- Using Nginx as a reverse proxy and enabling HTTP basic auth
With the nginx basic authentication setup, you can enable basic authentication in which a username and password will be required for authentication.
Also, Explore | A Quick Guide to Ethereum ERC Token Standards
Generating HTTP Auth basic credentials
Command:
htpasswd -c <path-to-store-passwd-file> <username>
Example:
htpasswd -c /etc/nginx/.htpasswd nginx
Enter the password, you will be asked to enter the password two times for verification, and after the successful completion of a command, the file be created at /etc/nginx/.htpasswd.
Make sure to close the 8545 port in your server firewall so it can be accessed through the nginx configured path only, which will be like http://example.com/rpc according to the example below.
server {
listen 80;
listen [::]:80;
server_name example.com;
auth_basic_user_file /etc/nginx/.htpasswd;
location ^~ /rpc {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://127.0.0.1:8545/;
}
}
- Enabling rpcapi responsibly
If you are running geth with --rpcapi "eth, net,web3,admin, personal" you have admin and personal rpcapi, which can pose some security threats so decide if you want to enable them according to your project requirements.
For more insights into the blockchain development space, visit our market insight section. Or you can connect with our skilled blockchain developers to get started.