
@le-dawg
Created December 29, 2020 15:20
XMR Mining AWS ... here is how to do it securely

So you want to mine in AWS without getting caught

tl;dr: AWS mining is against TOC so even if you have credits you will be invoiced and your credits burned. Watch out. These methods only help mitigate or lower the risk of discovery. Share responsibly.

Problem

AWS is firewalled af on top of the policy mentioned in tl;dr. A good way is to use a mining proxy with TLS. Even better would be a point-to-point VPN. Using VPN directly is also a good solution - but services that let you configure that you only want one certain port to run via VPN and not the SSH connection that is your lifeline are costly. This document sketches a few solutions, provides some links, and documents one particular approach. And remember, methods of detection will soon encompass deep learning: https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9178288

Assumed scenario: XMR / Monero mining (CPU, RandomX). Assuming no command&control server is needed (although one is available in the same repo).

AWS EC2 instances ---> VPS somewhere else ---> mining pool

Solutions

General

Ranked from high to low protectiveness.

  1. Point-to-point VPN
  2. TOR-mining
  3. TLS-secured uplink to mining proxy
  4. SOCKS5 uplink to wrap your miner traffic and send to VPS
  5. SSH tunneling (config headache)

3. TLS uplink to proxy

Assumptions: a DigitalOcean Droplet with root, and any EC2 instance with sudo access. Follow the official guidelines and use private key auth.

Set up the proxy first

  1. Log into your DOcean droplet
  2. Create a key pair and self-signed certificate for TLS auth (the command assumes the private key priv-key.pem already exists):

```shell
openssl req -new -x509 -key priv-key.pem -out cert.pem -days 1825
```

  3. Get XMRigCC proxy from https://github.com/Bendr0id/xmrigcc-proxy/releases/

```shell
wget <use URL to most recent release from address above>
tar -xvzf <downloaded filename>
```

  4. Keep the default config mostly, but edit these parts (assuming A) a TLS connection to the pool AND a TLS connection from miner to proxy, and B) a static IPv4 address (IPv6 is possible, please refer to the rest of the official config)): sudo nano config.json
```json
    "bind": [
        {
            "host": "0.0.0.0",
            "port": DESIRED-PORT,
            "tls": true
        }
    ],

    "mode": "simple",
    "pools": [
        {
            "algo": "rx/0",
            "coin": "XMR",
            "url": "YOUR-TARGET-POOL-ADDRESS:TLS-SSL-COMPATIBLE-PORT",
            "user": "YOUR-WALLET-ADDRESS",
            "pass": "x",
            "rig-id": null,
            "keepalive": false,
            "enabled": true,
            "tls": true,
            "tls-fingerprint": null,
            "daemon": false
        }
    ],
    "tls": {
        "protocols": null,
        "cert": "cert.pem",
        "cert_key": "priv-key.pem",
        "ciphers": null,
        "ciphersuites": null,
        "dhparam": null
    },
```

**Do not let other sources on the web confuse you. You only need to set the cert and cert key you generated in step 2. The simplest way is to store them in the folder with config.json; otherwise you need to provide the full path. In TLS the server has to authenticate to the client, so you will get nowhere if there are errors here. Do not mix up key and cert.**

  5. Ensure the ports you want to use are available. Repeat until you have an OK from a.

    a. Check if the desired port is free: https://ping.eu/port-chk/ or any preferred method (remember that your local machine might be firewalled without you knowing!)
    b. If not, check the VPS welcome message for any hints on open ports and test those
    c. If not, check open ports on the console: sudo ufw status, netstat -tulpen
    d. If no desirable ports are available, free them using ufw AND/OR iptables:

```shell
sudo ufw allow DESIRED-PORT/tcp
sudo ufw allow DESIRED-PORT
sudo ufw enable
sudo ufw status
iptables -I INPUT 1 -i eth0 -p tcp --dport DESIRED-PORT -j ACCEPT
```

    Check that eth0 is the main network interface used on your VPS.
    e. GOTO a.

  6. Run xmrigCC-proxy.

Set up the miner

AWS is tricky because of the excellent DDOS protection. This guide is missing the section on how to create gateways ("customer gateways") which allow you to send traffic through the firewall. There are many guides on the internet on how to do this. This of course needs to be set up such that it could plausibly be other, meaningful traffic. Run other apps that use the same outgoing port/gateway.

  1. Get the miner from https://github.com/Bendr0id/xmrigCC/releases

```shell
wget <use URL to most recent release from address above>
tar -xvzf <downloaded filename>
```

  2. Set up the config to connect to the proxy via TLS (yes, you need to put in the mining address again as user). If you want to mine a specific algo or a specific coin: run the miner daemon once with the autosave option active; this will populate the config file with additional params for the algo. For the coin, use the coin name in lowercase.

```json
    "pools": [
        {
            "algo": null,
            "coin": null,
            "url": "IP-OF-YOUR-PROXY-VPS:THE-PORT-YOU-FOUND-DURING-PROXY-SETUP",
            "user": "YOUR_WALLET_ADDRESS",
            "pass": "x",
            "rig-id": null,
            "nicehash": false,
            "keepalive": false,
            "enabled": true,
            "tls": true,
            "tls-fingerprint": null,
            "daemon": false,
            "socks5": null,
            "self-select": null
        }
    ],
```

  3. Profit! Almost!

Caveat: escaping the AWS firewalls

AWS has a lot of mgmt overhead to setting up gateways. You can use the AWS CLI or do it via the dashboard - both suck. If you are following the minimalist path and running EC2 instances, this is how you can set rules on AWS: https://ec2-tutorials.readthedocs.io/en/latest/configure-firewall.html Remember to stick to the ports above and not open the floodgates.
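Since the gist opens with the risk of being noticed, here is the defender's view of the traffic this setup generates. The Python below is an added example (not part of the gist or of the xmrigCC project) that runs a simple heuristic over VPC Flow Log records: an instance holding a long-lived, low-bandwidth TCP session to one external host on a non-standard port. The thresholds and the allow-listed ports are assumptions to tune per environment, and the sample records are constructed.

```python
# Hunt for the egress pattern this setup produces: a long-lived, low-bandwidth TCP session
# from an EC2 ENI to one external host on a non-standard port, over VPC Flow Log v2 text.
from collections import defaultdict

COMMON_PORTS = {22, 53, 80, 123, 443}   # assumption: ports where a persistent session is normal
MIN_TOTAL_SECONDS = 3600                # session must persist across at least an hour of windows
MAX_BYTES_PER_SEC = 2000                # stratum-style keepalive/share traffic is tiny

def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16 (IPv4 only, matching the gist's assumption)."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def parse_flow_log(text):
    """Yield dicts for ACCEPT records of the default 14-field v2 format; skip everything else."""
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 14 or f[0] != "2" or f[12] != "ACCEPT":
            continue                    # REJECT, NODATA/SKIPDATA or a custom field layout
        yield {"src": f[3], "dst": f[4], "dport": int(f[6]), "proto": int(f[7]),
               "bytes": int(f[9]), "start": int(f[10]), "end": int(f[11])}

def find_persistent_egress(text):
    """Return sorted [(src, dst, dport, total_seconds, bytes_per_sec)] worth a closer look."""
    agg = defaultdict(lambda: [0, 0, 0])   # (src, dst, dport) -> [seconds, bytes, windows]
    for r in parse_flow_log(text):
        if r["proto"] != 6 or is_rfc1918(r["dst"]):
            continue                        # only TCP that leaves the VPC
        k = (r["src"], r["dst"], r["dport"])
        agg[k][0] += r["end"] - r["start"]
        agg[k][1] += r["bytes"]
        agg[k][2] += 1
    hits = []
    for (src, dst, dport), (secs, nbytes, wins) in agg.items():
        if dport in COMMON_PORTS or secs < MIN_TOTAL_SECONDS or wins < 2:
            continue
        if nbytes / secs <= MAX_BYTES_PER_SEC:
            hits.append((src, dst, dport, secs, round(nbytes / secs, 1)))
    return sorted(hits)

# Constructed sample records (documentation IP ranges): 10.0.1.5 holds a session to 203.0.113.7:3333
# across four 15-minute windows; 10.0.1.9 only does one short HTTPS download.
SAMPLE = """
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.7 49152 3333 6 720 86400 1609200000 1609200900 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.7 49152 3333 6 705 84600 1609200900 1609201800 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.7 49152 3333 6 735 88200 1609201800 1609202700 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.7 49152 3333 6 715 85800 1609202700 1609203600 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.1.9 198.51.100.20 51000 443 6 9000 12000000 1609200000 1609200060 ACCEPT OK
"""
```

A hit is a lead, not a verdict: confirm on the instance (process list, the remote endpoint's TLS certificate, CPU profile) before acting.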
