@thecryptodrive
Last active January 29, 2021 16:19
Shield Wall Attack Mitigation
# Blurt "Shield Wall" Attack Mitigation
In light of the recent "Witness Properties" spam attack, we have decided to secure all ingress and egress to the chain using a VPN, and then open things back up over time.
We, the witnesses, are going to take control of all Blurt endpoints, 100% of them.
Then each witness will use their own judgement to decide who to allow into k50.
(The name comes from graph theory, where a connected graph G is said to be k-vertex-connected, or k-connected; the intent is to grow the consensus witness set by 10 seats each HF until it reaches 50.)
We will also figure out a way to deal with this troublesome transaction type.
We will get 23 witnesses on ZeroTier.
Then those witnesses, and any others who wish to come for the ride, will separate from the public network and continue consensus on their own.
---------------------------------
# 1. Setting up a Virgin Machine
---------------------------------
Recommended specifications: 4 GB RAM, 80 GB disk. CPU count is not that crucial, as the blockchain does not support multi-threading due to its linear sync properties.
THESE STEPS ARE FOR FRESH MACHINES ONLY AT THIS TIME. WE WILL TRANSITION WITNESS MACHINES ONE BY ONE.
NB: These directions are written for Debian / Ubuntu and you should use Debian 10 Buster or Ubuntu 20.04.
Note: Please do not log in to your server via your hosting provider's console; use SSH at all times.
# 1.1. Install dependencies and get your machine up to date:
apt update
apt upgrade -y
apt install -y software-properties-common gnupg vnstat ifstat iftop atop ufw fail2ban
curl -s https://install.zerotier.com | bash
curl -s https://get.docker.com | bash
zerotier-cli join 9f77fc393eda5193
# 1.2. Get your machine's addresses so you can be activated:
zerotier-cli info
(Give results to @jacob or @megadrive via Discord DM for approval)
# 1.3. Set up the node (paste this as one line):
docker run -d --net=host -v blurtd:/blurtd --name blurtd registry.gitlab.com/blurt/blurt/witness:dev /usr/bin/blurtd --data-dir /blurtd --plugin "witness account_by_key account_by_key_api condenser_api database_api network_broadcast_api transaction_status transaction_status_api rc_api" --webserver-http-endpoint 127.0.0.1:8091 --webserver-ws-endpoint 127.0.0.1:8090
# 1.4a. Choke the network. ZeroTier puts all of its traffic over UDP port 9993, so you can block everything but that and SSH:
ufw default deny
ufw default deny outgoing
ufw allow ssh
ufw allow 9993/udp
ufw allow out http
ufw allow out https
ufw allow out 9993/udp
ufw allow in on ztuzesm2fn from 0.0.0.0/0
ufw allow out on ztuzesm2fn to 0.0.0.0/0
ufw deny out on eth0 from any to any port 1776
# 1.4b. Install a time synchronisation service in order to minimise block collisions (new addition 29/12/2020).
# Note: you will need to disable UFW if you previously enabled it:
ufw disable
# Purge NTP and Chrony in case either is already present on your machine
apt purge ntp
apt purge chrony
# For Ubuntu 20.04 servers:
apt install systemd-timesyncd
# For Debian 10 servers:
systemctl start systemd-timesyncd
# You can check the status with this command:
timedatectl status
# It should show the following:
# System clock synchronized: yes
# NTP service: active
# 1.4c. Open the outgoing ports for NTP and DNS, so that time synchronisation can work.
ufw allow out ntp
ufw allow out 53/udp
# 1.5. Enable the firewall to block all traffic in and out except for ZeroTier, SSH and time synchronisation.
ufw enable
# 1.6. Check UFW Status
ufw status verbose
# Verify results look like this:
# -----------------------------------UFW STATUS----------------------------
# Status: active
# Logging: on (low)
# Default: deny (incoming), deny (outgoing), deny (routed)
# New profiles: skip
# To Action From
# -- ------ ----
# 22/tcp ALLOW IN Anywhere
# 9993/udp ALLOW IN Anywhere
# Anywhere on ztuzesm2fn ALLOW IN Anywhere
# 22/tcp (v6) ALLOW IN Anywhere (v6)
# 9993/udp (v6) ALLOW IN Anywhere (v6)
# Anywhere (v6) on ztuzesm2fn ALLOW IN Anywhere (v6)
# 123/udp ALLOW OUT Anywhere
# 53/udp ALLOW OUT Anywhere
# Anywhere ALLOW OUT Anywhere on ztuzesm2fn
# 80/tcp ALLOW OUT Anywhere
# 443/tcp ALLOW OUT Anywhere
# 9993/udp ALLOW OUT Anywhere
# 1776 DENY OUT Anywhere on eth0
# 123/udp (v6) ALLOW OUT Anywhere (v6)
# 53/udp (v6) ALLOW OUT Anywhere (v6)
# Anywhere (v6) ALLOW OUT Anywhere (v6) on ztuzesm2fn
# 80/tcp (v6) ALLOW OUT Anywhere (v6)
# 443/tcp (v6) ALLOW OUT Anywhere (v6)
# 9993/udp (v6) ALLOW OUT Anywhere (v6)
# 1776 (v6) DENY OUT Anywhere (v6) on eth0
# ---------------------------------------------------------------------------------
# 1.7. Check your blockchain sync results in Docker:
docker logs blurtd -f
# To stop viewing logs, just press ctrl+c
# 1.8. Check your results in the network:
iftop
# Press Q to exit
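The expected output in 1.6 is meant to be compared by eye. The script below is an added example (it is not part of this gist) that does the comparison mechanically: it reads the output of ufw status verbose, checks that the firewall is active, that both default policies are deny, that every rule section 1.4 installs is present, and that no inbound ALLOW rule outside that list has crept in. The function name audit_ufw_status, the REQUIRED_RULES table and the sample status text are constructed here; the interface names ztuzesm2fn and eth0 are taken from the page.

```shell
#!/bin/sh
# Added example, not part of the gist: audit `ufw status verbose` output against
# the rule set section 1.4 installs, so a drifted or mistyped rule is caught
# instead of eyeballed. Assumes the interface names from the page (ztuzesm2fn, eth0).
# Usage on a live node:  ufw status verbose | audit_ufw_status

# Rules the page expects, as "To|Action|From". IPv6 twins are folded into these.
REQUIRED_RULES='22/tcp|ALLOW IN|Anywhere
9993/udp|ALLOW IN|Anywhere
Anywhere on ztuzesm2fn|ALLOW IN|Anywhere
123/udp|ALLOW OUT|Anywhere
53/udp|ALLOW OUT|Anywhere
Anywhere|ALLOW OUT|Anywhere on ztuzesm2fn
80/tcp|ALLOW OUT|Anywhere
443/tcp|ALLOW OUT|Anywhere
9993/udp|ALLOW OUT|Anywhere
1776|DENY OUT|Anywhere on eth0'

# audit_ufw_status: reads ufw output on stdin, prints findings, exits 0 only when
# the firewall is active, both defaults are deny, every required rule is present
# and no ALLOW IN rule outside the list exists (extra outbound rules are warned about).
audit_ufw_status() {
    awk -v required="$REQUIRED_RULES" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN {
        n = split(required, lines, "\n")
        for (i = 1; i <= n; i++) { gsub(/\|/, " ", lines[i]); want[lines[i]] = 1 }
        rc = 0
    }
    /^Status:/  { if ($2 != "active") { print "FAIL: firewall is not active"; rc = 1 } }
    /^Default:/ { if ($0 !~ /deny \(incoming\)/ || $0 !~ /deny \(outgoing\)/) {
                      print "FAIL: default policy must be deny for incoming and outgoing"; rc = 1 } }
    match($0, /(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD)/) {
        line = $0; gsub(/ \(v6\)/, "", line)          # fold "(v6)" rules onto their v4 twin
        match(line, /(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD)/)
        to = trim(substr(line, 1, RSTART - 1))
        action = substr(line, RSTART, RLENGTH)
        from = trim(substr(line, RSTART + RLENGTH))
        key = to " " action " " from
        seen[key] = 1
        if (!(key in want)) {
            level = (action == "ALLOW IN") ? "FAIL" : "WARN"
            print level ": rule not in section 1.4: " key
            if (action == "ALLOW IN") rc = 1
        }
    }
    END {
        for (k in want) if (!(k in seen)) { print "FAIL: missing rule: " k; rc = 1 }
        if (rc == 0) print "OK: ufw rule set matches section 1.4"
        exit rc
    }'
}

# Constructed sample mirroring the expected output shown in 1.6 (not captured from a node).
SAMPLE_UFW_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
9993/udp                   ALLOW IN    Anywhere
Anywhere on ztuzesm2fn     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
9993/udp (v6)              ALLOW IN    Anywhere (v6)
Anywhere (v6) on ztuzesm2fn ALLOW IN   Anywhere (v6)
123/udp                    ALLOW OUT   Anywhere
53/udp                     ALLOW OUT   Anywhere
Anywhere                   ALLOW OUT   Anywhere on ztuzesm2fn
80/tcp                     ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
9993/udp                   ALLOW OUT   Anywhere
1776                       DENY OUT    Anywhere on eth0
123/udp (v6)               ALLOW OUT   Anywhere (v6)
53/udp (v6)                ALLOW OUT   Anywhere (v6)
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on ztuzesm2fn
80/tcp (v6)                ALLOW OUT   Anywhere (v6)
443/tcp (v6)               ALLOW OUT   Anywhere (v6)
9993/udp (v6)              ALLOW OUT   Anywhere (v6)
1776 (v6)                  DENY OUT    Anywhere (v6) on eth0'

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_UFW_STATUS" | audit_ufw_status
```

An unexpected inbound rule (say, the 8091 HTTP endpoint accidentally opened to the world) is a hard failure because it undoes the point of the shield wall; an unexpected outbound rule is only a warning, since the page itself adds outbound exceptions over time (NTP, DNS).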
----------------------------
# 2. Setup your witness
----------------------------
# The procedure for setting up a new witness or transitioning your old witness is the same;
# the only extra step involved in transitioning your existing witness is, at the end of
# the procedure, to log into your old server and stop blurtd (systemctl stop blurtd) or simply
# decommission the old server. You should not miss any blocks during this procedure.
# 2.1. Check logs if blockchain is synced:
docker logs blurtd -f
# If it shows blocks with dates prior to the current date, then it is not yet synced; expect it
# to take 2 to 3 hours to fully sync. Press ctrl+c to exit the logs.
# 2.2. Enter the container, navigate to /blurtd and set up cli_wallet:
# NB: it is very important to run the cli_wallet from /blurtd
docker exec -it blurtd /bin/bash
cd /blurtd
# Enter the CLI wallet
cli_wallet
# The first thing you should do is set a password, like:
set_password yourpassword
# Unlock Wallet
unlock yourpassword
# Generate Brain Key
suggest_brain_key
# Copy down its entire output and keep it safe (keepass.info or 1password.com are good password keepers).
# You'll be using this brain key to control your witness.
# Import the generated Brain WIF Key
import_key Insert_brain_wif_priv_key_here
# Import your Blurt account's Active Key (Note: Pre 20 March 2020 Steem keys will also work)
# Note: The key should start with a 5 as per the example key below:
import_key 5KABCDEFGHIJKLMNOPQRSTUVXYZ
# Add private brain key to config.ini to sign blocks as a Witness
# Exit wallet via:
ctrl+d
# Exit Docker
exit
# Edit config.ini
nano /var/lib/docker/volumes/blurtd/_data/config.ini
# Navigate to these lines and edit them as follows (remember to remove the '#' prefix from the command lines):
# name of witness controlled by this node (e.g. initwitness )
witness = "blurtaccountname"
# WIF PRIVATE KEY to be used by one or more witnesses or miners
private-key = Insert_brain_wif_priv_key_here
# Remove the line that defines p2p-seed-node and replace with
p2p-seed-node = 192.168.195.141:1776 192.168.195.12:2001 192.168.195.83:2001 192.168.195.186:1776 192.168.195.209:1776 192.168.195.172:1776 192.168.195.140:1776 192.168.195.2:1776 192.168.195.117:1776 192.168.195.61:1776 192.168.195.119:1776 192.168.195.95:1776 192.168.195.145:1776 192.168.195.168:1776 192.168.195.89:1776 192.168.195.96:1776 192.168.195.48:1776 192.168.195.234:1776 192.168.195.127:1776 192.168.195.229:1776 192.168.195.167:1776 192.168.195.72:1776 192.168.195.154:1776 192.168.195.49:1776 192.168.195.114:1776
# Update p2p-endpoint with your server's ZT IP
p2p-endpoint = 192.168.195.x:1776
# Replace the x with the last octet of your server's ZT IP.
# Find your server's ZT IP by running ip addr and looking at the IP of the ztuzesm2fn interface.
# Press ctrl+o and then Enter to save, ctrl+x to exit.
# Restart blurtd
docker restart blurtd
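Hand-editing config.ini in nano works, but a typo in the seed list or a p2p-endpoint left on 0.0.0.0 silently puts the node back on the public network. The script below is an added example, not tooling from this gist or from the Blurt project: it applies the four edits from 2.2 non-interactively, refuses a private key that does not start with 5 or an endpoint that is not a ZeroTier address, writes the file with owner-only permissions (it now contains a signing key), and is safe to re-run. The function names zt_ip, configure_witness and show_witness_config, the sample config.ini and the 5KEXAMPLE... key are constructed for the example; the assumption that unused defaults appear as "# witness =" and "# private-key =" is mine, not stated on the page.

```shell
#!/bin/sh
# Added example, not part of the gist: apply the section 2.2 config.ini edits
# non-interactively and verifiably instead of hand-editing in nano.
# Assumptions (not stated on the page): the config uses "key = value" lines, the
# unused defaults are commented out as "# witness =" / "# private-key =", and the
# ZeroTier interface is ztuzesm2fn on 192.168.195.0/24 as in the gist.

# zt_ip prints the IPv4 address of the ZeroTier interface (needs a live interface;
# the demo below passes the address explicitly instead).
zt_ip() {
    ip -4 -o addr show dev "${1:-ztuzesm2fn}" | awk '{ split($4, a, "/"); print a[1]; exit }'
}

# configure_witness CONFIG NAME WIF_PRIVATE_KEY ZT_IP "SEED LIST"
# Drops every existing active or commented assignment of the four keys the page
# edits and appends fresh ones, so running it twice yields the same file.
configure_witness() {
    cfg=$1 name=$2 wif=$3 ztip=$4 seeds=$5
    # Sanity checks before touching key material: WIF keys start with 5 (page, 2.2),
    # and the endpoint must be the ZeroTier address, never the public NIC.
    case $wif in 5*) ;; *) echo "refusing: private key does not start with 5" >&2; return 1 ;; esac
    case $ztip in 192.168.195.*) ;; *) echo "refusing: $ztip is not a ZeroTier address" >&2; return 1 ;; esac
    [ -f "$cfg" ] || { echo "refusing: $cfg not found" >&2; return 1; }
    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    # grep -v exits 1 when nothing is left; that is still a valid (empty) remainder.
    grep -Ev '^[# ]*(witness|private-key|p2p-seed-node|p2p-endpoint) *=' "$cfg" > "$tmp" || [ $? -eq 1 ]
    {
        printf 'witness = "%s"\n' "$name"
        printf 'private-key = %s\n' "$wif"
        printf 'p2p-seed-node = %s\n' "$seeds"
        printf 'p2p-endpoint = %s:1776\n' "$ztip"
    } >> "$tmp"
    # The file now holds a signing key: owner-only permissions, then atomic replace.
    chmod 600 "$tmp" && mv "$tmp" "$cfg"
}

# show_witness_config prints the four lines that matter, for a post-edit check.
show_witness_config() {
    grep -E '^(witness|private-key|p2p-seed-node|p2p-endpoint) *=' "$1"
}

# Constructed sample config.ini (shape assumed; not copied from a blurtd image).
SAMPLE_CONFIG='# name of witness controlled by this node (e.g. initwitness )
# witness =

# WIF PRIVATE KEY to be used by one or more witnesses or miners
# private-key =

p2p-seed-node = seed.example.invalid:1776
p2p-endpoint = 0.0.0.0:1776
plugin = witness'

# Demo on a throwaway copy. 5KEXAMPLEPRIVATEKEY is a placeholder, not a real key.
demo_cfg=$(mktemp) && printf '%s\n' "$SAMPLE_CONFIG" > "$demo_cfg"
configure_witness "$demo_cfg" blurtaccountname 5KEXAMPLEPRIVATEKEY 192.168.195.10 \
    "192.168.195.141:1776 192.168.195.12:2001"
show_witness_config "$demo_cfg"
rm -f "$demo_cfg"
```

On a live node the call would be configure_witness /var/lib/docker/volumes/blurtd/_data/config.ini blurtaccountname "$WIF" "$(zt_ip)" "$SEEDS", followed by docker restart blurtd as above.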
# Enter cli_wallet again and broadcast your witness
docker exec -it blurtd /bin/bash
cd /blurtd
cli_wallet
unlock yourpassword
update_witness "blurtaccountname" "https://your-blog-url" "BRAIN_KEY_PUB_KEY_GOES_HERE" {"account_creation_fee":"100.000 BLURT","maximum_block_size":65536} true
# Updating Fees
update_witness_properties "blurtaccountname" {"key":"BRAIN_KEY_PUB_KEY_GOES_HERE", "account_creation_fee":"100.000 BLURT","maximum_block_size":65536,"account_subsidy_budget": 797, "account_subsidy_decay": 347321, "operation_flat_fee":"0.001 BLURT","bandwidth_kbytes_fee":"0.250 BLURT"} true
# Exit wallet via:
ctrl+d
# Exit Docker
exit
# Check https://blocks.blurtwallet.com/#/witnesses to see if you are producing in a similar block range to other witnesses.
----------------
# 3. Check logs
----------------
# Check logs to see if ufw correctly blocking
docker logs blurtd -f
# ctrl+c to exit
iftop
# ctrl+c to exit
journalctl -f
# ctrl+c to exit
--------------------------------------------------------------------
# 4. Install & run net tools & update witness status on spreadsheet
---------------------------------------------------------------------
apt install net-tools
netstat -avWetn
# Paste the results in gist.github.com, then add the link and update your witness status in: https://docs.google.com/spreadsheets/d/1hDLwjdSqLHv22dDFhKxjZzxmXIyBUDnUfRwuj71EQV4/edit?usp=sharing
# Identify your IP addresses and publish them on the spreadsheet
# To get IPV4 address
curl -4 canhazip.com
# To get IPV6 address
curl -6 canhazip.com
# To get ZeroTier INET address
ip addr
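Sections 3 and 4 ask you to read iftop, journalctl and netstat output and judge whether the firewall is holding. The script below is an added example (not part of this gist) that turns the netstat step into a pass/fail check: it flags a p2p listener bound to anything other than the ZeroTier address (EXPOSED) and any established p2p session whose peer is outside the ZeroTier subnet (LEAK), and counts the ZeroTier peers. The function name audit_p2p_sockets and the two netstat samples are constructed; the subnet 192.168.195.0/24 and the ports 1776 and 2001 are taken from the page's seed list.

```shell
#!/bin/sh
# Added example, not part of the gist: turn the "check logs / netstat" steps of
# sections 3 and 4 into a test that fails when blurtd talks to anything outside
# ZeroTier. Assumes the ZeroTier subnet 192.168.195.0/24 and the p2p ports
# 1776 and 2001 that appear in the page's seed list.
# Usage on a live node:  netstat -avWetn | audit_p2p_sockets

ZT_PREFIX="192.168.195."
P2P_PORTS="1776 2001"

# audit_p2p_sockets: reads netstat -avWetn output on stdin.
#   EXPOSED  a p2p listener bound to anything but the ZeroTier address
#   LEAK     an established p2p session whose peer is not on ZeroTier
# Exit status 1 when either is found, 0 otherwise; always prints the ZT peer count.
audit_p2p_sockets() {
    awk -v zt="$ZT_PREFIX" -v ports="$P2P_PORTS" '
    function host(a,  n) { n = match(a, /:[^:]*$/); return substr(a, 1, n - 1) }
    function port(a,  n) { n = match(a, /:[^:]*$/); return substr(a, n + 1) }
    function is_zt(ip)   { return index(ip, zt) == 1 }
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) p2p[p[i]] = 1; rc = 0; peers = 0 }
    $1 ~ /^tcp/ {
        lhost = host($4); lport = port($4); fhost = host($5); fport = port($5); state = $6
        if (state == "LISTEN" && (lport in p2p) && !is_zt(lhost)) {
            print "EXPOSED: p2p listener bound to " $4 " (expected the ztuzesm2fn address)"; rc = 1
        }
        if (state == "ESTABLISHED" && ((lport in p2p) || (fport in p2p))) {
            if (is_zt(fhost)) peers++
            else { print "LEAK: p2p session outside ZeroTier: " $4 " <-> " $5; rc = 1 }
        }
    }
    END { print "zerotier p2p peers: " peers; exit rc }'
}

# Constructed sample of a correctly walled node (not captured from a real server).
SAMPLE_NETSTAT_CLEAN='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
tcp        0      0 192.168.195.10:1776     0.0.0.0:*               LISTEN      0          31415
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          27182
tcp        0      0 127.0.0.1:8091          0.0.0.0:*               LISTEN      0          16180
tcp        0      0 192.168.195.10:1776     192.168.195.141:45210   ESTABLISHED 0          14142
tcp        0      0 192.168.195.10:38044    192.168.195.12:2001     ESTABLISHED 0          17320
udp        0      0 0.0.0.0:9993            0.0.0.0:*                           0          11111'

# Constructed sample of a node whose p2p-endpoint was left on 0.0.0.0 and which
# still has a public peer (203.0.113.7 is documentation address space).
SAMPLE_NETSTAT_LEAK='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
tcp        0      0 0.0.0.0:1776            0.0.0.0:*               LISTEN      0          31415
tcp        0      0 192.168.195.10:1776     192.168.195.141:45210   ESTABLISHED 0          14142
tcp        0      0 10.0.0.5:51234          203.0.113.7:1776        ESTABLISHED 0          99999'

# Demo: the clean sample passes, the leaking sample is rejected.
printf '%s\n' "$SAMPLE_NETSTAT_CLEAN" | audit_p2p_sockets
printf '%s\n' "$SAMPLE_NETSTAT_LEAK" | audit_p2p_sockets || echo "(demo) leak sample correctly rejected"
```

A LEAK on a node where the 1.4 rules are in place means traffic is getting out some way other than eth0 port 1776 (a second NIC, or ufw disabled during the 1.4b time-sync step and never re-enabled), so pair this check with ufw status verbose before publishing results to the spreadsheet.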
---------------------------------------------------------
# 5. Existing Witnesses disable old server or stop blurtd
---------------------------------------------------------
# Log into the terminal of your old witness server
# Disable blurtd
systemctl stop blurtd