Securing your Ethereum node RPC from hackers

Ethereum nodes expose a remote procedure call (RPC) interface to allow external applications to interact with the Ethereum blockchain. However, if not properly secured, this RPC interface can be exploited by attackers to steal funds and take control of the node. This article provides best practices for securing your Ethereum node’s RPC interface against unauthorized access.

Use a firewall

Configure a firewall like UFW or iptables on the server running your Ethereum node. Only open the ports necessary for operation, like port 30303 for peer discovery and port 8545 for RPC. Make sure to restrict access to the RPC port only from your IP address or trusted sources.

For example, to allow RPC connections only from your IP with UFW:

ufw allow from 192.168.1.10 to any port 8545

Don’t expose RPC to public internet

If possible, do not expose RPC to the public internet at all. Instead, tunnel RPC over a VPN connection or SSH tunnel from your local machine. This guarantees that only you have access.

If you must expose RPC, front it with a reverse proxy using authentication as described below. Never expose unlocked accounts via public RPC.

Use security measures on exposed RPC

If you must expose RPC to an untrusted network like the public internet, implement security measures:

Use HTTPS

Encrypt RPC traffic by fronting your node RPC with a reverse proxy like Nginx that supports HTTPS. Obtain a browser-trusted TLS (SSL) certificate from a certificate authority to enable HTTPS. This encrypts traffic in transit and protects against man-in-the-middle attacks.

Use authentication

Require authentication to access the RPC interface using HTTP basic authentication or JSON web tokens. Create a strong username and password that are passed with every RPC request. Configure your reverse proxy or RPC server to enforce authentication.

Rate limiting

Implement rate limiting in your reverse proxy to prevent brute force login attempts to your authentication mechanism. Limit concurrent connections and requests per minute as appropriate.
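The firewall rules from the "Use a firewall" section and the HTTPS, authentication and rate-limiting measures above, combined into one hardening script. This is an added example, not code from the original article. It assumes the node's RPC stays bound to 127.0.0.1:8545 so that only the Nginx proxy on port 443 is reachable from the network, a trusted client at 192.168.1.10, a hostname rpc.example.com, certificate paths under /etc/letsencrypt, and the htpasswd tool (from apache2-utils) for creating the basic-auth user; all of these are assumptions to adjust for your own setup.

```shell
#!/bin/sh
# Added example (not from the original article): firewall rules plus an Nginx
# reverse-proxy config that puts HTTPS, HTTP basic auth and rate limiting in
# front of a node whose RPC listens only on 127.0.0.1:8545.
# Assumed values: trusted client 192.168.1.10, hostname rpc.example.com,
# certificate paths under /etc/letsencrypt. Adjust before use.
set -eu

TRUSTED_IP="${TRUSTED_IP:-192.168.1.10}"
RPC_HOST="${RPC_HOST:-rpc.example.com}"

# Firewall: default deny inbound, allow p2p on 30303, allow the proxied RPC
# port 443 only from the trusted address, and never open 8545 itself.
apply_firewall() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow 30303/tcp
    ufw allow 30303/udp
    ufw allow from "$TRUSTED_IP" to any port 443 proto tcp
    ufw deny 8545/tcp
    ufw --force enable
}

# Render the Nginx server block to stdout so it can be reviewed before it is
# written to /etc/nginx/sites-available/ethrpc. Nginx variables are escaped
# with a backslash so the shell leaves them alone.
render_nginx_config() {
    cat <<EOF
# 10 requests/second per client IP with a burst of 20, and 5 concurrent
# connections per client, for the RPC endpoint.
limit_req_zone \$binary_remote_addr zone=ethrpc:10m rate=10r/s;
limit_conn_zone \$binary_remote_addr zone=ethrpc_conn:10m;

server {
    listen 443 ssl;
    server_name $RPC_HOST;

    ssl_certificate     /etc/letsencrypt/live/$RPC_HOST/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$RPC_HOST/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        auth_basic           "Ethereum RPC";
        auth_basic_user_file /etc/nginx/.htpasswd;
        limit_req zone=ethrpc burst=20 nodelay;
        limit_conn ethrpc_conn 5;
        proxy_pass http://127.0.0.1:8545;
        proxy_set_header Host \$host;
    }
}

# Plain HTTP only redirects to HTTPS; nothing is proxied over cleartext.
server {
    listen 80;
    server_name $RPC_HOST;
    return 301 https://\$host\$request_uri;
}
EOF
}

# Apply the firewall, install the config, create the basic-auth user and
# reload Nginx only if the config passes the syntax check.
main() {
    apply_firewall
    render_nginx_config > /etc/nginx/sites-available/ethrpc
    ln -sf /etc/nginx/sites-available/ethrpc /etc/nginx/sites-enabled/ethrpc
    htpasswd -c /etc/nginx/.htpasswd rpcuser   # prompts for a strong password
    nginx -t && systemctl reload nginx
}

# Run as "sh harden-rpc.sh apply" on the node host; without the argument the
# functions are only defined, which lets you inspect render_nginx_config first.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run `sh harden-rpc.sh apply` as root once the certificate is in place. The script never opens port 8545 to the network because the proxy is the only intended entry point; geth binds its HTTP RPC to 127.0.0.1 unless you override that with `--http.addr`, so keep the default. Clients then connect to https://rpc.example.com with the basic-auth credentials, and the `limit_req` and `limit_conn` zones throttle password guessing against that login.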

Disable dangerous RPC APIs

By default most Ethereum nodes enable dangerous RPC APIs such as the personal_ namespace, which can expose accounts and private keys if exploited. Audit the enabled APIs and disable any that are not absolutely necessary, especially the personal_, eth_, miner_, and admin_ methods.
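An audit script for the step above, added here as an example and not part of the original article. It calls the node's rpc_modules method (the standard call that lists enabled namespaces) and flags the enabled namespaces that control accounts or the node itself, so the check can run from cron or a deployment pipeline. RPC_URL and the sensitive-namespace list are assumptions; eth is deliberately left off that list because clients need it for normal use, so adjust the list to your own policy.

```shell
#!/bin/sh
# Added example (not from the original article): list the RPC namespaces a
# node actually exposes via the standard rpc_modules call and flag the
# sensitive ones. RPC_URL is an assumed value; point it at your own node.
set -eu

RPC_URL="${RPC_URL:-http://127.0.0.1:8545}"

# Namespaces that should not be reachable from an untrusted network
# (assumed policy: account management, node administration, mining, debug).
SENSITIVE_NAMESPACES="personal admin miner debug"

# Fetch the raw rpc_modules response body from the node (requires curl).
fetch_modules() {
    curl -sS -X POST -H 'Content-Type: application/json' \
        --data '{"jsonrpc":"2.0","id":1,"method":"rpc_modules","params":[]}' \
        "$RPC_URL"
}

# Extract namespace names, one per line, from a response such as
# {"jsonrpc":"2.0","id":1,"result":{"eth":"1.0","personal":"1.0"}}
# using only POSIX sh, sed and tr, so there is no jq dependency.
parse_modules() {
    sed -n 's/.*"result":{\([^}]*\)}.*/\1/p' |
        tr ',' '\n' |
        sed -n 's/^"\([A-Za-z0-9_]*\)":.*/\1/p'
}

# Read namespace names on stdin and print the ones on the sensitive list.
flag_sensitive() {
    while IFS= read -r ns; do
        for bad in $SENSITIVE_NAMESPACES; do
            if [ "$ns" = "$bad" ]; then
                echo "$ns"
            fi
        done
    done
}

# Audit a live node: exit status 1 when any sensitive namespace is enabled.
audit_node() {
    enabled=$(fetch_modules | parse_modules)
    echo "enabled namespaces: $(echo "$enabled" | tr '\n' ' ')"
    flagged=$(echo "$enabled" | flag_sensitive)
    if [ -n "$flagged" ]; then
        echo "WARNING: sensitive namespaces exposed: $(echo "$flagged" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "OK: no sensitive namespaces enabled"
}

# Run as "sh rpc-audit.sh audit"; without the argument only the functions
# are defined, so the parsing can be exercised on a saved response.
if [ "${1:-}" = "audit" ]; then
    audit_node
fi
```

Run it against the node itself (`RPC_URL=http://127.0.0.1:8545 sh rpc-audit.sh audit`) and again through the public endpoint, since the namespaces reachable from outside are the ones that matter. With geth the exposed set is controlled by the `--http.api` flag; keeping it to `eth,net,web3` is the usual way to make this check pass.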

Wallet security best practices

Your node wallet contains the keys to any accounts created by that node. Be sure to follow general account security best practices:

Use a hardware wallet

For significant holdings, use a hardware wallet like a Ledger or Trezor to store keys instead of software wallets. Hardware wallets offer excellent security against malware and server exploits attempting to steal keys.

Encrypt keystore files

If using a software wallet, enable encryption on keystore files using strong passphrases. This prevents an attacker from exporting unencrypted private keys if they gain access to the filesystem.

Don’t share password or keys

Never share your account password or private keys with anyone. Private keys should remain on the node used to create the account.

By taking the proper precautions, you can expose your Ethereum node RPC to other devices securely. Always follow the principle of least privilege – limit access strictly to trusted sources and disable unnecessary functionality.
