We had a user report in that a lot of nodes that are out there are running with port 14002 open to the public. And that allows someone from the outside to monitor that node’s performance as well as possibly impacting it in some way, such as a DoS type attack. Suggest that node operators check to make sure they are not leaving open unnecessary ports to the public which can impact their node’s privacy and performance. No data is at risk here, but it’s best to keep things tidy.
I’d say it’s doubtful that people who actually read this announcement do have open ports. There might be a few but personally I think the majority just set up the node at some point in the past and “forgot” about it and certainly don’t follow forum posts. Maybe if you’d send an email to all SNOs you might be able to reach more of them.
Basic authentication against what? If you update nodes, what password are people supposed to enter? Their wallet address might work?
But yeah, the easiest way to protect those people you can’t reach would be to implement some authentication.
But every type of authentication presents attack vectors you have to think about, which is a rather unnecessary effort for something that was only supposed to be reachable from the local LAN.
Mine are open because I like to keep an eye on them when I’m out and about.
Other than the privacy consideration, is there any significant security issue with making that information public? Can an attack be mounted on my wallet just by making its address public?
The person reporting the issue provided a list of about 200 nodes that were publicly accessible and provided the list. Now, while we control the information shared publicly on this forum, if that person (Or other persons) decide to share that list with people outside this forum, your node may be on a list that is shared with people who may be interested in not only seeing how your node is performing, and how much your earnings are, and your wallet address, but also creating additional traffic for your node.
It’s not critical. We recommend you don’t expose ports to the public. I’m not going to cross reference an IP list against a node contact list and send emails to node operators. Having this port opened publicly is their choice, and I think you pretty much have to make a conscious decision to open that port publicly in your router/firewall to expose it. What I’m saying is that people are aware of your node and are actively connecting to it, and examining your stats and sharing it with others. If you’re fine with that, that’s cool. Some may not be.
Well, whether the list is available in the forum or not, it’s not difficult to obtain it as you just need to scan an IP range for the port response.
And some of your arguments are not valid in my opinion:
I don’t need the dashboard port for that. Every node has an open port for storj data. And with that port I could attack any node, dashboard accessible or not.
(But it is a lot easier to do a DDoS attack on the dashboard port as the API is quite heavy and too many requests might kill your device).
That’s not what I was asking. You could just send out an email to all SNOs, just as you posted a warning on the forum.
Problem is, people don’t actually listen to the warning and think it’s OK to open an insecure web server to the public. I can tell you one thing: once someone wants to take down people on the Storj network, the people who expose the dashboard will get it firsthand.
Kevin, I’m not here to argue your points. It is an informational message to the SNOs about leaving the port open and that malicious actors may be taking advantage of it. If you’re not concerned about it, that’s fine. Some may be. I’ve noted the rest of your concerns.
If you are running a local node, easy: close the 14002… ports and still have access to your dashboard locally via 192.168.X.X.
If you are running a remote node you already have all your tools to access that node: PuTTY/SSH (or similar). PuTTY indeed can forward ports once the SSH tunnel is set.
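The advice in the two posts above (keep 14002 off the public side, reach the dashboard locally or through an SSH tunnel) turned into a small defender-side check. This is an added example, not code from the thread or from Storj: it assumes a Linux host where the storagenode dashboard listens on 14002 and `ss -ltn` is available, the `ss` output tables are constructed sample data, 28967 is assumed to be the node's default data port, and the Docker `-p 127.0.0.1:...` hint assumes the node runs as the Storj Docker container. The check only sees how the port is bound on the host; whether the router also forwards it is the second half of the check and is not visible from here.

```shell
#!/bin/sh
# Added example (not from the thread): classify how the storagenode dashboard
# port is bound on this host, from `ss -ltn`-style listener lines, and print
# the mitigation the thread suggests for each situation.

DASHBOARD_PORT=14002   # the storagenode web dashboard port discussed in the thread

# classify_listen "<ss -ltn output>" -> prints one of: public | local | closed
#   public : a listener on the port is bound to a wildcard address (0.0.0.0, [::], *),
#            so it is reachable from every interface; if the router forwards the
#            port as well, it is on the internet
#   local  : the port is bound only to loopback (127.0.0.1 / [::1])
#   closed : nothing listens on the port at all
classify_listen() {
    listeners=$(printf '%s\n' "$1" | awk -v port="$DASHBOARD_PORT" '
        NR > 1 {                          # skip the ss header line
            addr = $4                     # "Local Address:Port" column
            n = split(addr, parts, ":")   # the port is always the last field
            if (parts[n] == port) {
                sub(":" port "$", "", addr)   # strip the port, keep the address
                print addr
            }
        }')
    if [ -z "$listeners" ]; then
        echo closed
        return 0
    fi
    if printf '%s\n' "$listeners" | grep -Eq '^(0\.0\.0\.0|\[::\]|\*)$'; then
        echo public
    else
        echo local
    fi
}

# remediation_hint <class> -> the fix the thread recommends for that class
remediation_hint() {
    case "$1" in
        public)
            echo "  - do not forward port ${DASHBOARD_PORT} on the router/firewall; keep it LAN-only"
            echo "  - or bind it to loopback (Docker, assumed: -p 127.0.0.1:${DASHBOARD_PORT}:${DASHBOARD_PORT})"
            echo "    and reach it remotely with: ssh -L ${DASHBOARD_PORT}:127.0.0.1:${DASHBOARD_PORT} user@node-host"
            ;;
        local)  echo "  - reachable only from the host itself; use the SSH tunnel from elsewhere" ;;
        closed) echo "  - no dashboard listener on port ${DASHBOARD_PORT}" ;;
    esac
}

# Constructed sample listener tables, one per situation (28967 = assumed data port).
SAMPLE_PUBLIC='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:14002       0.0.0.0:*
LISTEN 0      4096   0.0.0.0:28967       0.0.0.0:*'
SAMPLE_LOCAL='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:14002     0.0.0.0:*
LISTEN 0      4096   [::]:28967          [::]:*'
SAMPLE_CLOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:28967       0.0.0.0:*'

# Stand-alone run over the samples; on a real node replace a sample with "$(ss -ltn)".
for sample in "$SAMPLE_PUBLIC" "$SAMPLE_LOCAL" "$SAMPLE_CLOSED"; do
    cls=$(classify_listen "$sample")
    echo "dashboard port ${DASHBOARD_PORT}: ${cls}"
    remediation_hint "$cls"
done
```

On a live node run `classify_listen "$(ss -ltn)"`; a `local` result still leaves the data port (28967 in the samples) open, which is what the node needs, while `public` means the dashboard API is one router forward away from the list-scanning described later in the thread.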
What? I’m happy to open a port on 14002 that says I earn $20,000,000 a month. Isn’t true, but I could very easily. That’s a stupid argument.
There has been talk of allowing the dashboard to control things like opting in to zkSync. I think the post with a lot of IP addresses open to the world is proof this shouldn’t really happen and I’d be against it (without some kind of auth). Some people don’t understand what they’re sharing.
Great but how do you fake an IP to show a fake income?
Apparently you’re answering a censored message; hopefully you still received the answer in your mailbox.
I kept all my earnings since the beginning and the STORJ token went from $.11 to $2 not because of any progress in the Storj platform but because the computer traders found it a good target.
Some platforms, when they censor a message, have at least the politeness to send the sender an email explaining the reasons. Apparently not on this platform.
For some reason my answer could not be delivered, but it was:
Thanks for answering my concerns.
When a potential customer sees you are charging him $7/TB while suppliers are paid $20/TB, what do you think they expect of the company’s future?
I don’t think I’m bad-mouthing the platform, but just expressing basic concerns about a system which doesn’t disclose anything about its customer base, test data or SNO profit.
I made a $10k profit on your system, at least $9k after investments, definitely not something against you. I would love to have some more transparency on the system operation; we are in the same boat, I’m part of your network.
I don’t see any problem if you reduce the egress fee; it’s free for most of us and if you lower the fee the traffic will increase. But storage is not: we need HDDs to store it and HDDs are an investment.
It’s fairly common for startups to lose money during their first years for onboarding customers. And every potential customer that looks that closely will also see that Storj has lots of tokens locked up that can be used to pay SNOs.
You don’t fake an IP, you create a web service on port 14002 on your own IP saying whatever you like. Basically whether port 14002 points at a real node dashboard or a fake one with made up data would be hard to determine. So I wouldn’t trust anything.