CHILLYCALENDAR2's Posts

Lessons learned security tips for those of you who have existing Bitcoin related domains and are setting up a new BTCPay Server instance

Posted 3 months ago

Hi Everyone,

Over the last few days I have been setting up a new BTCPay Server instance for use as a development test box.  It took a few days before my ISP had fully provisioned my new IP Address for this.  I spent the time setting up the new BTCPay Server instance from the command line, configuring my routers NAT settings etc but I couldn't access the https web interface until my new ip address went live.

I noticed when I woke up this morning that the new ip address went live overnight and the server was publicly accessible but I had not yet registered myself on it as an admin in the user interface (because I couldn't access the web interface for the registration process until such time as the new ip address went live and the server was accessible from the internet via the ANAME record I created on my webhost).

In the short time that the new BTCPay Server instance was publicly accessible somebody else registered the admin account on it

On the BTCPay website there is this (emphasis mine):

https://docs.btcpayserver.org/FAQ/Deployment/#how-much-does-it-cost-to-run-btcpay-server

"After initial deployment, I can't register and I don't have a login yet?
When you deploy your BTCPay Server, you should first register a user (during server synchronization). This user is automatically the server admin. If your BTCPay only shows Login in the header menu, and you are unable to register the first user after initial deployment, someone else has registered on your server as the admin. Although this is unlikely to occur (the user would need to know and watch your BTCPay domain name), they had access to your ssh private keys, thus you should redeploy a new server for security reasons"

I have of course for security reasons deleted the new test box BTCPay instance and set BTCPay up again from scratch.  The Linux box itself was not compromised.

Lessons learned:

1. Don't set your newly provisioned IP address that points to your new BTCPay Server box in your routers NAT settings as live until such time as you're certain your ISP has provisioned the new address and it's ready to go at their end (and you're awake and working).

2. There are people out there on the internet who are watching BTCPay Server (and likely other's like Umbrel etc) related domains.  Likely they have scripts running checking for new BTCPay Server instances.  When they find one they pounce and register an admin account before you get the chance to register the account.

I hope these lessons learned may be beneficial for others setting up BTCPay Server instances in particular.

Best Regards,

Clarke

Clarke Towson, BCMS (Bachelor of Computer & Mathematical Science)
CEO
INTJ Billing

m: +61 432 359 166
a: 7 Cullen Court Spotswood Victoria 3015 AUSTRALIA
 
Bitcoin Lightning Network Node Name: CHILLYCALENDAR 
Node Public Key: 025124c73ef7ecf527e0114ead02a0cc6e3ecbc0c99474ee3f5506c4503b089693 
 



I'm working on building up capacity on this my secondary node CHILLYCALENDAR2

Posted 3 months ago

Hi Everyone,

Just a quick note to let you all know that it's my intention to build up more capacity and open channels on this my secondary lightning node CHILLYCALENDAR2. 

My primary node CHILLYCALENDAR I have worked over the past 6 months to build up capacity on and I think I have enough open channels on that node.  I still have a lot of pool credits available on that node but I'm not actively seeking any more channels on it at the moment.  I'm very proud that with your help we have built it into Australia's third highest ranked node in terms of capacity: https://1ml.com/location/au 

Please if you're interested in my liquidity credits on CHILLYCALENDAR2 please create opening requests to this node and I will approve them.  I seek channels between 1 to 5 million sats.  I will participate in more liquidity swaps as well from this secondary node.

I have 3 nodes in total.  My primary node which is  CHILLYCALENDAR, my secondary node which is  CHILLYCALENDAR2 and a tertiary node which will go live online next week which will serve as a development/test node.  All major changes/updates, tests etc will be performed on the tertiary node before being rolled out to my secondary and then my primary node.

My overarching goal is to be able to provide 2 lightning network nodes for increased resilience, excellent uptime and system availability and to continue running my digital exchange and remittance business in Australia and Thailand. 

Best Regards,

Clarke

Clarke Towson, BCMS (Bachelor of Computer & Mathematical Science)
CEO
INTJ Billing

m: +61 432 359 166
a: 7 Cullen Court Spotswood Victoria 3015 AUSTRALIA
 
Bitcoin Lightning Network Node Name: CHILLYCALENDAR 
Node Public Key: 025124c73ef7ecf527e0114ead02a0cc6e3ecbc0c99474ee3f5506c4503b089693 
 
Lightning Network Node
CHILLYCALENDAR2
Capacity: 69,798,451 SAT
Channels: 27