aboutsummaryrefslogtreecommitdiff
path: root/src/rpc.cpp
diff options
context:
space:
mode:
authorGregory Maxwell <greg@xiph.org>2012-02-05 02:30:43 -0500
committerLuke Dashjr <luke-jr+git@utopios.org>2012-02-07 22:21:13 -0500
commitcac23a5a0b7dc993ea1fb1513159db0af994d0ff (patch)
treeb10ffecae99f339e9f556a69c4a23e5287afd470 /src/rpc.cpp
parentc11e2b8679e13f739a58faf2a3439d4aaed24364 (diff)
Have bitcoind recommend a secure RPC password. Increase invalid password delay.
Help users avoid insecure configurations a bit by recommending a secure RPC password and increasing the incorrect password delay. This may open up a RPC DOS for users with exposed RPC ports and short passwords. Since users shouldn't have exposed RPC ports OR short passwords, the DOS risk is preferable to the compromise risk. Also logs the client IP address for incorrect attempts.
Diffstat (limited to 'src/rpc.cpp')
-rw-r--r--src/rpc.cpp21
1 files changed, 15 insertions, 6 deletions
diff --git a/src/rpc.cpp b/src/rpc.cpp
index a936edbbe4..a703334d6b 100644
--- a/src/rpc.cpp
+++ b/src/rpc.cpp
@@ -2008,16 +2008,23 @@ void ThreadRPCServer2(void* parg)
if (mapArgs["-rpcuser"] == "" && mapArgs["-rpcpassword"] == "")
{
+ unsigned char rand_pwd[32];
+ RAND_bytes(rand_pwd, 32);
string strWhatAmI = "To use bitcoind";
if (mapArgs.count("-server"))
strWhatAmI = strprintf(_("To use the %s option"), "\"-server\"");
else if (mapArgs.count("-daemon"))
strWhatAmI = strprintf(_("To use the %s option"), "\"-daemon\"");
PrintConsole(
- _("Warning: %s, you must set rpcpassword=<password>\nin the configuration file: %s\n"
+ _("Warning: %s, you must set a rpcpassword in the configuration file:\n %s\n"
+ "It is recommended you use the following random password:\n"
+ "rpcuser=bitcoinrpc\n"
+ "rpcpassword=%s\n"
+ "(you do not need to remember this password)\n"
"If the file does not exist, create it with owner-readable-only file permissions.\n"),
strWhatAmI.c_str(),
- GetConfigFile().c_str());
+ GetConfigFile().c_str(),
+ EncodeBase58(&rand_pwd[0],&rand_pwd[0]+32).c_str());
CreateThread(Shutdown, NULL);
return;
}
@@ -2104,12 +2111,14 @@ void ThreadRPCServer2(void* parg)
}
if (!HTTPAuthorized(mapHeaders))
{
- // Deter brute-forcing short passwords
- if (mapArgs["-rpcpassword"].size() < 15)
- Sleep(50);
+ printf("ThreadRPCServer incorrect password attempt from %s\n",peer.address().to_string().c_str());
+ /* Deter brute-forcing short passwords.
+ If this results in a DOS the user really
+ shouldn't have their RPC port exposed.*/
+ if (mapArgs["-rpcpassword"].size() < 20)
+ Sleep(250);
stream << HTTPReply(401, "") << std::flush;
- printf("ThreadRPCServer incorrect password attempt\n");
continue;
}