Btcd's default for rpc listening is insecure

[arnuschky]

Currently, btcd listens to all interfaces once rpc is enabled. This is potentially insecure. I would propose 127.0.0.1 as a sensible default, similar to the behavior of Bitcoin Core.

If not, this important difference must be specified in #208

[davecgh]

This is not accurate. If there is no rpcuser or rpcpass specified, the RPC server is not enabled at all. Once those are specified, the RPC only listens on localhost for IPv4 and IPv6.

Are you sure you're not seeing the Bitcoin peer server output message and thinking that is the RPC server?

Here is the output with no configuration file at all:

$ ./btcd
16:41:57 2015-01-11 [WRN] BTCD: open /home/davec/btcd/btcd.conf: The system cannot find the file specified.
16:41:57 2015-01-11 [INF] BTCD: Version 0.9.0-beta
16:41:57 2015-01-11 [INF] BTCD: Loading block database from '/home/davec/btcd/data/mainnet/blocks_leveldb'
16:41:57 2015-01-11 [INF] BTCD: Block database loaded with block height 0
16:41:57 2015-01-11 [INF] BMGR: Generating initial block node index. This may take a while...
16:41:57 2015-01-11 [INF] BMGR: Block index generation complete
16:41:57 2015-01-11 [INF] SRVR: Server listening on [::]:8333
16:41:57 2015-01-11 [INF] SRVR: Server listening on 0.0.0.0:8333

Note those last two lines are the Bitcoin peer server, not the RPC server. The RPC server is not running at all here because the rpcuser and rpcpass are not specified. Now, let's specify them (ordinarily you would do this in your config file and NOT on the command line, but doing it here to illustrate):

$ ./btcd --rpcuser=arnuschky --rpcpass=somedecentpassword
16:47:23 2015-01-11 [WRN] BTCD: open /home/davec/btcd/btcd.conf: The system cannot find the file specified.
16:47:23 2015-01-11 [INF] BTCD: Version 0.9.0-beta
16:47:23 2015-01-11 [INF] BTCD: Loading block database from '/home/davec/btcd/data/mainnet/blocks_leveldb'
16:47:23 2015-01-11 [INF] BTCD: Block database loaded with block height 0
16:47:23 2015-01-11 [INF] BMGR: Generating initial block node index. This may take a while...
16:47:23 2015-01-11 [INF] BMGR: Block index generation complete
16:47:23 2015-01-11 [INF] SRVR: Server listening on 0.0.0.0:8333
16:47:23 2015-01-11 [INF] SRVR: Server listening on [::]:8333
16:47:23 2015-01-11 [INF] RPCS: RPC server listening on [::1]:8334
16:47:23 2015-01-11 [INF] RPCS: RPC server listening on 127.0.0.1:8334

As you can see, the RPC server is only listening on localhost IPv4 and IPv6.

[davecgh]

I just looked at the sample config file and noticed the comment in there is wrong. Is that what you are referring to? It actually does only listen on localhost by default.

[arnuschky]

Yes, exactly. Sorry, I thought that I observed this on the daemon and tried to verify in the docs. This issue then only concerns https://github.com/conformal/btcd/blob/master/sample-btcd.conf#L160

[davecgh]

The documentation has been updated by pull request #220.