Wallet as daemon, what's the security-concern about "rpcallowip"?

0

When running (btc-/ltc-/whatever) wallet as daemon, I have to set "rpcuser" and "rpcpassword".

There is the option "rpcallowip"; it is recommended to have this value very strict, e.g. "127.0.0.1".

I cannot see any danger setting this value to "*.*.*.*" - if anyone guesses my server and credentials, he/she is welcome to mine for my wallet.

So, is there any danger opening rpcallowip?

Markus Schulte

Posted 2014-01-29T10:39:06.203

Reputation: 111

I'm not sure if the * is allowed, but as a general rule it would seem that the danger is in the scope of the RPC and what it can do. – T9b 2014-01-29T13:02:38.343

* (Wildcard) is allowed, I tested suggested setup. Common use case for wildcard is 192.168.0.*, but *.*.*.* works, too. – Markus Schulte 2014-01-29T14:14:45.507

Answers

3

> if anyone guesses my server and credentials, he/she is welcome to mine for my wallet.

He/she can also call all other RPC commands. For example, sendtoaddress. So, if your wallet is unlocked you can lose your coins.

qehgt

Posted 2014-01-29T10:39:06.203

Reputation: 161

Of course, that is right. – Markus Schulte 2014-01-30T08:57:03.763
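To make the exposure discussed in this thread checkable, here is an added example (not code from the posters or from any wallet project) that reads a daemon config and rates each "rpcallowip" entry by how many source addresses it lets reach the RPC port. The function names and the sample config are constructed for illustration; it assumes wildcards replace whole trailing octets, and it also accepts single-IP and network/netmask values, which goes beyond the wildcard form tested in the thread.

```python
import ipaddress

# RFC 1918 ranges: not internet-routable, but still wider than "this host only".
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample configuration (placeholder values, not from the page).
SAMPLE_CONF = """\
rpcuser=exampleuser
rpcpassword=example-only-password
rpcallowip=127.0.0.1      # loopback only
rpcallowip=192.168.0.*    # LAN wildcard
rpcallowip=*.*.*.*        # everything
"""

def allow_to_network(value):
    """Turn an rpcallowip value (wildcard, single IP, or net/mask) into a network."""
    if "*" in value:
        parts = value.split(".")
        fixed = []
        for part in parts:
            if part == "*":
                break
            fixed.append(part)
        if len(parts) > 4 or any(p != "*" for p in parts[len(fixed):]):
            raise ValueError("wildcard must cover trailing octets: " + value)
        value = "%s/%d" % (".".join(fixed + ["0"] * (4 - len(fixed))), 8 * len(fixed))
    return ipaddress.ip_network(value, strict=False)

def audit_rpcallowip(conf_text):
    """Return [(value, severity, address_count)] for every rpcallowip line."""
    findings = []
    for raw in conf_text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if not sep or key.strip() != "rpcallowip":
            continue
        value = value.strip()
        try:
            net = allow_to_network(value)
        except ValueError:
            findings.append((value, "unparsed", None))  # review by hand
            continue
        if net.is_loopback:
            severity = "ok"      # only processes on the same host can connect
        elif net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_NETS):
            severity = "warn"    # any LAN host may try the credentials
        else:
            severity = "high"    # credentials are the only barrier to sendtoaddress
        findings.append((value, severity, net.num_addresses))
    return findings
```

Calling `audit_rpcallowip(SAMPLE_CONF)` rates the three sample entries as "ok", "warn" and "high" respectively.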