● Over 1,100 listening nodes have open RPC ports: It was recently mentioned in the #bitcoin-core-dev IRC chatroom that many Bitcoin nodes on the network had their RPC port open. Optech investigated and found that about 1,100 of the 8,400 listening nodes with an IPv4 address did indeed have port 8332 open (13.2%).

This may indicate that many node operators are unaware that RPC communication over the Internet is completely insecure by default and exposes your node to multiple attacks that could cost you money even if you’ve disabled the wallet on your node. RPC communication is not encrypted, so any eavesdropper observing even a single request to your server can steal your authentication credentials and use them to run commands that empty your wallet (if you have one), trick your node into using a fork of the block chain with almost no proof-of-work security, overwrite arbitrary files on your filesystem, or do other damage. Even if you never connect to your node over the Internet, having an open RPC port carries a risk that an attacker will guess your login credentials.

By default, nodes do not accept connections to RPC from any other computer—you have to enable a configuration option to allow RPC connections. To determine whether you’ve enabled this feature, check your Bitcoin configuration file and startup parameters for the rpcallowip parameter. If this option is present, you should remove it and restart your node unless you have a good reason to believe all RPC connections to your node are encrypted or are exclusive to a trusted private network. If you want to test your node remotely for an open RPC port, you can run the following nmap command after replacing ADDRESS with the IP address of your node:

nmap -Pn -p 8332 ADDRESS

If the result in the state field is “open”, you should follow the instructions above to remove the rpcallowip parameter. If the result is either “closed” or “filtered”, your node is safe unless you’ve set a custom RPC port or otherwise have enabled a customized configuration.
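To turn the two checks above into something repeatable, here is an added shell example (not code from Optech or Bitcoin Core) that flags an active rpcallowip line in a bitcoin.conf and reduces the nmap output to the state word the text tells you to look for; it assumes the default port 8332 unless another port is passed, and the sample config and nmap output inside it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Optech newsletter or Bitcoin Core: audit a
# bitcoin.conf for an active rpcallowip line and classify the nmap probe result.
# Assumes the default RPC port 8332 unless another port is passed.

# Print active (uncommented) rpcallowip lines from the file(s) given, or from
# stdin when no file is given. Exit status 0 if at least one is found.
active_rpcallowip() {
  grep -E '^[[:space:]]*rpcallowip[[:space:]]*=' "$@"
}

# One-word verdict on a config: "rpcallowip-present" means remove the option
# (per the advice above) unless RPC is confined to a trusted private network.
audit_conf() {
  if active_rpcallowip "$@" >/dev/null 2>&1; then
    echo "rpcallowip-present"
  else
    echo "rpcallowip-absent"
  fi
}

# Reduce nmap output on stdin to the STATE column for the port: open, closed,
# filtered, or unknown when the port line is missing (host down, nmap error).
classify_nmap_output() {
  awk -v p="${1:-8332}/tcp" '$1 == p { print $2; found = 1 }
                              END { if (!found) print "unknown" }'
}

# Probe a node the way the newsletter suggests and print the one-word verdict.
check_rpc_port() {
  nmap -Pn -p "${2:-8332}" "$1" 2>/dev/null | classify_nmap_output "${2:-8332}"
}

# Constructed sample config: the commented line is inactive, the next is not.
SAMPLE_CONF='server=1
# rpcallowip=10.0.0.0/8
rpcallowip=0.0.0.0/0
rpcbind=0.0.0.0'

# Constructed nmap output, shaped like a real "open" result for port 8332.
SAMPLE_NMAP='PORT     STATE SERVICE
8332/tcp open  unknown'

printf '%s\n' "$SAMPLE_CONF" | audit_conf           # prints rpcallowip-present
printf '%s\n' "$SAMPLE_NMAP" | classify_nmap_output  # prints open
# Real use: audit_conf "$HOME/.bitcoin/bitcoin.conf"; check_rpc_port ADDRESS
```

A "filtered" or "closed" verdict only means the default port is not reachable; if you run RPC on a custom port, pass it as the second argument to check_rpc_port.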

A PR has been opened to Bitcoin Core to make it harder for users to configure their node this way and to print additional warnings about enabling such behavior.