How to set up ec2 t1.micro Ubuntu for Masternode part 2/3

mattmct

Thanks for all your help @chaeplin !!
I think it's up and running now!
Balance is 1000DRK
Master node count is 14

But I don't see my nodes IP on the list. Maybe it takes a while?
 

mattmct

Boom! There it goes! I'm on the list!

Thanks so much chaeplin!! Excellent guide and thanks for all the help along the way!
 

chaeplin

> Why is port 9998 rejected but every other port opened?

Public internet open ports are handled by EC2 Security Groups.
(ssh to specific address, 9999 to anywhere, and deny all input)

I don't know how EC2 handles internal traffic, so deny all 9998 from outside (rpc port).
 

dime

> Public internet open ports are handled by EC2 Security Groups.
> (ssh to specific address, 9999 to anywhere, and deny all input)
>
> I don't know how EC2 handles internal traffic, so deny all 9998 from outside (rpc port).

I don't understand what you just said. Are you saying you didn't write these iptables rules?

These are your inputs:
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
These look okay. They accept on port 9999 but reject more than 2 connections from the same IP and more than 8 connections from the same class C network on port 9999. Your TCP flags are a bit funny. I don't think they'd be needed, but whatever.

-A INPUT -i eth0 -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
What is this line? Why is there a line for port 9998?

-A INPUT -i eth0 -p tcp -j ACCEPT
Why this line? Why are you accepting all other traffic?



Similarly, with the outbound traffic
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
Lines 1-3 are redundant when the last line already accepts all outbound traffic.
 

chaeplin

> I don't understand what you just said. Are you saying you didn't write these iptables rules?
> ~
> -A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
> -A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
> -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
>
> These look okay. They accept on port 9999 but reject more than 2 connections from the same IP and more than 8 connections from the same class C network on port 9999. Your TCP flags are a bit funny. I don't think they'd be needed, but whatever.

--tcp-flags FIN,SYN,RST,ACK SYN is equal to --syn.
--syn is converted to "--tcp-flags FIN,SYN,RST,ACK SYN" by iptables.

Code:
       [!] --tcp-flags mask comp
              Match when the TCP flags are as specified. The first argument mask is the flags which we should examine, written as a comma-separated list, and the second argument comp is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command
              iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
              will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.

       [!] --syn
              Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN. If the "!" flag precedes the "--syn", the sense of the option is inverted.

> -A INPUT -i eth0 -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
> What is this line? Why is there a line for port 9998?

Reject any connection to 9998. 9998 is the darkcoind rpcport.
If there is a misconfiguration in darkcoin.conf, it will be needed.
The Security Group will deny it, but I want to make sure.

> -A INPUT -i eth0 -p tcp -j ACCEPT
> Why this line? Why are you accepting all other traffic?

To check input traffic.

> Similarly, with the outbound traffic
> -A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -m conntrack --ctstate NEW -j ACCEPT
> -A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -j ACCEPT
> -A OUTPUT -o eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
> -A OUTPUT -o eth0 -j ACCEPT
> Lines 1-3 are redundant when the last line already accepts all outbound traffic.

Check outbound 9999 syn, established outbound, other traffic.

> I don't understand what you just said. Are you saying you didn't write these iptables rules?

I wrote the iptables rules.

You asked me "Why is port 9998 rejected but every other port opened?"

Read https://www.darkcointalk.org/threads/how-to-set-up-ec2-t1-micro-ubuntu-for-masternode-part-1-3.240/
 

dime

Ahhh, I see.. 9998 is the rpc port.

Those lines are also redundant then, as the security group should block it.

You should specify in your guide that your iptables rules are only for people using this in amazon instances with a port filter. From reading just the iptables rules and without coupling a port filter provided by amazon, they don't make sense and are insecure.

If someone else were to create a vm on some other provider, and only used the steps in the second half, they would have all ports opened by those rules.
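
The point raised in the post above can be checked mechanically. This is an added example, not part of any post in the thread: a first-match evaluator over the INPUT chain posted in the guide, compared with a constructed default-deny variant. The allowed SSH address 203.0.113.10, the default source address, and the simplified connlimit model (`ip_conns` / `net_conns` count the new connection too) are assumptions.

```python
import ipaddress
import shlex

# INPUT chain as posted in the thread (iptables-save format).
THREAD_RULES = """\
*filter
:INPUT ACCEPT [1038:145425]
-A INPUT -i eth0 -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
-A INPUT -i eth0 -p tcp -j ACCEPT
COMMIT
"""

# Constructed variant (assumption, not from the guide): default DROP, and the
# catch-all ACCEPT replaced by loopback, reply traffic and SSH from one address.
HARDENED = THREAD_RULES.replace(":INPUT ACCEPT", ":INPUT DROP").replace(
    "-A INPUT -i eth0 -p tcp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT\n"
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n"
    "-A INPUT -s 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT")

ARGC = {"--tcp-flags": 2, "--connlimit-saddr": 0}  # every other option takes 1

def parse(ruleset):
    """Return (INPUT policy, list of {option: [args]}) from iptables-save text."""
    policy, rules = "ACCEPT", []
    for line in ruleset.splitlines():
        if line.startswith(":INPUT"):
            policy = line.split()[1]
        elif line.startswith("-A INPUT"):
            tok, opts, i = shlex.split(line)[2:], {}, 0
            while i < len(tok):
                n = ARGC.get(tok[i], 1)
                opts[tok[i]] = tok[i + 1:i + 1 + n]
                i += 1 + n
            rules.append(opts)
    return policy, rules

def verdict(ruleset, dport, src="198.51.100.7", ip_conns=1, net_conns=1):
    """First-match result for a NEW TCP SYN arriving on eth0 from src.
    ip_conns / net_conns: connections from the source /32 and /24 (assumed)."""
    policy, rules = parse(ruleset)
    for o in rules:
        if "--tcp-flags" in o:  # the packet carries only SYN
            mask, comp = (set(a.split(",")) for a in o["--tcp-flags"])
            if ({"SYN"} & mask) != comp:
                continue
        if "--connlimit-above" in o:
            seen = ip_conns if o["--connlimit-mask"] == ["32"] else net_conns
            if seen <= int(o["--connlimit-above"][0]):
                continue
        if (o.get("-i", ["eth0"]) == ["eth0"] and o.get("-p", ["tcp"]) == ["tcp"]
                and o.get("--dport", [str(dport)]) == [str(dport)]
                and "NEW" in o.get("--ctstate", ["NEW"])[0].split(",")
                and ipaddress.ip_address(src) in ipaddress.ip_network(o.get("-s", ["0.0.0.0/0"])[0])):
            return o["-j"][0]
    return policy
```

With the thread's chain, `verdict(THREAD_RULES, 22)` returns `ACCEPT` through the catch-all rule, so every port except 9998 depends entirely on the security group. With the constructed variant the same call returns `DROP` unless `src` is the allowed address.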
 

zuperdoge

chaeplin, everything looks to be working fine, but I noticed a message that occurs in the debug.log often and was curious if this is normal:

Code:
2014-04-15 00:51:30 ProcessMessage(dsee, 67 bytes) FAILED
UPDATE:
This appears to happen after an IP is deemed invalid. So it does look like things are working as intended. :)

Code:
2014-04-15 01:49:20 accepted connection 199.188.203.26:54677
2014-04-15 01:49:20 partner 199.188.203.26:54677 using obsolete version 60011; disconnecting
2014-04-15 01:49:20 ProcessMessage(version, 106 bytes) FAILED
2014-04-15 01:49:20 disconnecting node 199.188.203.26:54677
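
The debug.log lines in the post above have a regular shape, so they can be tallied per peer. This is an added example, not from the thread: it tracks concurrent inbound connections per source address against the guide's per-address connlimit threshold of 2, and groups the obsolete-version and `ProcessMessage ... FAILED` lines. The sample log is constructed (documentation addresses), and treating `accepted connection` / `disconnecting node` as open/close events is an assumption about the log format.

```python
import re
from collections import Counter

# Constructed sample in the format of the debug.log lines quoted in the thread.
SAMPLE_LOG = """\
2014-04-15 01:49:20 accepted connection 203.0.113.5:54677
2014-04-15 01:49:20 partner 203.0.113.5:54677 using obsolete version 60011; disconnecting
2014-04-15 01:49:20 ProcessMessage(version, 106 bytes) FAILED
2014-04-15 01:49:20 disconnecting node 203.0.113.5:54677
2014-04-15 01:49:25 accepted connection 198.51.100.9:40001
2014-04-15 01:49:26 accepted connection 198.51.100.9:40002
2014-04-15 01:49:27 accepted connection 198.51.100.9:40003
2014-04-15 01:49:30 ProcessMessage(dsee, 67 bytes) FAILED
2014-04-15 01:49:31 disconnecting node 198.51.100.9:40001
"""

EVENT = re.compile(
    r"^\S+ \S+ (accepted connection|disconnecting node|partner) "
    r"(\d+\.\d+\.\d+\.\d+):\d+(.*)$")
FAILED = re.compile(r"ProcessMessage\((\w+), \d+ bytes\) FAILED")

def summarize(log, per_ip_limit=2):
    """Tally peers from debug.log text.

    per_ip_limit mirrors the guide's '--connlimit-above 2 --connlimit-mask 32'.
    Returns addresses whose peak concurrent connections exceeded the limit,
    obsolete-version disconnects per address, and FAILED counts per message type.
    """
    open_now, peak = Counter(), Counter()
    obsolete, failed = Counter(), Counter()
    for line in log.splitlines():
        m = EVENT.match(line)
        if m:
            kind, ip, rest = m.groups()
            if kind == "accepted connection":
                open_now[ip] += 1
                peak[ip] = max(peak[ip], open_now[ip])
            elif kind == "disconnecting node" and open_now[ip] > 0:
                open_now[ip] -= 1
            elif kind == "partner" and "obsolete version" in rest:
                obsolete[ip] += 1
            continue
        f = FAILED.search(line)
        if f:
            failed[f.group(1)] += 1
    over = sorted(ip for ip, n in peak.items() if n > per_ip_limit)
    return {"over_limit": over, "obsolete": dict(obsolete), "failed": dict(failed)}
```

An address appearing in `over_limit` means more simultaneous connections were accepted from it than the connlimit rule should allow, which is worth checking against the loaded ruleset.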
 

TanteStefana

Ugh, I've been trying to redo my MN by using this tutorial, and I thought my problem was due to the disabling of logging in as root, but actually, it's because of the iptables. I can no longer ssh into my instance when I reboot after step 7. Does it mess with my ssh security group (ssh, port 22, my ip only)?

Is anyone else having trouble? Because I'm following these instructions to the T. The only warning I got in the above steps was when I did:
update-rc.d ntp defaults
and it said system start/stop links already existed.

Why can't I log back in after reboot? (refused)
 

chaeplin

> Ugh, I've been trying to redo my MN by using this tutorial, and I thought my problem was due to the disabling of logging in as root, but actually, it's because of the iptables. I can no longer ssh into my instance when I reboot after step 7. Does it mess with my ssh security group (ssh, port 22, my ip only)?
>
> Is anyone else having trouble? Because I'm following these instructions to the T. The only warning I got in the above steps was when I did:
> update-rc.d ntp defaults
> and it said system start/stop links already existed.
>
> Why can't I log back in after reboot? (refused)

'update-rc.d ntp defaults' is related to ntp, not to sshd.

Did the instance say "ssh login to root refused" or "connection refused"?

Use ubuntu as the login user.
If you need root privilege, use 'sudo command' or 'sudo su -'

I will revise the guide to separate 'login user' and 'Masternode user'
 

TanteStefana

Yes, it said connection refused, and yah, I know about ssh, just wanted to be thorough that everything went like clockwork.

Did this several times, terminating the instance to start up anew. BTW, another thing that never happened before with my ec2, I can't get updates unless I open all ports. I figure, I'd open all ports to allow for updates, but close them when I'm ready to put my program in.

But yes, until I reboot, everything is going swimmingly. I can log in as Ubuntu with putty and winSCP no problems, but when I reboot, I can't.
 

chaeplin

* I have checked ntp and added the following.
Code:
update-rc.d ntp enable

For the ssh problem:
1) Can you check if the public address of the instance changed?

2) Comment out iptables in /etc/rc.local
Code:
#/sbin/iptables-restore < /etc/sysconfig/iptables
3) check /etc/iptables
*filter
:INPUT ACCEPT [1038:145425]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [434:87191]
-A INPUT -i eth0 -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
-A INPUT -i eth0 -p tcp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
4) check instance setup option
https://www.darkcointalk.org/threads/how-to-set-up-ec2-t1-micro-ubuntu-for-masternode-part-1-3.240/
http://i.imgur.com/ltTVWw0.png
 

TanteStefana

I had an idea, after doing apt-get update and apt-get distro upgrade, I rebooted and couldn't log back on. So this is a problem with the Ubuntu upgrade (I think) rather than anything here... I read that it was unstable, and should be reviewed carefully for changes that it wants to do before hitting Y as it will remove some packages and install others, which might not be what you'd want.

I didn't bother, I just hit Y lol.
 

TanteStefana

Well, I got "successfully started masternode" but I don't see my ip on the list? I'm wondering how long that should take?

Could it be I'm not able to broadcast? Is there a quick way to see if my MN is broadcasting its IP address and status, or if somehow the settings are blocking it?

Ugh, would you believe I put the wrong ip address in the config file? :oops:
 

TanteStefana

Yah, but it's been working well since last night :) Thanks again, chaeplin!

Next question: Could you teach us how to check our logs and what a ddos attack might look like?
 

yidakee

Stuck on # 11
can't seem to run darkcoind

Code:
[email protected]:~$ darkcoind
terminate called after throwing an instance of 'std::runtime_error'
  what():  locale::facet::_S_create_c_locale name not valid
Aborted (core dumped)
[email protected]:~$
 

chaeplin

> Stuck on # 11
> can't seem to run darkcoind
>
> Code:
> [email protected]:~$ darkcoind
> terminate called after throwing an instance of 'std::runtime_error'
>   what():  locale::facet::_S_create_c_locale name not valid
> Aborted (core dumped)
> [email protected]:~$

Check this:
https://www.foresightlinux.se/what-localefacet_s_create_c_locale-name-not-valid/
http://stackoverflow.com/questions/...-localefacet-s-create-c-locale-name-not-valid

Code:
:~$ export 
declare -x HOME="/home/ubuntu"
declare -x LANG="en_US.UTF-8"
declare -x LESSCLOSE="/usr/bin/lesspipe %s %s"
declare -x LESSOPEN="| /usr/bin/lesspipe %s"
declare -x LOGNAME="ubuntu"
declare -x LS_COLORS="rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:"
declare -x MAIL="/var/mail/ubuntu"
declare -x OLDPWD
declare -x PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
declare -x PWD="/home/ubuntu"
declare -x SHELL="/bin/bash"
declare -x SHLVL="1"
declare -x TERM="xterm-256color"
declare -x USER="ubuntu"


:~$ locale
LANG=en_US.UTF-8
LANGUAGE=
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=
 

yidakee

I had googled that, but wasn't sure. Maybe because I chose Ireland as region? Let me see...

EDIT: success! But when doing

Code:
tail -f ~/.darkcoin/debug.log
I get this;



Any ideas?
 

yidakee

chaeplin, I edited my previous post before you posted. Please look at the image I posted with the debug.log
 

chaeplin

> chaeplin, I edited my previous post before you posted. Please look at the image I posted with the debug.log

Hmm, it should not do that so often (try to connect to one IP address).
The IP address (192.99..) is the seeder IP, so it shouldn't be a problem.
Check darkcoin.conf, whether externalip is changed.

My suggestion is 1) stop darkcoind, 2) remove peers.dat, 3) run again.
 

yidakee

while I was waiting for help, I ran the command again and it works. Getting accepted messages. Guess I needed to let it connect before launching next command.

anyway, tried - darkcoind getblockcount and it's up to height.

Since we're on test net RC2, I don't need to actually send real DRK's, right? And I can't seem to figure out how to do all this through terminal, all too used to GUI

Code:
12. using home pc, make 1000 DRK encrypted wallet.dat to upload
* use home pc, not ec2
* install new wallet
* check account address 0 / getaccountaddress 0
* https://www.darkcointalk.org/thread...ternode-requirements-masternode-payments.225/
* send 1000 DRK to that address
* encrypt wallet
* backup wallet
* using scp upload encrypted backup wallet.dat to ec2 ubuntu home directory
And also, trying to rm peers.dat

Code:
[email protected]:/usr/local/src/darkcoin$ rm peers.dat
rm: cannot remove 'peers.dat': No such file or directory
[email protected]:/usr/local/src/darkcoin$ ls
COPYING  INSTALL  README.md  bitcoin-qt.pro  contrib  doc  share  src
[email protected]:/usr/local/src/darkcoin$
 

chaeplin

> while I was waiting for help, I ran the command again and it works. Getting accepted messages. Guess I needed to let it connect before launching next command.
>
> anyway, tried - darkcoind getblockcount and it's up to height.
>
> But, when running mining ufo, I get this - shouldn't testnet=true?
>
> I also tried * check account address 0 / getaccountaddress 0
> darkcoind gettaccountaddress 0
> and it generated an address starting with "X" not with "m" like I see in the RC2 test net thread.
>
> dammit, what am I doing wrong?

Darkcoin starts with X. Testnet starts with m.
With RC1, it's not testnet (as of this guide).
RC2 is in testnet stage for masternode payout test.

Code:
RC1
:~$ .darkcoin/darkcoind getinfo
{
    "version" : 100400,
    "protocolversion" : 70014,
    "walletversion" : 60000,
    "balance" : 1000.00000000,
    "blocks" : 59329,
    "timeoffset" : 0,
    "connections" : 18,
    "proxy" : "",
    "difficulty" : 1424.99959688,
    "testnet" : false,
    "keypoololdest" : 1397159252,
    "keypoolsize" : 101,
    "paytxfee" : 0.00000000,
    "mininput" : 0.00001000,
    "unlocked_until" : 0,
    "errors" : ""
}



RC2(testnet=1)
:~$ .darkcoin/darkcoind-testnet getinfo
{
    "version" : 100500,
    "protocolversion" : 70014,
    "walletversion" : 60000,
    "balance" : 12395.30000000,
    "blocks" : 1354,
    "timeoffset" : 0,
    "connections" : 8,
    "proxy" : "",
    "difficulty" : 0.20442253,
    "testnet" : true,
    "keypoololdest" : 1398603299,
    "keypoolsize" : 97,
    "paytxfee" : 0.00000000,
    "mininput" : 0.00001000,
    "unlocked_until" : 0,
    "errors" : ""
}
 

yidakee

God dammit... so I decided to reboot, logged in, went to ./darkcoin and opened darkcoin.conf... empty!!

Did it 2x now, and it stays empty!! Dog dammit, took the day off for this and just sitting here...

So basically, since RC2 is out, this tutorial is no longer valid? (except obviously updated to RC2)
 

Propulsion

> God dammit... so I decided to reboot, logged in, went to ./darkcoin and opened darkcoin.conf... empty!!
>
> Did it 2x now, and it stays empty!! Dog dammit, took the day off for this and just sitting here...
>
> So basically, since RC2 is out, this tutorial is no longer valid? (except obviously updated to RC2)

Make sure you logged in as the same user you set it up as.