Securing Sia wallets, renters, and hosts
How to run a secure Sia wallet and renter:
The default configuration for Sia is secure. As long as your seed and wallet-unlock password are secure, Sia, in its default configuration, is considered secure as well.
In some cases Sia will use a randomly generated API password. The API password is meant for different types of programs (such as Duplicati, siac, and Sia-UI) to interact securely with the Sia daemon. If you’re using Sia-UI this is completely automatic and secure, no additional configuration is required.
Running siad with the --authenticate-api=false flag is less secure, but still a pretty small attack surface since siad, by default, only responds to commands from localhost. This flag tells siad to accept any valid command from localhost, even if they don’t have the API password.
Running siad with the authenticate-api=false and --disable-api-security is considered DANGEROUS. This means that any host who can communicate with siad can start passing it instructions. A malicious user could attempt to brute-force your seed, upload files, download files, and change some settings on your renter or host. If the malicious user still does not know your seed they cannot unlock your wallet, or performs any actions requiring an unlocked wallet such as transferring Siacoin or Siafunds.
Sia needs an unlocked wallet to perform many renting and hosting actions such as renewing contracts and paying collateral. Since an unlocked (a.k.a hot) wallet is more risky than a locked wallet it’s best practice to keep only as much Siacoin as needed in an unlocked wallet. All other Siacoin should go in a wallet that stays locked and only transferred into the hot wallet when needed.
Keep your seed safe! And when in doubt keep Sia running in its default configuration.
How to run a secure Sia host:
Running a Sia host requires additional configuration and therefore is inherently more risky. Most host configurations require you to open 2 ports on your firewall (or port-forward if you’re behind a NAT).
Port 9981 is the gateway port. It’s used to connect with other Sia peers in a peer-to-peer decentralized way.
Port 9982 is the host port. It’s used to accept host related RPC calls such as form contract, scan host, etc.
Warning: Port 9980 is the API port and under most circumstances should NOT be open (or forwarded). This port exists for other applications (such as siac) to communicate with siad on the same localhost. Do not open this port unless you have a specific, valid, reason for doing so.
Since each user’s process for configuring their firewall and/or router is different I won’t go into details here, but feel free to reach out via the Sia Discord if you need help with any particular aspect of securing your host.
As usual, it’s best practice to run your Sia host with traditional security considerations in mind. Remember that Sia can read, write and execute files on your filesystem. Use traditional security measures such as file permissions, limited user accounts, and antivirus software to limit the attack surface Sia has exposed.
How to run a super secure, offline Sia wallet:
1: Sia has an unofficial cold-wallet that can be used to generate a new seed, and wallet addresses. You can send Siacoin and Siafunds to this wallet without ever connecting to the Internet or syncing the blockchain.
2: Sia supports the Ledger Nano S hardware wallet. https://support.sia.tech/article/1tteqxvgh0-sia-ledger
Donations:
- Tbenz9 Siacoin address:
f63f6c5663efd3dcee50eb28ba520661b1cd68c3fe3e09bb16355d0c11523eebef454689d8cf - Sia developers Siacoin address:
e68b2c8e7a1e1c28782f70a62630bb8d1b480b49dbce422eafbb338de17eb00453918618bbd3
