How to protect bitcoin wallet on the server?

Had the task to raise the bitcoin node and to write a binding for JSON-RPC to accept payments on the website (I know that you can use ready-made services, but the decision was made to implement itself). The question arose with the security of this site to not allow the attacker to access private keys of the wallet. Hence the question: what is the best way to do this? is it enough to configure iptables, authentication keys on the server, etc. or any other way to hide private keys? would love any recommendations and advice
April 4th 20 at 13:09
2 answers
April 4th 20 at 13:11
With one of our partners we had such a task: it was necessary to make the storage of Fiat and crypts. When the objective is something to protect, it is important to formulate a threat model: what kind of actions and penetrations should be protected and on this basis to design the architecture.

For example, in the case of response @cyrus.Shanahan63, threat model can be briefly formulated in the following way:
1. The attacker got access to the dev API.
2. The attacker got access to the dev with bitcoind and keys to all the keys.

Then I think how to reduce the negative effect in each case.

1 case. The attacker can now sign the requests independently. The solution may be, for example, multisig, where the key is stored from the user, as part of the server. Thus, the attacker will not be able these requests to sign. But it is important to understand in what jurisdiction is the product, since there are legal nuances. We are faced with them. Another solution may be able to enforce the disconnection of a path with bitcoind in some simple way: the downtime better than lost money.

2 the case. There is nothing you can do about it. However, there are products like https://www.thalesgroup.com/en, which provide a piece of metal, which securely stores the keys and which is considered uncrackable. In this case, the keys available as long as the physical (or virtual) card inserted into a card reader. Thus, if a system has been compromised, then it will be enough to pull the card. There are other products that are more budget.

In addition to protecting the keys, you can add protection with two-factor authentication and a third party, which may also be signed by transkey.

From the point of view of architecture, something like that, good luck in the sale )

Sincerely,
Ivan Tomilov
CEO of Lenore36
@llewellyn if the answer helped you, please mark it a solution ) if not, we will be happy to add the answer if you have any questions. - Lenore36 commented on April 4th 20 at 13:14
April 4th 20 at 13:13
Ideas on maximum limits for security with storing the key only in secure memory.
If small, then do make a separate server for signing requests/transactions. Turns out, even if the primary server lomanut, then get one just API with a single signing request. Part of the money will derive from them, but the keys will remain untouched

Find more questions by tags LinuxInformation securityBitcoin