Conclusion grammar

Radim Lipovčan 2019-03-03 16:22:24 +01:00
parent 1089027987
commit 26162f610d
1 changed files with 33 additions and 33 deletions


@ -2662,7 +2662,7 @@ When asked about pool preferences, two larger mining pools were often mentioned
\subsubsection{Windows platform}
Out of 60 miners in the dataset, 39 of them use Windows as their choice of OS for mining. Regarding periodic updates, only a small part of miners (10) tend to use Windows with its default update settings (automatic restart of the OS to apply updates, unattended driver updates).
Majority of Windows miners (23) tend to apply updates after some time after their release and are running some kind of antivirus software with remote access enabled. There is also a part of miners in the dataset (11) that tend to \enquote{setup and forget} with Windows update completely disabled. Setup preferences are shown in the Figure \ref{chart:mininghabbits}.
Majority of Windows miners (23) tend to apply updates after some time after their release and are running some kind of antivirus software with remote access enabled. There is also a part of miners in the dataset (11) that tend to \enquote{set up and forget} with Windows update completely disabled. Setup preferences are shown in the Figure \ref{chart:mininghabbits}.
\vspace{-1.3em}
\begin{center}
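Review bot: the rewritten line still carries the grammar this commit set out to fix: "Majority of Windows miners (23) tend to apply updates after some time after their release" needs an article and repeats "after" (suggest "The majority of Windows miners (23) apply updates some time after their release"), and "shown in the Figure \ref{chart:mininghabbits}" should read "shown in Figure \ref{chart:mininghabbits}". The clause "running some kind of antivirus software with remote access enabled" is also ambiguous about whether it is the antivirus or the machine that has remote access enabled; stating the two facts separately would remove the doubt.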
@ -2713,7 +2713,7 @@ Majority of Windows miners (23) tend to apply updates after some time after thei
\label{chart:windowshabbits}\end{figure}\end{center}
\vspace{-2em}
\subsubsection{Linux platform}
While Linux is used by 33 out of 60 miners, majority of them tend to use Ubuntu (17) or Debian (11). Specialised OS for mining - MineOS is used by six users, least use has community derivate from RHEL, CentOS.
While Linux is used by 33 out of 60 miners, the majority of them tend to use Ubuntu (17) or Debian (11). The specialized OS for mining - MineOS is used by six users, least use has community derivate from RHEL, CentOS.
\vspace{-2em}
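Review bot: the tail of the rewritten sentence, "least use has community derivate from RHEL, CentOS", is still ungrammatical; suggest "the RHEL community derivative CentOS is used least". The spaced hyphen in "The specialized OS for mining - MineOS" is also out of step with the rest of the document; "The mining-specific OS MineOS is used by six users" reads cleaner.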
@ -2762,9 +2762,9 @@ While Linux is used by 33 out of 60 miners, majority of them tend to use Ubuntu
\caption{Linux mining setup preferences.}
\label{chart:windowshabbits}\end{figure}\end{center}
\vspace{-1em}
Altought information about update frequency was not submitted by all miners, many of them (14) manage updates manually, with only small portion of other miners (6) having the process automated.Remote management is represented mainly by SSH (22) followed by VNC (3) and TeamViewer (3). Automation tools are used only by 13 miners from the dataset.
Although information about update frequency was not submitted by all miners, many of them (14) manage updates manually, with only a small portion of other miners (6) having the process automated. Remote management is represented mainly by SSH (22) followed by VNC (3) and TeamViewer (3). Automation tools are used only by 13 miners from the dataset.
\subsubsection{Demographics}
Survey parcitipants were mainly males (50), females (2) represented only a small portion of the dataset and some of the participants did not disclose their gender (8). Most respondents in the dataset were from the age groups 25-34 (33) followed by 35-44 age group (12) as well as 18-24 (11).
Survey participants were mainly males (50), females (2) represented only a small portion of the dataset and some of the participants did not disclose their gender (8). Most respondents in the dataset were from the age groups 25-34 (33) followed by 35-44 age group (12) as well as 18-24 (11).
\vspace{-1.9em}
\begin{center}
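Review bot: the Linux figure in this hunk reuses \label{chart:windowshabbits}, the same label the Windows figure carries in the previous hunk, so every \ref to it resolves to whichever figure LaTeX processes last and the build reports a multiply-defined label; give the Linux chart its own label (e.g. chart:linuxhabbits) and fix any \ref that was meant to point at it. In the rewritten demographics line, "mainly males (50), females (2) represented only a small portion" is a comma splice (use a semicolon or "while females (2) represented"), and "followed by 35-44 age group" needs "the".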
@ -2912,9 +2912,9 @@ Survey parcitipants were mainly males (50), females (2) represented only a small
\label{chart:itindustryuserresearch}\end{figure}\end{center}
\chapter{Designing secure mining environment}
The goal of this chapter is to design and develop secure and reasonably easy way how to setup and run mining operations on any scale. Inspired by both industry standards of large scale it operations as well as running own mining operation, main emphasis is placed on automation aspect of the whole system.
The goal of this chapter is to design and develop secure and reasonably easy way how to set up and run mining operations on any scale. Inspired by both industry standards of large scale IT operations as well as running mining operation, the main emphasis is placed on the automation aspect of the whole system.
\section{Automation}
Automation is a key aspect for designing and running IT operations that are secure, up-to-date, scalable and easy to maintain. To do that, proposed mining node provisioning scheme is divided into two parts, first being OS installation with early configuration and second is automated configuration of provisioned nodes using Ansible. Workflow is described in the Figure \ref{pict:deployment-workflow}.
Automation is a key aspect for designing and running IT operations that are secure, up-to-date, scalable and easy to maintain. To do that, the proposed mining node provisioning scheme is divided into two parts, first being OS installation with early configuration and second is the automated configuration of provisioned nodes using Ansible. Workflow is described in the Figure \ref{pict:deployment-workflow}.
\begin{figure}[H]
\center
\tikzstyle{decision} = [diamond, draw, fill=blue!20,
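Review bot: the rewrite drops "own" from "running own mining operation" and leaves "as well as running mining operation" without an article, which changes the meaning; "as well as by running the author's own mining operation" keeps the original sense. The same sentence still needs "a secure and reasonably easy way to set up" (drop "how"), and the Automation paragraph should read "the first being OS installation ... and the second being the automated configuration" and "in Figure \ref{pict:deployment-workflow}" rather than "in the Figure".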
@ -2978,8 +2978,8 @@ Four changes are needed to get the installation process working:
\begin{itemize}
\itemsep0em
\item \texttt{timeout} property changed from 600 to 50 (seconds * 10)
\item Change boot menu to go straight for the install
\item Edit paths for custom ISO image
\item Change the boot menu to go straight for the install
\item Edit paths for the custom ISO image
\item Add kickstart file entry
\end{itemize}
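Review bot: the first item, "\texttt{timeout} property changed from 600 to 50 (seconds * 10)", is the only item in the list not phrased as an instruction, and "(seconds * 10)" is easy to misread. The isolinux TIMEOUT value is in tenths of a second, so "Change the \texttt{timeout} property from 600 to 50 (tenths of a second, i.e. from 60 s to 5 s)" states both the unit and the effect, and it is worth saying there that the 5-second window is what lets the unattended install start before anyone at the console can intervene.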
@ -2999,12 +2999,12 @@ label linux
\end{center}
\end{figure}
\subsection{Kickstart file}
The kickstart file is a single file that contains all OS installation parameters for RHEL based operating systems \cite{van2015red}. This installation method enables automated provisioning of machines without the need of administrator input. When the file is presented to the installer, it reads the required parameters resulting in the unattended installation process \cite{leemans2015red}.
The kickstart file is a single file that contains all OS installation parameters for RHEL based operating systems \cite{van2015red}. This installation method enables automated provisioning of machines without the need for the administrator input. When the file is presented to the installer, it reads the required parameters resulting in the unattended installation process \cite{leemans2015red}.
Created kickstart file for Centos 7 mining installation media is available in the Appendix Figure \ref{fig:kickstart}.
The created kickstart file for Centos 7 mining installation media is available in the Appendix Figure \ref{fig:kickstart}.
\subsection{Generating ISO}
The specific process of packaging extracted CentOS installation media back into the iso file varies by used operating system. In both mentioned scenarios, few specific parameters have to be set:
The specific process of packaging extracted CentOS installation media back into the iso file varies by the used operating system. In both mentioned scenarios, few specific parameters have to be set:
\begin{itemize}
\itemsep0em
\item Boot image file \texttt{/isolinux/isolinux.bin}
@ -3052,7 +3052,7 @@ mkisofs -o centos7.iso -b isolinux.bin -c boot.cat -no-emul-boot -V 'CENTOS' -bo
%Installation to the target mining machine from this media can be done using optical media, USB drive that has the ISO unpackaged (e.g. using Rufus available from \url{rufus.ie}) or PXE boot (e.g. using open source network boot firmware iPXE available from \url{ipxe.org}).
\subsection{Setting up OS using Ansible}
\subsection{Setting up the OS using Ansible}
%Ansible is an IT automation engine that in this case is used for configuration and application management of local mining nodes.
After installation from the ISO that was prepared with the kickstart file, the target machine is accepting SSH connections under root account using password-based authentification. Without proper configuration, this would leave machine open to brute force attempts for the root account.
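Review bot: the unchanged paragraph under the retitled heading needs the same pass: "is accepting SSH connections under root account using password-based authentification" should be "accepts SSH connections to the root account with password-based authentication", and "leave machine open" needs "the". Since the kickstart file is published in the appendix and the repository, it is also worth stating plainly that whatever root password it sets is a known install-time credential, not merely a brute-force target, and that the Ansible step must rotate or disable it.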
@ -3085,7 +3085,7 @@ To provision mining nodes with software and configuration, Ansible uses followin
\begin{itemize}
\itemsep0em
\item \texttt{Xmr01.yml} represents a playbook file that defines what group of nodes will be provisioned together with the list of roles that will be applied to them. \\
\texttt{Hosts} file contains groups of hosts with information how Ansible can connect to them.
\texttt{Hosts} file contains groups of hosts with information on how Ansible can connect to them.
\item \texttt{Ansible.cfg} was used only in the testing environment where host key checking was disabled.
\item \texttt{Roles} folder contains roles that are applied when running the playbook.
\end{itemize}
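Review bot: the \texttt{Hosts} line is not its own \item; it hangs off the \texttt{Xmr01.yml} item via the trailing \\, so the list renders three bullets for four files. Give it an \item. Separately, the filenames are capitalised here (\texttt{Hosts}, \texttt{Ansible.cfg}, \texttt{Roles}) while the hostname role below refers to the \texttt{hosts} file in lowercase; Linux paths are case-sensitive and Ansible looks for \texttt{ansible.cfg}, so use the real on-disk names throughout.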
@ -3097,10 +3097,10 @@ The common baseline for all mining nodes that consists of the following tasks:
\begin{enumerate}
\itemsep0em
\item Ensure EPEL repo is configured or install it.
\item Install following packages: \texttt{htop, rsync, screen, tmux, iftop, iotop, nano, git, wget, unzip, mc}.
\item Install the following packages: \texttt{htop, rsync, screen, tmux, iftop, iotop, nano, git, wget, unzip, mc}.
\end{enumerate}
\subsubsection{ansible-sw-firewalld}
Installs and enables firewalld service that has default policy for connections set to \texttt{public network} and accepts incoming connections only for SSH service.
Installs and enables the firewalld service that has default policy for connections set to the \texttt{public network} and accepts incoming connections only for SSH service.
\subsubsection{ansible-sw-ntp}
To report correct information through the web interface of the mining software, the target machine has to be in sync with NTP servers to do that role establishes the following:
\begin{enumerate}
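Review bot: the NTP sentence is a run-on: "has to be in sync with NTP servers to do that role establishes the following:" should be split as "has to be in sync with NTP servers. To do that, the role establishes the following:". In the firewalld line, the added "the" in "set to the \texttt{public network}" makes it read as a network rather than a zone; name the zone as firewalld does, "default zone set to \texttt{public}", and "only for SSH service" needs "the".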
@ -3117,7 +3117,7 @@ Using Gmail account is preferred as this solution is an Internet Service Provide
Separate Gmail account for sending out email alerts is recommended as Postfix has login credentials saved in \texttt{/etc/postfix/sasl\TextUnderscore{}passwd} file in plaintext \cite{van2015red}. This can be made more secure if the credentials file has appropriate permissions, e.g., ownership set to root, the group to wheel and chmod changed to 0600.
\subsubsection{ansible-sw-sshsec}
Takes care about incoming SSH connections in case somebody wants to try brute force attack on the mining machine. After a predefined amount of failed login attempts, incoming IP address is put into "jail".
Takes care about incoming SSH connections in case somebody wants to try brute force attack on the mining machine. After a predefined amount of failed login attempts, the incoming IP address is put into "jail".
Under the hood, fail2ban monitors sshd log for incoming failed attempts and after certain threshold creates a firewalld rule to block the IP for a predefined amount of time. The default setting for this rule is relatively strict, 3 failed attempts in 10-hour window result in a 10-hour ban for incoming connections from the IP address.
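Review bot: the unchanged sasl_passwd sentence recommends "ownership set to root, the group to wheel and chmod changed to 0600", but with mode 0600 the group bits grant nothing, so changing the group to wheel adds no protection; "owned by root with mode 0600" says what matters. In the fail2ban lines, "Takes care about" should be "Takes care of", "try brute force attack" needs "a brute-force attack", "after certain threshold" and "in 10-hour window" need articles, and "The default setting for this rule" should read "The role's default", since 3 attempts in a 10-hour window is this fork's setting rather than fail2ban's shipped default.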
@ -3127,15 +3127,15 @@ This role is a fork of \texttt{ansible-role-fail2ban} that is available at \url{
\subsubsection{ansible-sw-xmrstak}
Installs software collections \texttt{centos-release-scl} package for Centos together with \texttt{cmake3, devtoolset-4-gcc*, hwloc-devel, make, \newline libmicrohttpd-devel, openssl-devel} packages used for compiling XMR-Stak from source code.
After that, folder structure inside non-privileged user account is created, and XMR-Stak repo is cloned into the user directory. With appropriate permissions set, cmake compiles the source code with following flags \texttt{cmake3 .. -DCPU\TextUnderscore{}ENABLE=ON -DCUDA\TextUnderscore{}ENABLE=OFF -DOpen\newline CL\TextUnderscore{}ENABLE=OFF} resulting in CPU only miner for Centos \cite{xmrstakcompile}.
After that, the folder structure inside the non-privileged user account is created, and XMR-Stak repo is cloned into the user directory. With appropriate permissions set, cmake compiles the source code with following flags \texttt{cmake3 .. -DCPU\TextUnderscore{}ENABLE=ON -DCUDA\TextUnderscore{}ENABLE=OFF -DOpen\newline CL\TextUnderscore{}ENABLE=OFF} resulting in CPU only miner for Centos \cite{xmrstakcompile}.
If the mining node would use GPU, appropriate drivers from AMD or Nvidia website are a prior requirement for running the miner. As GPU feature is only a flag, it can be enabled on demand in the playbook file as cmake3 flags are set as variables in the tasks file of the \texttt{ansible-sw-xmrstak} role in the Jinja2 format: \\ \texttt{cmake3 .. -DCPU\TextUnderscore{}ENABLE=\{\{ DCPU\TextUnderscore{}ENABLE \}\} -DCUDA\TextUnderscore{}ENABLE=\{\{ \newline DCUDA\TextUnderscore{}ENABLE \}\} -DOpenCL\TextUnderscore{}ENABLE=\{\{ DOpenCL\TextUnderscore{}ENABLE \}\}}
As next step, role copies over to the node cpu, pool and miner configuration and creates a crontab entry for automatic miner start. For the final touch, HugePages are set to \texttt{vm.nr\TextUnderscore{}hugepages=128} in \texttt{/etc/sysctl.conf} for CPU mining memory allocation, and sysctl is reloaded.
As next step, role copies over to the node CPU, pool and miner configuration and creates a crontab entry for automatic miner start. For the final touch, HugePages are set to \texttt{vm.nr\TextUnderscore{}hugepages=128} in \texttt{/etc/sysctl.conf} for CPU mining memory allocation, and sysctl is reloaded.
\subsubsection{ansible-sys-hostname}
Changes system hostname to inventory hostname set in \texttt{hosts} file using \texttt{hostnamectl} Ansible module.
\subsubsection{ansible-user-add}
\texttt{User-add-role} is used for creating the mining user that is not within wheel group (unpriviledged user).
\texttt{User-add-role} is used for creating the mining user that is not within the wheel group (unprivileged user).
\subsubsection{ansible-yum-cron}
Installs and configures automatic security updates for Centos that are daily checked against the online repository. If packages marked for security update are found, email notification to root is sent \cite{pelz2016centos}.
\subsubsection{ansible-yum-update}
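Review bot: the hostname role says it uses the "\texttt{hostnamectl} Ansible module"; Ansible's module is \texttt{hostname} (hostnamectl is the systemd command it may invoke), so the module name should be corrected. The yum-cron paragraph is also ambiguous about what actually happens: "Installs and configures automatic security updates" suggests updates are applied, while the next sentence only says a notification is sent to root; state whether apply_updates is enabled. Residual grammar in the unchanged lines: "with following flags" needs "the", "resulting in CPU only miner" should be "a CPU-only miner", "If the mining node would use GPU" should be "If the mining node uses a GPU", "As next step, role copies over to the node CPU, pool and miner configuration" should be "As the next step, the role copies the CPU, pool and miner configuration to the node", "Centos" should be "CentOS", and \texttt{User-add-role} does not match the heading \texttt{ansible-user-add}.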
@ -3159,7 +3159,7 @@ There are many ways how to provision changes to original Windows media, most str
This process of Windows image customization can be done using Windows Assessment and Deployment Kit (Windows ADK) as it includes Windows System Image Manager (Windows SIM) that is an authoring tool for \texttt{autounattend.xml} files. Using Windows ADK, more complex Windows deployment can be achieved as the administrator can bundle applications and drivers in the image \cite{rhodes2016introduction}.
For this guide, generating \texttt{autounattend.xml} file is based on online autounattend generator tool located at \url{windowsafg.com}. After generating the file, a block of commands that is executed after the first logon, was added.
For this guide, generating \texttt{autounattend.xml} file is based on online autounattend generator tool located at \url{windowsafg.com}. After generating the file, a block of commands that is executed after the first logon was added.
\begin{figure}[H]
\begin{center}
\begin{lstlisting}
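Review bot: removing the comma after "logon" was right, but the sentence still needs articles: "is based on the online autounattend generator tool", and "a block of commands that is executed after the first logon was added" reads better as "a block of commands executed after the first logon was added". In the ADK sentence, "more complex Windows deployment can be achieved" needs "a".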
@ -3183,9 +3183,9 @@ Note that installer opens RDP, WinRM, temporarily disables Windows Firewall (whi
\subsection{Ansible at Windows}
Before applying roles in Ansible for Windows, unlike in Ansible with Linux machines, environment for both Windows and Linux controller has to be prepared \cite{windowsansible}.
\textbf{Windows} needs to have WinRM setup, this is already done as it was part of the installation process where Ansible Powershell script set up HTTPS WinRM environment \cite{windowshostansible}.
\textbf{Windows} needs to have WinRM setup. This is already done as it was part of the installation process where Ansible Powershell script set up HTTPS WinRM environment \cite{windowshostansible}.
\textbf{Linux} doesn't have Ansible modules for Windows in default Ansible install. Those can be install using the package manager, e.g.:
\textbf{Linux} doesn't have Ansible modules for Windows in default Ansible install. Those can be installed using the package manager, e.g.:
\vspace{-0.7em}
\begin{itemize}
\itemsep0em
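Review bot: the Linux line is technically off: Windows modules ship with Ansible, and what a default controller install lacks is the \texttt{pywinrm} library that the WinRM connection plugin needs, so "doesn't have Ansible modules for Windows in default Ansible install" should say that the pywinrm dependency has to be installed (assuming that is what the list below does). In the Windows line, "needs to have WinRM setup" should be "set up" (the verb, the same fix this commit applies elsewhere), "Powershell" should be "PowerShell", and "set up HTTPS WinRM environment" needs "an". The heading "Ansible at Windows" would normally be "Ansible on Windows", and "environment for both Windows and Linux controller has to be prepared" needs "the".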
@ -3208,7 +3208,7 @@ Before applying roles in Ansible for Windows, unlike in Ansible with Linux machi
\end{itemize}
\subsection{Ansible roles}
Once Ansible is ready to launch \texttt{xmratwin.yml} playbook, following roles are played:
Once Ansible is ready to launch \texttt{xmratwin.yml} playbook, the following roles are played:
\begin{figure}[H]
%\begin{subfigure}{.5\textwidth}
\dirtree{%
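Review bot: "ready to launch \texttt{xmratwin.yml} playbook" still needs "the" before the filename, and "roles are played" is non-standard; Ansible applies or runs roles, so "the following roles are applied".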
@ -3232,26 +3232,26 @@ Windows update policy is set to download and notify for install as Windows updat
The administrator can configure which updates category will be included in the updates, in default role install updates from \texttt{SecurityUpdates} and \texttt{CriticalUpdates} category \cite{windowshostansible}. This can be changed using variable \texttt{UpdateEverything} in the playbook.
\subsubsection{ansible-win-xmrstak}
Downloads latest release of XMR-Stak from developers GitHub page, configures mining software and downloads required libraries from Microsoft site. It also creates scheduled task under mining user to run with elevated permissions after logon so that UAC can be kept enabled and the miner is running without UAC prompts.
Downloads latest release of XMR-Stak from developers GitHub page, configures mining software and downloads required libraries from Microsoft site. It also creates scheduled task under the mining user to run with elevated permissions after login so that UAC can be kept enabled and the miner is running without UAC prompts.
Also adds the exception in Windows Defender to ignore Desktop folder as a binary XMR-Stak file is considered as a malicious file for being a mining software.
\chapter{Conclusion}
There is a thin line between reasonable security and unnescesarry security measures that render the whole work useless. More often than not, systems, applications and whole environments are designed with security in mind, but without the idea how to do it in a usable way, resulting in user created workarounds that cause security issues.
There is a thin line between reasonable security and unnecessary security measures that render the whole work useless. More often than not, systems, applications, and whole environments are designed with security in mind, but without the idea how to do it in a usable way, resulting in user-created workarounds that cause security issues.
In Monero cryptocurrency, there are no strict guidelines or rules on how to access the funds or run the mining operation. As can be seen on the results from both of the surveys, users tend to only "do the needfull" when it comes to using the cryptocurrency.
In Monero cryptocurrency, there are no strict guidelines or rules on how to access the funds or run the mining operation. As can be seen on the results from both of the surveys, users tend to only "do the needful" when it comes to using the cryptocurrency.
%Monero cryptocurrency is an active open source technology project that aims to provide private cryptocurrency for everyone. As there is no central authority it is always up to the community to recommend or guide others
In terms of security in mining operations as well as normal users key management there is a room for improvement. Using the combination of knowledge from Monero documentation, Monero community articles and posts as well as results from both of the surveys and own technological background, this work presents a detailed view on the technical side of the cryptocurrency.
In terms of security in mining operations as well as normal users key management there is a room for improvement. Using the combination of knowledge from Monero documentation, Monero community articles, and posts as well as results from both of the surveys and own technological background, this work presents a detailed view on the technical side of the cryptocurrency.
User side of Monero is represented by description of the cryptocurrency as well as detailed guidelines on howto start with the cryptocurrency in form of best practices. This includes choosing the client software, deciding on the type the wallet, generating and storing the keys up to pointing out the problems and incidents that can happen to every user.
User side of Monero is represented by the description of the cryptocurrency as well as detailed guidelines on how to start with the cryptocurrency in form of best practices. This includes choosing the client software, deciding on the type the wallet, generating and storing the keys up to pointing out the problems and incidents that can happen to every user.
This work can further be extended by covering the pool operators perspective, their system management and security standards. At the time of writing, there was not enough data to dig into this section as none out of more than 20 pools filled out the survey.
This work can further be extended by covering the pool operators perspective, system management, and security standards. At the time of writing, there was not enough data to dig into this section as none out of more than 20 pools filled out the survey.
From miners the thesis offers the guide on how to automate deployment and configuration of mining operations. This is important as only a small fraction from both Windows and Linux miners use automation tools to deploy and manage mining rigs which can result in unwanted differencies in configuration or inconsitencies across mining environment.
From miners perspective, the thesis offers the guide on how to automate deployment and configuration of mining operations. This is important as only a small fraction from both Windows and Linux miners use automation tools to deploy and manage mining rigs which can result in unwanted differences in configuration or inconsistencies across mining environment.
To make results from this thesis more open to the public, everything is published under Github repository and GitHub pages website.
To make results from this thesis more open to the public, everything is published under the GitHub repository and GitHub pages website.
\noindent
GitHub repository: \url{https://github.com/Ownercz/ssme-thesis}\\
GitHub pages: \url{https://ownercz.github.io/ssme-thesis}
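Review bot: two security caveats in the unchanged XMR-Stak lines come before the grammar. "Downloads latest release of XMR-Stak from developers GitHub page" deploys whatever is newest with no version pin or checksum verification, so a compromised or retagged release would land on every rig; pin the release and verify the published hash. And "adds the exception in Windows Defender to ignore Desktop folder" excludes an entire user folder from scanning; scope the exclusion to the miner's own directory or executable. Residual grammar: "Downloads latest release ... from developers GitHub page ... from Microsoft site ... creates scheduled task" needs "the latest", "the developers' GitHub page", "the Microsoft site" and "a scheduled task"; in the Conclusion, "without the idea how to do it" should be "without an idea of how to do it", "normal users key management", "pool operators perspective" and "From miners perspective" need possessive apostrophes, "there is a room for improvement" drops "a", "deciding on the type the wallet" should be "the type of wallet", "in form of best practices" and "across mining environment" need "the", "offers the guide" should be "offers a guide", and "published under the GitHub repository" should be "published in a GitHub repository".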
@ -3268,7 +3268,7 @@ GitHub pages: \url{https://ownercz.github.io/ssme-thesis}
Electronic attachments are included in the thesis archive of the Masaryk University Information System.
\\
\\
Thesis source code together with electronic attachements is avaiable at \url{https://github.com/Ownercz/ssme-thesis}.
Thesis source code together with electronic attachments is available at \url{https://github.com/Ownercz/ssme-thesis}.
\\
\\
Chapters of this work are also published online at \url{https://ownercz.github.io/ssme-thesis/}.
@ -3281,7 +3281,7 @@ Following files are included in the attachment archive:
\item \texttt{Cleansed} directory containing data used for Monero Users and Monero Miners survey.
\item \texttt{Kickstart} directory containing the kickstart file for Centos 7 used in unattended Centos installation.
\item \texttt{Original} directory containing unfiltered data from Monero Users and Monero Miners survey.
\item \texttt{Sql-queries} directory containing sql files that were used for data processing for both surveys.
\item \texttt{SQL-queries} directory containing SQL files that were used for data processing for both surveys.
\item \texttt{Unattended} directory containing the autounattend file for Windows 10 used in unattended Windows 10 installation.
\end{itemize}
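Review bot: renaming \texttt{Sql-queries} to \texttt{SQL-queries} in the text only helps if the directory in the attachment archive is renamed as well; this list describes on-disk names, and a reader looking for \texttt{SQL-queries} in an archive that contains \texttt{Sql-queries} will not find it on a case-sensitive filesystem. Also, "Centos 7" and "unattended Centos installation" in the Kickstart item should be "CentOS" for consistency with the rest of the document.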