Network Fortification: Tor, I2P, and Firewall Hardening
A Bitcoin node is a beacon in the digital world. By default, it broadcasts your IP address to every other node it connects to. In a world of increasing surveillance and sophisticated cyber-attacks, "Network Fortification" is no longer optional. This chapter explores how to hide your node's physical location using Tor and I2P, and how to harden your Linux firewall against Denial-of-Service (DoS) attempts.
The Privacy Shield: Tor (The Onion Router)
Tor is the industry standard for node privacy. When running over Tor, your node does not connect directly to other IPs. Instead, it builds a "Circuit" through three volunteer servers, encrypting the data at every layer.
- Hidden Services (.onion): Your node becomes a "Hidden Service." Other nodes can find you via a long string of random characters ending in .onion. They never know your city, your ISP, or your home address.
- Bridges and Obfuscation: If your ISP tries to block Tor, you can use "Bridges" (like obfs4) to disguise your Tor traffic as normal web browsing.
```
# bitcoin.conf settings for total Tor isolation
proxy=127.0.0.1:9050
listenonion=1
# This tells bitcoind to ONLY connect to other Tor nodes.
onlynet=onion
```
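A small audit script for the settings above, added here as an example and not part of the original article: it reads a bitcoin.conf, strips comments the way Bitcoin Core does, and fails when proxy= is missing, listenonion is not 1, or any onlynet= line names a network other than onion (onlynet may be given several times, and a second value such as onlynet=ipv4 re-admits clearnet peers). The two confs it checks are constructed samples. Note that listenonion=1 also depends on bitcoind reaching Tor's control port (127.0.0.1:9051 by default) to create the hidden service, which a file check cannot confirm.

```shell
#!/bin/sh
# Added example (not part of the article): audit a bitcoin.conf for the
# three Tor-isolation settings. Assumes key=value lines with '#' starting
# a comment, which is how Bitcoin Core reads the file.

# conf_get FILE KEY: print every value set for KEY, comments stripped.
conf_get() {
    sed -e 's/#.*//' "$1" | awk -F= -v k="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }'
}

# check_tor_isolation FILE: exit 0 only if proxy is set, listenonion=1,
# and every onlynet= line says onion. Each finding is printed.
check_tor_isolation() {
    conf="$1"
    ok=0
    [ -n "$(conf_get "$conf" proxy)" ] || { echo "missing proxy="; ok=1; }
    [ "$(conf_get "$conf" listenonion)" = "1" ] || { echo "listenonion is not 1"; ok=1; }
    nets="$(conf_get "$conf" onlynet)"
    [ -n "$nets" ] || { echo "missing onlynet=onion"; ok=1; }
    for net in $nets; do
        [ "$net" = "onion" ] || { echo "onlynet=$net allows non-Tor peers"; ok=1; }
    done
    return $ok
}

# Constructed sample confs (not taken from any real node).
GOOD_CONF=$(mktemp)
LEAKY_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$LEAKY_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
proxy=127.0.0.1:9050
listenonion=1
onlynet=onion   # only Tor peers
EOF
cat > "$LEAKY_CONF" <<'EOF'
proxy=127.0.0.1:9050
listenonion=1
onlynet=onion
onlynet=ipv4    # a second onlynet= value re-admits clearnet peers
EOF

check_tor_isolation "$GOOD_CONF" && echo "good conf: Tor isolation in place"
check_tor_isolation "$LEAKY_CONF" || echo "leaky conf: flagged"
```

Run it against your own file with `check_tor_isolation ~/.bitcoin/bitcoin.conf`; the exit status makes it usable from a cron job or a deployment check.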
The New Frontier: I2P (Invisible Internet Project)
While Tor is great, it has "Exit Nodes" that can be centralized. I2P is a fully decentralized, "Garlic-Routed" network designed for internal communication. Bitcoin Core 22.0 introduced native I2P support.
- I2P SAM: Bitcoin talks to the I2P network using the "SAM" (Simple Anonymous Messaging) protocol.
- Advantage: I2P is often faster for node-to-node communication than Tor because it was designed specifically for "Hidden Services."
Firewall Hardening with iptables and ufw
Your node is connected to the internet 24/7. It will be "Scanned" by hackers thousands of times per day. You must use a firewall to close every door except the one Bitcoin needs.
- Port 8333 (P2P): Open this only if you want to help others sync.
- Port 8332 (RPC): CRITICAL SECURITY RISK. This port should never, ever be open to the public internet. It should be restricted to 127.0.0.1 (localhost).
```
# Hardening a Bitcoin server with UFW (Uncomplicated Firewall)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp # For SSH access
sudo ufw allow 8333/tcp # For Bitcoin P2P
sudo ufw enable
```
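The rule set above is only safe as long as nobody later adds an allow for 8332. The following check, added as an example and not part of the original article, scans the text that `ufw status` prints and fails when the RPC port is allowed from Anywhere (IPv4 or the "(v6)" variant). The two status listings are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the article): detect an RPC port exposed
# through ufw by reading `ufw status` output. The listings below are
# constructed, not captured from a real host.

# rpc_exposed STATUS_TEXT: exit 0 when port 8332 is allowed from Anywhere,
# exit 1 otherwise. Accepts the "(v6)" rows and the "ALLOW IN" wording
# that `ufw status verbose` uses.
rpc_exposed() {
    printf '%s\n' "$1" | awk '
        /^8332(\/tcp)?[ \t]+(\(v6\)[ \t]+)?ALLOW( IN)?[ \t]+Anywhere/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed: the ruleset built by the commands above.
SAFE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8333/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8333/tcp (v6)              ALLOW       Anywhere (v6)'

# Constructed: the same host after someone ran "ufw allow 8332/tcp".
EXPOSED_STATUS="$SAFE_STATUS
8332/tcp                   ALLOW       Anywhere"

if rpc_exposed "$EXPOSED_STATUS"; then
    echo "RPC port 8332 is reachable from the internet; remove that rule"
fi
rpc_exposed "$SAFE_STATUS" || echo "RPC port stays closed on the safe ruleset"
```

On a live host, pipe the real output in with `rpc_exposed "$(sudo ufw status)"`; if it fires, `sudo ufw delete allow 8332/tcp` removes the offending rule, and bitcoind itself should keep rpcbind on 127.0.0.1.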
Mitigating the "Eclipse Attack"
An Eclipse Attack is a sophisticated network attack where a hacker controls all 8 of your node's outgoing connections. They can then feed you a "Fake" blockchain where you have received money that doesn't exist.
- Prevention: Netgroups: Bitcoin Core uses "Netgroup" logic. It tries to ensure that your 8 connections are spread across different parts of the internet (different ISPs and countries).
- Prevention: ASMAP: Advanced users can use an "ASMAP" file, which tells Bitcoin exactly which "Autonomous Systems" (ISPs) own which IPs, allowing the node to make even more diverse and secure connection choices.
By fortifying your network, you transform your node from a vulnerable target into a "Digital Ghost"—invisible to adversaries but fully functional and secure within the global network.