Mining Pool Security Hardening Checklist

Mining pools are exposed infrastructure: public Stratum ports, payout systems, and a business that lives on its reputation. This checklist covers practical controls that reduce the most common risks: wallet loss, payout abuse, DDoS downtime, and silent failures. Use it as a hardening baseline when installing or setting up a pool; it covers configuration, DDoS posture, wallet handling, node/RPC protections, and least-privilege access.

Wallet & payout safety

  • Separate funds: keep only an operational balance in a hot wallet; store the rest in warm/cold storage.
  • Payout controls: caps/limits, approvals, allowlists where possible, and clear payout scheduling policy.
  • Least privilege: separate services/users, restrict who can trigger payouts, and lock down admin endpoints.
  • Auditability: log payout actions and admin changes; keep logs tamper-resistant where possible.
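As an added example (not code from this guide or from any particular pool software), the following Python payout gate ties the four bullets above together: a per-payout cap, a daily cap, an address allowlist, a second-approver threshold, and a hash-chained audit log that lets you detect an altered or dropped record. Amounts are integers in the coin's smallest unit; the policy numbers, worker names and address strings in the test are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # chain anchor for the first audit record


@dataclass
class PayoutPolicy:
    per_payout_cap: int       # max units in a single payout
    daily_cap: int            # max units paid out per day in total
    approval_threshold: int   # payouts at/above this need a named approver
    allowlist: frozenset      # destination addresses allowed to receive payouts


class PayoutGate:
    def __init__(self, policy: PayoutPolicy):
        self.policy = policy
        self.paid_today = 0
        self.audit = []            # append-only, hash-chained decision records
        self._prev = GENESIS

    def _record(self, event: dict) -> None:
        # Each record commits to the previous record's hash, so editing or
        # removing any earlier entry breaks verification of everything after it.
        entry = {**event, "prev": self._prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.audit.append(entry)
        self._prev = entry["hash"]

    def request(self, worker: str, address: str, amount: int, approved_by=None):
        """Return (ok, reason); every decision, allowed or denied, is logged."""
        p, reason = self.policy, None
        if address not in p.allowlist:
            reason = "address not on allowlist"
        elif amount > p.per_payout_cap:
            reason = "exceeds per-payout cap"
        elif self.paid_today + amount > p.daily_cap:
            reason = "exceeds daily cap"
        elif amount >= p.approval_threshold and not approved_by:
            reason = "approval required"
        ok = reason is None
        if ok:
            self.paid_today += amount
        self._record({"worker": worker, "address": address, "amount": amount,
                      "approved_by": approved_by, "ok": ok, "reason": reason})
        return ok, reason


def verify_audit(audit: list) -> bool:
    """Recompute the chain; False if any record was altered, reordered or dropped."""
    prev = GENESIS
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

In a real deployment the audit chain would be written to append-only storage off the payout host and the daily counter reset on a schedule; both are left out here to keep the control logic visible.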

Infrastructure hardening

  • Patch discipline: keep OS and critical services updated; document upgrade steps and rollback.
  • Firewall by default: expose only required ports; put admin panels behind a VPN or restrict them to known addresses where possible.
  • Secrets management: avoid plain-text secrets in public repos; rotate credentials on handover.
  • Service separation: split Stratum from DB/payout where feasible; reduce blast radius.

Stratum edge protections

  • Rate limiting: protect login/registration endpoints and Stratum connection bursts.
  • Abuse controls: ban rules for malformed traffic, connection floods, and obvious bot patterns.
  • DDoS strategy: provider-level mitigation, anycast/edge options, and documented failover procedures.
  • Multi-region: optional gateways to reduce latency and provide failover.

Monitoring & alerts

  • Stratum health (online/offline), connection counts, share rates, and rejects/stales.
  • Daemon health and block template availability.
  • Database health (disk, lag, slow queries), and queue sizes.
  • Payout queue failures and abnormal payout volume.
  • Security signals: unusual admin logins, config changes, repeated auth failures.

Security needs operations

Most incidents are detected late because nobody is watching the right metrics. If you want ongoing help with alerts, upgrades, and incident response, see managed pool operations & monitoring. If you’re planning multi-region Stratum, start with a DDoS-ready architecture blueprint.

Backups & restore testing

  • Automate backups: DB + config + key material (where appropriate and safe) on a schedule.
  • Encrypt backups and store copies off-server.
  • Test restores: a backup you can’t restore is not a backup. Periodically run a restore drill.

Incident response basics

  1. Contain: isolate affected services, rotate secrets, and pause payouts if necessary.
  2. Eradicate: remove malicious access, patch the root cause, and validate clean state.
  3. Recover: restore services and validate payout integrity before resuming normal operations.
  4. Postmortem: document what happened and which controls you’ll add to prevent recurrence.

Need a security review or hardening implementation?

We can harden an existing pool or include security hardening in a new build. Contact us.

FAQ

Do you recommend keeping all funds in a hot wallet?

No. A safer approach is separating hot funds (limited operational balance) from warm/cold storage, with withdrawal controls and monitoring. The right setup depends on your payout frequency and operational model.

Is DDoS protection required for public pools?

In practice, yes. Public pools are frequent targets. Even a basic plan should include edge filtering, rate limiting, and a mitigation strategy with your hosting/provider.

What are the most important alerts to set up?

Stratum connectivity, share rate anomalies, daemon health, database lag/disk usage, payout queue failures, and unexpected admin logins or config changes.

Can you implement these controls for my pool?

Yes. We can harden an existing deployment or include security hardening as part of a new pool build, with documentation and an ops runbook.
