Securing your Node

Completing this guide will provide a solid baseline to protect and secure your staking node.

Pre-requisites

  • Ubuntu Server or Ubuntu Desktop installed
  • SSH server installed
  • an SSH client or terminal window access
In case you need to install SSH server, refer to:

Mandatory: Create a non-root user with sudo privileges

Make a habit of logging in to your server using a non-root account. This will prevent the accidental deletion of files if you make a mistake. For instance, the command rm can wipe your entire server if run incorrectly by a root user.
🔥Tip: Do NOT routinely use the root account. Use su or sudo, always.
If your staking node is your current computer, simply open a terminal window. From anywhere, press Ctrl+Alt+T to open a terminal window.
Otherwise, SSH to your staking node with your SSH client.
Create a new user called dexit
sudo useradd -m -s /bin/bash dexit
Set the password for the dexit user
sudo passwd dexit
Add dexit to the sudo group
sudo usermod -aG sudo dexit
Disable SSH password Authentication and Use SSH Keys only
The basic rules of hardening SSH are:
  • No password for SSH access (use private key)
  • Don't allow root to SSH (the appropriate users should SSH in, then su or sudo)
  • Use sudo for users so commands are logged
  • Log unauthorized login attempts (and consider software to block/ban users who try to access your server too many times, like fail2ban)
  • Lock down SSH to only the IP range you require (if you feel like it)
Create a new SSH key pair. Run this on your local machine. You will be asked to type a file name in which to save the key. This will be your keyname.
ssh-keygen -t ed25519
Make multiple backup copies of your private SSH key file to external storage for recovery purposes.
Transfer the public key to your remote node. Update keyname.pub appropriately.
ssh-copy-id -i $HOME/.ssh/keyname.pub dexit@<server.public.ip.address>
Log in with your new dexit user.
Disable root login and password based login. Edit the /etc/ssh/sshd_config file
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to no
ChallengeResponseAuthentication no
Locate PasswordAuthentication and update to no
PasswordAuthentication no
Locate PermitRootLogin and update to prohibit-password
PermitRootLogin prohibit-password
Locate PermitEmptyPasswords and update to no
PermitEmptyPasswords no
Optional: Locate Port and change it to a random port of your choice.
Use a random port number from 1024 through 49141. Check for possible conflicts.
Port <port number>
Validate the syntax of your new SSH configuration.
sudo sshd -t
If the syntax validation reports no errors, restart the SSH process
sudo systemctl restart sshd
Verify the login still works
ssh dexit@<server.public.ip.address> -p <custom port number>
Alternatively, point ssh at your private key file with -i (the file without the .pub extension). You might need to add the -p <port#> flag if you used a custom SSH port.
ssh -i <path to your SSH_key_name> dexit@<server.public.ip.address>
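To confirm that the settings edited above are the ones sshd actually applies, the following added example (not part of the original guide) checks "keyword value" lines in the format printed by sshd -T against the guide's values. The function name audit_sshd and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit effective sshd settings against
# the values the guide sets. Input: "keyword value" lines as printed by `sshd -T`.

audit_sshd() {
    awk '
    BEGIN {
        # Values from the guide, keyed by lowercase keyword.
        want["passwordauthentication"] = "no"
        want["permitemptypasswords"] = "no"
        want["permitrootlogin"] = "prohibit-password"
        want["kbdinteractiveauthentication"] = "no"
        # ChallengeResponseAuthentication is the older name of this keyword.
        alias["challengeresponseauthentication"] = "kbdinteractiveauthentication"
    }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        key = tolower($1); val = tolower($2)
        if (key in alias) key = alias[key]
        # without-password is the deprecated alias of prohibit-password.
        if (key == "permitrootlogin" && val == "without-password")
            val = "prohibit-password"
        if ((key in want) && !(key in seen)) seen[key] = val   # first value wins
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen))            { printf "MISSING %s (want %s)\n", k, want[k]; bad++ }
            else if (seen[k] != want[k]) { printf "FAIL %s = %s (want %s)\n", k, seen[k], want[k]; bad++ }
            else                           printf "OK   %s = %s\n", k, seen[k]
        }
        exit (bad > 0)
    }'
}

# Constructed sample in `sshd -T` format: password logins are still enabled.
sample_weak() {
    cat <<'EOF'
port 22
permitrootlogin without-password
passwordauthentication yes
kbdinteractiveauthentication no
permitemptypasswords no
EOF
}

sample_weak | audit_sshd || echo "audit failed: fix the FAIL/MISSING lines above"
```

On the node, run sudo sshd -T | audit_sshd after the restart. This catches a value set earlier in the file or in an included file, because sshd keeps the first value it reads for each keyword.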
Optional: Make logging in easier by updating your local ssh config.
To simplify the ssh command needed to log in to your server, consider updating your local $HOME/.ssh/config file:
Host dexit-server
User dexit
HostName <server.public.ip.address>
Port <custom port number>
This will allow you to log in with ssh dexit-server rather than needing to pass all ssh parameters explicitly.