Securing your Node
Completing this guide will provide a solid baseline to protect and secure your staking node.
- Ubuntu Server or Ubuntu Desktop installed
- SSH server installed
- An SSH client or terminal window access
In case you need to install SSH server, refer to:
Make a habit of logging in to your server using a non-root account. This will prevent the accidental deletion of files if you make a mistake. For instance, the command rm can wipe your entire server if run incorrectly by a root user.
🔥Tip: Do NOT routinely use the root account. Use
If your staking node is your current computer, simply open a terminal window. From anywhere, press Ctrl+Alt+T to open a terminal window.
Otherwise, SSH to your staking node with your SSH client,
Create a new user called dexit
sudo useradd -m -s /bin/bash dexit
Set the password for the dexit user
sudo passwd dexit
Add dexit to the sudo group
sudo usermod -aG sudo dexit
Disable SSH password Authentication and Use SSH Keys only
The basic rules of hardening SSH are:
- No password for SSH access (use private key)
- Don't allow root to SSH (the appropriate users should SSH in, then use sudo, so commands are logged)
- Log unauthorized login attempts (and consider software to block/ban users who try to access your server too many times, like fail2ban)
- Lock down SSH to only the IP range you require (if you feel like it)
Create a new SSH key pair on your local machine. Run this on your local machine. You will be asked to type a file name in which to save the key. This will be your keyname.
ssh-keygen -t ed25519
Make multiple backup copies of your private SSH key file to external storage for recovery purposes.
Transfer the public key to your remote node. Update keyname.pub appropriately.
Log in with your new dexit user
Disable root login and password-based login. Edit the
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to no
Locate PasswordAuthentication and update to no
Locate PermitRootLogin and update to prohibit-password
Locate PermitEmptyPasswords and update to no
Optional: Locate Port and customize it to your random port.
Port <port number>
Validate the syntax of your new SSH configuration.
sudo sshd -t
If the syntax validation reports no errors, restart the SSH process
sudo systemctl restart sshd
Verify the login still works
Alternatively, you might need to add the -p <port#> flag if you used a custom SSH port.
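To confirm that the sshd_config edits above actually took effect, the following added example (not part of the original guide) checks the effective settings printed by `sudo sshd -T` against the values the guide sets. sshd uses the first value it reads for each keyword, so a file pulled in by an Include line can override an edit made lower in sshd_config. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide. Audits effective sshd settings.
# Constructed sample of `sshd -T` output: a drop-in still allows passwords.
SAMPLE_DUMP='port 22
permitrootlogin without-password
passwordauthentication yes
kbdinteractiveauthentication no
permitemptypasswords no'

# effective_value DUMP KEYWORD [ALIAS...]: print the first value found, or "unset".
effective_value() {
  ev_dump=$1; shift
  ev_val=""
  for ev_key in "$@"; do
    ev_val=$(printf '%s\n' "$ev_dump" |
      awk -v k="$ev_key" 'tolower($1) == k { print tolower($2); exit }')
    if [ -n "$ev_val" ]; then break; fi
  done
  # without-password is the deprecated synonym of prohibit-password.
  if [ "$ev_val" = "without-password" ]; then ev_val=prohibit-password; fi
  printf '%s\n' "${ev_val:-unset}"
}

# check_directive DUMP EXPECTED KEYWORD [ALIAS...]: print OK/FAIL, return 0/1.
check_directive() {
  cd_dump=$1; cd_want=$2; shift 2
  cd_got=$(effective_value "$cd_dump" "$@")
  if [ "$cd_got" = "$cd_want" ]; then
    echo "OK   $1 = $cd_got"
  else
    echo "FAIL $1 = $cd_got (guide sets $cd_want)"
    return 1
  fi
}

# audit_sshd DUMP: check the guide's four directives; return the number of FAILs.
audit_sshd() {
  as_fails=0
  check_directive "$1" no passwordauthentication || as_fails=$((as_fails + 1))
  check_directive "$1" no permitemptypasswords || as_fails=$((as_fails + 1))
  check_directive "$1" prohibit-password permitrootlogin || as_fails=$((as_fails + 1))
  # Newer OpenSSH reports ChallengeResponseAuthentication under its current name.
  check_directive "$1" no kbdinteractiveauthentication challengeresponseauthentication ||
    as_fails=$((as_fails + 1))
  return "$as_fails"
}

# Demo on the constructed sample. On a real node: audit_sshd "$(sudo sshd -T)"
audit_sshd "$SAMPLE_DUMP" || echo "$? directive(s) differ from the guide"
```

Note that prohibit-password, the value the guide sets, still permits root to log in with a key; it only blocks password and keyboard-interactive logins for root.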
Optional: Make logging in easier by updating your local ssh config.
To simplify the ssh command needed to log in to your server, consider updating your local
Port <custom port number>
This will allow you to log in with ssh ethereum-server rather than needing to pass through all ssh parameters explicitly.