Securing your Node

Completing this guide will provide a solid baseline to protect and secure your staking node
Pre-requisites
Ubuntu Server or Ubuntu Desktop installed
SSH server installed
a SSH client or terminal window access
In case you need to install SSH server, refer to:
How to Enable SSH on Ubuntu 20.04
linuxize
Mandatory: Create a non-root user with sudo privileges
Make a habit of logging to your server using a non-root account. This will prevent the accidental deletion of files if you make a mistake. For instance, the command rm can wipe your entire server if run incorrectly using by a root user.
🔥Tip: Do NOT routinely use the root account. Use su or sudo, always.
If your staking node is your current computer, simply open a terminal window. From anywhere type Ctrl+Alt+T to open terminal window.
​
Otherwise, SSH to your staking node with your SSH client,
ssh [email protected]
# example
# ssh [email protected]
Create a new user called DeXit
sudo useradd -m -s /bin/bash dexit
Set the password for DeXit user
sudo passwd DeXit
Add dexit to the sudo group
sudo usermod -aG sudo dexit
Add dexit to the sudo group
sudo usermod -aG sudo DeXit

 Disable SSH password Authentication and Use SSH Keys only
​
The basic rules of hardening SSH are:
No password for SSH access (use private key)
Don't allow root to SSH (the appropriate users should SSH in, then su or sudo)
Use sudo for users so commands are logged
Log unauthorized login attempts (and consider software to block/ban users who try to access your server too many times, like fail2ban)
Lock down SSH to only the ip range your require (if you feel like it)
Create a new SSH key pair on your local machine. Run this on your local machine. You will be asked to type a file name in which to save the key. This will be your keyname.
ssh-keygen -t ed25519
Make multiple backup copies of your private SSH key file to external storage for recovery purposes.
Transfer the public key to your remote node. Update keyname.pub appropriately.
ssh-copy-id -i $HOME/.ssh/keyname.pub [email protected]
Login with your new Dexit user
ssh [email protected]
Disable root login and password based login. Edit the /etc/ssh/sshd_config file
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to no
ChallengeResponseAuthentication no
Locate PasswordAuthentication update to no
PasswordAuthentication no
Locate PermitRootLogin and update to prohibit-password
PermitRootLogin prohibit-password
Locate PermitEmptyPasswords and update to no
PermitEmptyPasswords no
Optional: Locate Port and customize it your random port.
Use a random port # from 1024 thru 49141. Check for possible conflicts.​
Port <port number>
Validate the syntax of your new SSH configuration.
sudo sshd -t
If no errors with the syntax validation, restart the SSH process
sudo systemctl restart sshd
Verify the login still works
1
ssh [email protected]
2
ssh [email protected] -p <custom port number>
Alternatively, you might need to add the -p <port#> flag if you used a custom SSH port.
ssh -i <path to your SSH_key_name.pub> [email protected]
​
Optional: Make logging in easier by updating your local ssh config.
To simplify the ssh command needed to log in to your server, consider updating your local $HOME/.ssh/config file:
Host dexit-server
  User dexit
  HostName <server.public.ip.address>
  Port <custom port number>
This will allow you to log in with ssh ethereum-server rather than needing to pass through all ssh parameters explicitly.
​
​
Last modified 7mo ago