Securing your Node
Completing this guide will provide a solid baseline to protect and secure your staking node.
- Ubuntu Server or Ubuntu Desktop installed
- SSH server installed
- an SSH client or terminal window access
In case you need to install SSH server, refer to:
Make a habit of logging in to your server using a non-root account. This will prevent the accidental deletion of files if you make a mistake. For instance, the command rm can wipe your entire server if run incorrectly by a root user.
🔥Tip: Do NOT routinely use the root account. Use su or sudo, always.
If your staking node is your current computer, simply open a terminal window. From anywhere, type Ctrl+Alt+T to open a terminal window.
Otherwise, SSH to your staking node with your SSH client,
Create a new user called dexit
sudo useradd -m -s /bin/bash dexit
Set the password for the dexit user
sudo passwd dexit
Add dexit to the sudo group
sudo usermod -aG sudo dexit
Disable SSH password Authentication and Use SSH Keys only
The basic rules of hardening SSH are:
- No password for SSH access (use private key)
- Don't allow root to SSH (the appropriate users should SSH in, then su or sudo)
- Use sudo for users so commands are logged
- Log unauthorized login attempts (and consider software to block/ban users who try to access your server too many times, like fail2ban)
- Lock down SSH to only the IP range you require (if you feel like it)
Create a new SSH key pair on your local machine. Run this on your local machine. You will be asked to type a file name in which to save the key. This will be your keyname.
ssh-keygen -t ed25519
Make multiple backup copies of your private SSH key file to external storage for recovery purposes.
Transfer the public key to your remote node. Update keyname.pub appropriately.
ssh-copy-id -i $HOME/.ssh/keyname.pub dexit@<server.public.ip.address>
Log in with your new dexit user.
Disable root login and password-based login. Edit the /etc/ssh/sshd_config file
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to no
ChallengeResponseAuthentication no
Locate PasswordAuthentication and update to no
PasswordAuthentication no
Locate PermitRootLogin and update to prohibit-password (root can then log in only with a key, never with a password)
PermitRootLogin prohibit-password
Locate PermitEmptyPasswords and update to no
PermitEmptyPasswords no
Optional: Locate Port and customize it to your random port.
Port <port number>
Validate the syntax of your new SSH configuration.
sudo sshd -t
If no errors with the syntax validation, restart the SSH process
sudo systemctl restart sshd
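Editing /etc/ssh/sshd_config does not guarantee the running values: sshd -T prints the effective configuration, including anything set by included files. The script below is an added example, not part of the original guide; it checks that output against the values set above. The function name audit_sshd and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against this guide's values.
# Input on stdin: "keyword value" lines, the format `sshd -T` prints.
# Real use (on the node): sudo sshd -T | audit_sshd
audit_sshd() (
  fails=0 seen=""
  while read -r key val; do
    key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    case "$key" in
      passwordauthentication|permitemptypasswords|\
      challengeresponseauthentication|kbdinteractiveauthentication)
        seen="$seen $key"
        if [ "$val" != "no" ]; then
          echo "FAIL $key is '$val', expected 'no'"; fails=$((fails + 1))
        fi ;;
      permitrootlogin)
        seen="$seen $key"
        case "$val" in
          # without-password is the older synonym for prohibit-password
          prohibit-password|without-password|no) ;;
          *) echo "FAIL permitrootlogin is '$val'"; fails=$((fails + 1)) ;;
        esac ;;
    esac
  done
  # A setting that never appeared cannot be confirmed: report it too.
  for key in passwordauthentication permitemptypasswords permitrootlogin; do
    case " $seen " in
      *" $key "*) ;;
      *) echo "FAIL $key missing from input"; fails=$((fails + 1)) ;;
    esac
  done
  [ "$fails" -eq 0 ]
)

# Constructed sample inputs (not captured from a real server).
SAMPLE_HARDENED='port 22
permitrootlogin without-password
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no'
SAMPLE_WEAK='permitrootlogin yes
passwordauthentication yes
permitemptypasswords no
challengeresponseauthentication yes'

printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd && echo "hardened sample: OK"
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || echo "weak sample: rejected"
```

Run the audit from a second session before closing the one you are logged in with, so a failed check can still be corrected.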
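Verify the login still works
ssh dexit@<server.public.ip.address> -p <custom port number>
Alternatively, pass the key file explicitly with -i, which takes the private key file rather than the .pub file. You might need to add the -p <port#> flag if you used a custom SSH port.
ssh -i <path to your SSH_key_name> dexit@<server.public.ip.address>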
Optional: Make logging in easier by updating your local ssh config.
To simplify the ssh command needed to log in to your server, consider updating your local $HOME/.ssh/config file:
Host dexit-server
User dexit
HostName <server.public.ip.address>
Port <custom port number>
This will allow you to log in with
ssh dexit-server
rather than needing to pass through all ssh parameters explicitly.