Ubuntu Server or Ubuntu Desktop installed
SSH server installed
a SSH client or terminal window access
In case you need to install SSH server, refer to:
In case you need a SSH client for your operating system, refer to:
SSH to your server
ssh <username>@<server public IP address>
# example
# ssh myUsername@126.96.36.199
Create a new user called cardano
useradd -m -s /bin/bash cardano
Set a password for the cardano user (it is needed for sudo, not for SSH logins once key authentication is enforced below)
Add cardano to the sudo group
usermod -aG sudo cardano
Create a new SSH key pair on your local machine. Run this on your local machine. You will be asked to type a file name in which to save the key. This will be your keyname.
Choose either the ED25519 or the RSA public key algorithm (ED25519 is preferred; use RSA 4096 only if a client or server lacks ED25519 support).
ssh-keygen -t ed25519
ssh-keygen -t rsa -b 4096
Transfer the public key to your remote node for the cardano user. Replace keyname with the file name you chose.
ssh-copy-id -i $HOME/.ssh/<keyname>.pub cardano@<server public IP address>
Login with your new cardano user
Disable root login and password-based login by editing the SSH daemon configuration:
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to no (on OpenSSH 8.7 and later this directive is an alias for KbdInteractiveAuthentication; either name works)
Locate PasswordAuthentication and update to no
Locate PermitRootLogin and update to no
Locate PermitEmptyPasswords and update to no
Optional: Locate Port and change it to a random high port number.
Port <port number>
Two caveats before you continue. First, recent Ubuntu releases start sshd_config with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd honours the first occurrence of a directive, so a drop-in there (cloud-init writes one on many images) that says PasswordAuthentication yes silently overrides what you just set; check that directory too. Second, keep your current session open until the key-based login is verified in the step below, so a mistake cannot lock you out.
Validate the syntax of your new SSH configuration.
sudo sshd -t
If validation reports no errors, reload the SSH service
sudo service sshd reload
Verify the login still works
ssh cardano@<server public IP address> -p <custom port number>
sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean
Enable automatic updates so you don't have to manually install them.
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
System admins should not log in as root day to day. Instead, use sudo from your regular account to run the individual commands that require elevated privileges, and lock the root account's password so it cannot be used for a password login at all.
# To disable the root account, simply use the -l option.
sudo passwd -l root
# If for some valid reason you need to re-enable the account, simply use the -u option.
sudo passwd -u root
sudo apt install libpam-google-authenticator -y
To make SSH use the Google Authenticator PAM module, edit the PAM configuration for sshd:
sudo nano /etc/pam.d/sshd
Add the following line:
auth required pam_google_authenticator.so
If the second factor should be your SSH key plus a one-time code with no password prompt, also comment out the "@include common-auth" line in the same file; otherwise PAM will ask for the account password as well as the code. Now restart the sshd daemon:
sudo systemctl restart sshd.service
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to yes (this re-enables the keyboard-interactive method that PAM uses; on OpenSSH 8.7 and later the directive is an alias for KbdInteractiveAuthentication)
Locate UsePAM and update to yes
By default sshd accepts any single method, so a client that offers a valid key is never asked for the code. To require both the key and the one-time code, also set AuthenticationMethods to publickey,keyboard-interactive.
Save the file, validate it with sudo sshd -t and restart sshd again. Keep your current session open until you have run google-authenticator (below) and confirmed that a fresh login works.
Run the google-authenticator command.
It will ask you a series of questions, here is a recommended configuration:
Make tokens "time-based": yes
Update the .google_authenticator file: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes
You may have noticed the giant QR code that appeared during the process, underneath are your emergency scratch codes to be used if you don’t have access to your phone: write them down on paper and keep them in a safe place.
Now, open Google Authenticator on your phone and add your secret key to make two factor authentication work.
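The sshd_config edits in the "disable root login and password based login" step and in the 2FA step above are the kind of "locate X and update to Y" change that is easy to get wrong by hand (a commented-out duplicate, a line appended inside a Match block, a drop-in file that wins because it is included first). The script below is an added example, not code from the guide or from OpenSSH: it applies the end state both steps reach (keys required, passwords off, one-time code required on top of the key) idempotently and then verifies the effective global values. The sample config, the function names and the temp-file demo are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Idempotent sshd_config editor plus checker (added example for this guide).
# demo() works on a temporary copy; point the functions at
# /etc/ssh/sshd_config as root to apply for real, then run `sshd -t`.

# Set directive KEY to VALUE in FILE. The first matching line (even if it is
# commented out) is rewritten, later duplicates in the global section are
# dropped, and a missing directive is inserted before the first "Match" line,
# because anything after "Match" applies only conditionally.
set_sshd_option() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    function emit() { if (!done) { print k " " v; done = 1 } }
    { raw = $0; sub(/^[ \t]+/, "", raw); line = raw; sub(/^#[ \t]*/, "", line) }
    raw ~ /^Match[ \t]/ { emit(); inmatch = 1 }
    !inmatch && line ~ ("^" k "([ \t]|$)") { emit(); next }
    { print }
    END { emit() }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file mode and owner
  rm -f "$tmp"
}

# Return 0 if KEY's effective global value in FILE is VALUE. sshd honours the
# first uncommented occurrence, and the global section ends at the first Match.
# Note: files pulled in by an Include line are not followed; check them too.
check_sshd_option() {
  awk -v k="$2" -v v="$3" '
    BEGIN { status = 1 }
    /^[ \t]*Match[ \t]/ { exit }
    /^[ \t]*#/ || NF == 0 { next }
    $1 == k { status = ($2 == v) ? 0 : 1; exit }
    END { exit status }
  ' "$1"
}

# End state after both steps of the guide. Drop the last two lines if you
# skip the Google Authenticator step.
apply_ssh_hardening() {
  f=$1
  set_sshd_option "$f" PermitRootLogin no
  set_sshd_option "$f" PasswordAuthentication no
  set_sshd_option "$f" PermitEmptyPasswords no
  set_sshd_option "$f" UsePAM yes
  set_sshd_option "$f" ChallengeResponseAuthentication yes   # alias of KbdInteractiveAuthentication on OpenSSH 8.7+
  set_sshd_option "$f" AuthenticationMethods publickey,keyboard-interactive
}

# Verify every setting; prints the first mismatch and returns non-zero.
verify_ssh_hardening() {
  f=$1
  for kv in "PermitRootLogin no" "PasswordAuthentication no" "PermitEmptyPasswords no" \
            "UsePAM yes" "ChallengeResponseAuthentication yes" \
            "AuthenticationMethods publickey,keyboard-interactive"; do
    set -- $kv
    check_sshd_option "$f" "$1" "$2" || { echo "MISMATCH: $1 should be $2"; return 1; }
  done
}

# Constructed sample resembling a stock Ubuntu sshd_config (not a real file).
SAMPLE_SSHD_CONFIG='Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes'

# Harden a temp copy of the sample, verify it, and print the file path.
demo() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$f"
  apply_ssh_hardening "$f"
  verify_ssh_hardening "$f" && echo "$f"
}
```

On the real node: source the file, run apply_ssh_hardening and verify_ssh_hardening against /etc/ssh/sshd_config as root, check /etc/ssh/sshd_config.d/ for drop-ins that set PasswordAuthentication yes, run sudo sshd -t, and only then reload sshd from a second session while the first stays open.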
sudo nano /etc/fstab
Insert the following line at the bottom of the file and save/close.
tmpfs /run/shm tmpfs ro,noexec,nosuid 0 0
noexec and nosuid stop an attacker from dropping a binary into shared memory and running it. Be aware that ro makes the segment read-only for every program (on current Ubuntu /run/shm is a symlink to /dev/shm), which breaks anything that uses POSIX shared memory; if something on the node needs it, use rw,noexec,nosuid,nodev instead.
Reboot the node in order for the changes to take effect.
sudo apt-get install fail2ban -y
Create or edit the local jail file that monitors SSH logins (jail.local overrides the packaged jail.conf, which you should not edit directly).
sudo nano /etc/fail2ban/jail.local
Add the following lines to the bottom of the file.
[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip = <list of whitelisted IP addresses, e.g. your local daily laptop/pc>
If the node has no rsyslog, /var/log/auth.log does not exist and the jail will fail to start; in that case set the jail's backend to systemd so fail2ban reads the journal instead of a log file.
Restart fail2ban for settings to take effect.
sudo systemctl restart fail2ban
The standard UFW firewall can be used to control network access to your node.
With any new installation, ufw is disabled by default. Enable it with the following settings.
Port 22 (or your random port #) TCP for SSH connection
Port 6000 TCP for p2p traffic
Port 3000 TCP for Grafana web server (if hosted on current node)
Port 9090 TCP for Prometheus export data (optional, if hosted on current node)
Allow the SSH port before running ufw enable, otherwise you lock yourself out. The Grafana and Prometheus ports are not opened here; see the note below about when it is safe to do so.
sudo ufw allow <22 or your random port number>/tcp
sudo ufw allow 6000/tcp
sudo ufw enable
sudo ufw status numbered
Only open the following ports on nodes behind a network firewall.
🔥 It is dangerous to open these ports on a VPS/cloud node.
sudo ufw allow 3000/tcp
sudo ufw allow 9090/tcp
Confirm the settings are in effect. The listing shows 3000/tcp only if you opened the Grafana port; on an internet-facing node it should not be there.
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 3000/tcp                   ALLOW IN    Anywhere
[ 3] 6000/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 3000/tcp (v6)              ALLOW IN    Anywhere (v6)
[ 6] 6000/tcp (v6)              ALLOW IN    Anywhere (v6)
[ Optional but recommended ] Whitelisting (or permitting connections from a specific IP) can be setup via the following command.
sudo ufw allow from <your local daily laptop/pc>
# Example
# sudo ufw allow from 192.168.50.22
If you want to maintain a secure server, validate the listening network ports every once in a while. Every port that listens on a non-loopback address is reachable through whatever ufw allows, and a listener you did not expect is an early sign of a misconfiguration or a compromise.
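As an added example (not code from the guide), the script below audits the output of ss -tulpn against the ports this guide expects to be reachable, ignoring loopback-only listeners. The expected port list (22 or your custom port, and 6000 for p2p) and the constructed sample output are assumptions; the sample shows a node with Grafana and Prometheus bound to all interfaces, which the guide warns against on a VPS.

```shell
#!/usr/bin/env bash
# Listening-port audit for a node hardened as in this guide (added example).
# Feed it `ss -tulpn` output; it reports sockets reachable from the network
# whose port is not in the expected list.

# Turn `ss -tulpn` output into "proto address port process" lines.
# Field 5 is Local Address:Port; the process name sits in users:(("name",...)).
parse_listeners() {
  awk 'NR > 1 {
    n = split($5, a, ":"); port = a[n]
    addr = substr($5, 1, length($5) - length(port) - 1)
    proc = "?"
    if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
    print $1, addr, port, proc
  }'
}

# Print every network-reachable listener whose port is not among the
# arguments. Loopback-only sockets (for example the cardano-node Prometheus
# metrics port on 127.0.0.1) are skipped since ufw does not expose them.
unexpected_listeners() {
  expected=" $* "
  parse_listeners | while read -r proto addr port proc; do
    case "$addr" in 127.*|"[::1]") continue ;; esac
    case "$expected" in *" $port "*) ;; *) echo "$proto $addr:$port $proc" ;; esac
  done
}

# Constructed sample of `ss -tulpn` output (not captured from a real node).
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096            [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:6000      0.0.0.0:*     users:(("cardano-node",pid=1200,fd=15))
tcp   LISTEN 0      4096       127.0.0.1:12798     0.0.0.0:*     users:(("cardano-node",pid=1200,fd=16))
udp   UNCONN 0      0       127.0.0.53%lo:53        0.0.0.0:*     users:(("systemd-resolve",pid=500,fd=12))
tcp   LISTEN 0      4096               *:3000            *:*     users:(("grafana",pid=1500,fd=9))
tcp   LISTEN 0      4096         0.0.0.0:9090      0.0.0.0:*     users:(("prometheus",pid=1600,fd=7))'

# Audit the sample with the guide's expected ports; non-zero if anything is exposed.
demo() {
  out=$(printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_listeners 22 6000)
  [ -z "$out" ] || { echo "Unexpected listeners:"; echo "$out"; return 1; }
}

# Live use on the node:  audit_live [expected ports...]   (defaults to 22 6000)
audit_live() {
  [ $# -gt 0 ] || set -- 22 6000
  ss -tulpn | unexpected_listeners "$@"
}
```

Run audit_live with your SSH port and 6000 (plus 3000 and 9090 only on a node behind a network firewall) from a cron job or before each maintenance window; any line it prints is a port to explain or close.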