SSH to your server
Create a new user called cardano
useradd -m -s /bin/bash cardano
Set the password for the cardano user
Add cardano to the sudo group
usermod -aG sudo cardano
Create a new SSH key pair on your local machine (run this locally, not on the server). You will be asked to type a file name in which to save the key; this will be your keyname.
ssh-keygen -t rsa
Transfer the public key to your remote node. Replace <keyname> with the file name you chose and <server ip address> with your node's address.
ssh-copy-id -i $HOME/.ssh/<keyname>.pub cardano@<server ip address>
Login with your new cardano user
Disable root login and password-based login. Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and set it to no
Locate PasswordAuthentication and set it to no
Locate PermitRootLogin and set it to no
Locate PermitEmptyPasswords and set it to no
Optional: locate Port and change it to your chosen random port.
Port <port number>
Validate the syntax of your new SSH configuration.
sudo sshd -t
If the syntax validation reports no errors, reload the SSH process
sudo service sshd reload
Verify the login still works
Update and clean up the installed packages.
sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean
Enable automatic updates so you don't have to manually install them.
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
System admins should not log in as root in order to maintain server security. Instead, use sudo to execute the commands that require elevated privileges.
# To disable the root account, simply use the -l option.
sudo passwd -l root
# If for some valid reason you need to re-enable the account, simply use the -u option.
sudo passwd -u root
Install the Google Authenticator PAM module.
sudo apt install libpam-google-authenticator -y
To make SSH use the Google Authenticator PAM module, edit the PAM configuration for sshd:
sudo nano /etc/pam.d/sshd
Add the following line:
auth required pam_google_authenticator.so
Now restart the sshd daemon:
sudo systemctl restart sshd.service
Then edit the SSH daemon configuration file again:
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and set it to yes
Locate UsePAM and set it to yes
Save the file and exit.
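As an added check, not part of the original guide, the POSIX shell snippet below reads an sshd_config and reports the effective value of each keyword changed in the two sshd_config edits above, resolving them the way sshd does: comments ignored, keyword case ignored, first occurrence wins. The expected values are the ones the guide ends with (password and root login off, ChallengeResponseAuthentication and UsePAM on for the PAM module), and the sample config it audits is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper, not part of the original guide. Reports the effective value
# of each sshd_config keyword the guide edits and flags deviations. Like sshd, it
# ignores comments and keyword case and takes the FIRST occurrence of a keyword.

# effective_value FILE KEYWORD -> prints the first active value, or "unset"
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_sshd_config FILE -> one line per keyword; returns the count of keywords
# whose effective value differs from the guide's final setting (0 = all good).
check_sshd_config() {
    file="$1"; bad=0
    # Expected values after both edits in the guide: ChallengeResponseAuthentication
    # ends up "yes" because the Google Authenticator step turns it back on.
    for pair in PasswordAuthentication=no PermitRootLogin=no PermitEmptyPasswords=no \
                ChallengeResponseAuthentication=yes UsePAM=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            printf 'OK   %-32s %s\n' "$key" "$got"
        else
            printf 'FAIL %-32s %s (want %s)\n' "$key" "$got" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample config: the hardened line is commented out and the later
# duplicate is ignored, so the effective PasswordAuthentication is "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin prohibit-password
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
EOF
check_sshd_config "$sample" || echo "$? keyword(s) need attention"   # prints 2
rm -f "$sample"
```

On recent Ubuntu releases sshd_config carries an Include directive, and a drop-in file under /etc/ssh/sshd_config.d can override these keywords before your edits are reached; `sudo sshd -T` prints the effective merged configuration, which can be saved to a file and audited with the same function.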
Run the google-authenticator command.
It will ask you a series of questions, here is a recommended configuration:
Make tokens "time-based": yes
Update the .google_authenticator file: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes
You may have noticed the giant QR code that appeared during the process; underneath it are your emergency scratch codes, to be used if you do not have access to your phone. Write them down on paper and keep them in a safe place.
Now, open Google Authenticator on your phone and add your secret key to make two factor authentication work.
Mount shared memory read-only, without exec or setuid. Edit the filesystem table:
sudo nano /etc/fstab
Insert the following line to the bottom of the file and save/close.
tmpfs /run/shm tmpfs ro,noexec,nosuid 0 0
Reboot the node in order for changes to take effect.
Install fail2ban.
sudo apt-get install fail2ban -y
Edit a config file that monitors SSH logins.
sudo nano /etc/fail2ban/jail.local
Add the following lines to the bottom of the file.
[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Restart fail2ban for settings to take effect.
sudo systemctl restart fail2ban
The standard UFW firewall can be used to control network access to your node.
With any new installation, ufw is disabled by default. Enable it with the following settings.
Port 22 (or your random port #) TCP for SSH connection
Port 6000 TCP for p2p traffic
Port 3000 TCP for Grafana web server (if hosted on this node)
sudo ufw allow <22 or your random port number>/tcp
sudo ufw allow 6000/tcp
sudo ufw allow 3000/tcp
sudo ufw enable
sudo ufw status numbered
Confirm the settings are in effect.
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 3000/tcp                   ALLOW IN    Anywhere
[ 3] 6000/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 3000/tcp (v6)              ALLOW IN    Anywhere (v6)
[ 6] 6000/tcp (v6)              ALLOW IN    Anywhere (v6)
If you want to maintain a secure server, you should check the listening network ports every once in a while. Either of the following commands lists the listening TCP and UDP ports together with the owning process.
netstat -tulpn
ss -tulpn