Hardening an Ubuntu Server

Quick steps to secure your node.


Last updated 1 year ago


Prerequisites

  • Ubuntu Server or Ubuntu Desktop installed

  • SSH server installed

  • an SSH client or terminal window access

In case you need to install an SSH server, refer to: How to install SSH server on Ubuntu

In case you need an SSH client for your operating system, refer to: How to Connect to an SSH Server from Windows, macOS, or Linux (How-To Geek)

Creating a Non-root User with sudo Privileges

Tip: Do NOT routinely use the root account. Use su or sudo, always.

Make a habit of logging in to your server using a non-root account. This prevents the accidental deletion of files if you make a mistake. For instance, the command rm can wipe your entire server if run incorrectly by the root user.

SSH to your server

ssh username@server.public.ip.address
# example
# ssh myUsername@77.22.161.10

Create a new user called cardano

useradd -m -s /bin/bash cardano

Set the password for cardano user

passwd cardano

Add cardano to the sudo group

usermod -aG sudo cardano

Disabling SSH Password Authentication and Using SSH Keys Only

The basic rules of hardening SSH are:

  • No password for SSH access (use private key)

  • Don't allow root to SSH (the appropriate users should SSH in, then su or sudo)

  • Use sudo for users so commands are logged

  • Log unauthorized login attempts (and consider software to block/ban users who try to access your server too many times, like fail2ban)

  • Lock down SSH to only the ip range you require (if you feel like it)

Create a new SSH key pair on your local machine, using your choice of public key algorithm (ED25519 or RSA). You will be asked to type a file name in which to save the key; this will be your keyname.

# either ED25519
ssh-keygen -t ed25519
# or RSA with a 4096-bit key
ssh-keygen -t rsa -b 4096

Transfer the public key to your remote node. Update the keyname.

ssh-copy-id -i $HOME/.ssh/<keyname>.pub cardano@server.public.ip.address

Login with your new cardano user

ssh cardano@server.public.ip.address

Disable root login and password-based login. Edit the /etc/ssh/sshd_config file

sudo nano /etc/ssh/sshd_config

Locate PubkeyAuthentication and update to yes. Delete the #, if needed.

PubkeyAuthentication yes

Locate PasswordAuthentication and update to no

PasswordAuthentication no 

Locate PermitRootLogin and update to prohibit-password

PermitRootLogin prohibit-password

Locate PermitEmptyPasswords and update to no

PermitEmptyPasswords no

Optional: Locate Port and customize it to your random port number. Use a random port # from 1024 thru 49141, and check for possible conflicts with other services.

Port <port number>

Validate the syntax of your new SSH configuration.

sudo sshd -t

If the syntax validation reports no errors, restart the SSH process.

sudo systemctl restart sshd

Verify the login still works. If you used a custom SSH port, add the -p <port#> flag. If ssh does not pick up your key automatically, pass the private key file (the counterpart of the .pub file you copied to the server) explicitly with -i.

ssh cardano@server.public.ip.address
# With a custom SSH port
ssh cardano@server.public.ip.address -p <custom port number>
# Specifying the private key file explicitly
ssh -i $HOME/.ssh/<keyname> cardano@server.public.ip.address
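
To verify these settings after restarting SSH, here is an added example (not part of the CoinCashew guide) that checks the values sshd reports via sudo sshd -T against the four settings edited above. The function and sample names are this example's own, and the sample output is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the CoinCashew guide): check the settings sshd
# actually runs with, as printed by "sudo sshd -T", against the hardening
# values set in this section. Reads the "sshd -T" text on stdin so it can
# also be run against a saved copy; sshd -T prints keywords in lowercase.
# Usage on the node:  sudo sshd -T | check_sshd_hardening

check_sshd_hardening() {
    # Expected key=value pairs, exactly as edited into sshd_config above.
    expected="pubkeyauthentication=yes
passwordauthentication=no
permitrootlogin=prohibit-password
permitemptypasswords=no"
    # Read all of stdin once, lowercased, so each key can be looked up.
    actual=$(tr '[:upper:]' '[:lower:]')
    failures=0
    for pair in $expected; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$actual" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $key (expected $want)"
            failures=$((failures + 1))
        elif [ "$got" != "$want" ]; then
            echo "WRONG    $key=$got (expected $want)"
            failures=$((failures + 1))
        else
            echo "OK       $key=$got"
        fi
    done
    # Exit status is the number of settings that deviate (0 = all hardened).
    return "$failures"
}

# Constructed sample of "sshd -T" output (not captured from a real host),
# with password and root logins still enabled, so the check reports two problems.
SAMPLE_SSHD_T='port 22
pubkeyauthentication yes
passwordauthentication yes
permitrootlogin yes
permitemptypasswords no'

# Run the check over the constructed sample; returns its failure count.
demo_sshd_check() { printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_hardening; }
```

Running it against the real daemon needs root, because sshd -T reads the host keys while evaluating the configuration.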

Optional: Make logging in easier by updating your local ssh config.

To simplify the ssh command needed to log in to your server, consider updating your local $HOME/.ssh/config file:

Host cardano-server
  User cardano
  HostName <server.public.ip.address>
  Port <custom port number>

This will allow you to log in with ssh cardano-server rather than needing to pass through all ssh parameters explicitly.

Updating Your System

It's critically important to keep your system up-to-date with the latest patches to prevent intruders from accessing your system.

sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean

Enable automatic updates so you don't have to manually install them. By default, when enabled, the unattended-upgrades service only installs security updates automatically. For details on configuring unattended upgrades, see How to Setup & Configure Unattended Upgrades on Ubuntu 20.04, for example.

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Disabling the root Account

System admins should not frequently log in as root, in order to maintain server security. Instead, use sudo to run the commands that require elevated privileges.

# To disable the root account, simply use the -l option.
sudo passwd -l root
# If for some valid reason you need to re-enable the account, simply use the -u option.
sudo passwd -u root

Configuring Two Factor Authentication for SSH

SSH, the secure shell, is often used to access remote Linux systems. Because we often use it to connect to computers containing important data, it's recommended to add another security layer. This is where two factor authentication (2FA) comes in.

Note: If you are enabling 2FA on a remote machine that you access over SSH, you need to follow steps 2 and 3 of this tutorial to make 2FA work.

sudo apt install libpam-google-authenticator -y

To make SSH use the Google Authenticator PAM module, edit the /etc/pam.d/sshd file:

sudo nano /etc/pam.d/sshd 

Add the following line:

auth required pam_google_authenticator.so

Now you need to restart the sshd daemon using:

sudo systemctl restart sshd.service

Modify /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Locate ChallengeResponseAuthentication and update to yes

ChallengeResponseAuthentication yes

Locate UsePAM and update to yes

UsePAM yes

Save the file and exit.

Run the google-authenticator command.

google-authenticator

It will ask you a series of questions, here is a recommended configuration:

  • Make tokens "time-based": yes

  • Update the .google_authenticator file: yes

  • Disallow multiple uses: yes

  • Increase the original generation time limit: no

  • Enable rate-limiting: yes

You may have noticed the giant QR code that appeared during the process, underneath are your emergency scratch codes to be used if you don’t have access to your phone: write them down on paper and keep them in a safe place.

Now, open Google Authenticator on your phone and add your secret key to make two factor authentication work.

Securing Shared Memory

One of the first things you should do is secure the shared memory used on the system. If you're unaware, shared memory can be used in an attack against a running service. Because of this, secure that portion of system memory.

To learn more about secure shared memory, read this techrepublic.com article.

One exceptional case

There may be a reason for you needing to have that memory space mounted in read/write mode (such as a specific server application that requires such access to the shared memory, or a standard application like Google Chrome). In this case, use the following line for the fstab file with the instructions below.

none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0

The above line mounts the shared memory with read/write access but without permission to execute programs, change the UID of running programs, or create block or character devices in the namespace. This is a net security improvement over the default settings.

Use with caution

With some trial and error, you may discover that some applications (like Chrome) do not work with shared memory in read-only mode. For the highest security, and if compatible with your applications, it is a worthwhile endeavor to implement this secure shared memory setting.

Edit /etc/fstab

sudo nano /etc/fstab

Insert the following line to the bottom of the file and save/close.

tmpfs	/run/shm	tmpfs	ro,noexec,nosuid	0 0

Reboot the node for the changes to take effect.

sudo reboot

Source: techrepublic.com

Installing fail2ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.

sudo apt-get install fail2ban -y

Edit a config file that monitors SSH logins.

sudo nano /etc/fail2ban/jail.local

Add the following lines to the bottom of the file.

[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip = <list of whitelisted IP address, your local daily laptop/pc>
# Example
# ignoreip = 192.168.1.0/24 127.0.0.1/8

Save/close file.

Whitelisting IP address tip: The ignoreip parameter accepts IP addresses, IP ranges or DNS hosts that fail2ban should never ban. This is where you specify your local machine, local IP range or local domain, separated by spaces.

Restart fail2ban for settings to take effect.

sudo systemctl restart fail2ban
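
As an added example that is not part of the original guide, the following shell function mimics what the sshd jail above does: it counts failed logins per source IP in auth.log lines and reports the addresses that reached maxretry, honouring an ignoreip-style whitelist of exact addresses. The sample log lines are constructed, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the CoinCashew guide): a minimal stand-in for the
# sshd filter that fail2ban runs over /var/log/auth.log. It counts failed
# SSH logins per source IP, skips addresses listed like ignoreip above
# (exact IPs only, no CIDR ranges), and prints the IPs that reached
# maxretry, i.e. the ones fail2ban would ban. Real fail2ban also applies a
# findtime window; this counts the whole input.
# Usage on the node:  sudo sh -c 'failed_login_report 3 "192.0.2.44" < /var/log/auth.log'

failed_login_report() {
    maxretry=${1:-3}    # same meaning as maxretry in jail.local
    ignoreip=${2:-}     # space-separated exact IPs to skip (like ignoreip)
    # Match the line shapes fail2ban's sshd filter keys on and take the
    # address after "from":
    #   sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2
    #   sshd[PID]: Invalid user NAME from IP port N
    awk -v max="$maxretry" -v ignore="$ignoreip" '
        BEGIN { n = split(ignore, ig, " "); for (j = 1; j <= n; j++) skip[ig[j]] = 1 }
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in skip)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) printf "BAN %s %d\n", ip, fails[ip] }
    ' | sort
}

# Constructed sample auth.log lines (not real traffic): three failures from
# 203.0.113.7, one from 192.0.2.44 (the operator's own laptop, which then
# logs in with its key), and one from 198.51.100.9.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 node sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 node sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:19 node sshd[1203]: Invalid user admin from 203.0.113.7 port 51030
Mar  3 10:02:01 node sshd[1210]: Failed password for cardano from 192.0.2.44 port 40122 ssh2
Mar  3 10:02:40 node sshd[1215]: Accepted publickey for cardano from 192.0.2.44 port 40130 ssh2
Mar  3 10:03:05 node sshd[1220]: Failed password for invalid user pi from 198.51.100.9 port 33001 ssh2'

# Report over the sample with maxretry=3 and 192.0.2.44 whitelisted;
# prints "BAN 203.0.113.7 3".
demo_failed_logins() { printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_login_report 3 "192.0.2.44"; }
```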

Configuring Your Firewall

The standard UFW firewall can be used to control network access to your node.

With any new installation, UFW is disabled by default. Enable UFW. Assuming that you use the default profile, allowing outgoing traffic and denying incoming traffic, open the following ports to incoming traffic:

  • Port 22 (or your random port #) TCP for SSH connection

  • Port 123 UDP for chrony ntp

  • Port 6000 TCP for Cardano network traffic

If you install a Grafana dashboard for monitoring your Cardano stake pool, then also open the following ports in UFW:

  • Port 3000 TCP for Grafana web server

  • Port 9100 TCP for Prometheus Node Exporter data

  • Port 12798 TCP for Cardano Node data for Prometheus

# By default, deny all incoming traffic and allow outgoing traffic.
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow ssh access on the default port 22
sudo ufw allow ssh
# If you changed the SSH port, allow your random port number instead
# sudo ufw allow <your random ssh port number>/tcp
# Allow cardano-node p2p port
sudo ufw allow 6000/tcp
# Enable firewall
sudo ufw enable
# Verify status
sudo ufw status numbered

Do not expose Grafana (port 3000) and the Prometheus endpoints (ports 9100 and 12798) to the public internet, as this invites a new attack surface!

Better idea - SSH tunnel to Grafana server

Set up an SSH tunnel with the following command:

ssh -L 3000:localhost:3000 <user>@<your-server-ip-or-dns>

Alternatively, if using PuTTY for SSH, you can configure the tunnel as follows. Make sure to click "Add" and save your new profile settings.

Now you can access the Grafana server from your local machine's browser by visiting http://localhost:3000

Only open the following ports on nodes behind a network firewall. It is dangerous to open these ports on a VPS/cloud node. This is not required if using the above SSH tunnel method.

# Allow grafana web server port
sudo ufw allow 3000/tcp
# Allow prometheus endpoint port
sudo ufw allow 9100/tcp
# Allow prometheus cardano-node metric data port
sudo ufw allow 12798/tcp

Confirm the settings are in effect with sudo ufw status numbered; the output looks like this:

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 3000/tcp                   ALLOW IN    Anywhere
[ 3] 6000/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 3000/tcp (v6)              ALLOW IN    Anywhere (v6)
[ 6] 6000/tcp (v6)              ALLOW IN    Anywhere (v6)
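
As an added check (not part of the CoinCashew guide), this shell function scans ufw status numbered output for monitoring ports allowed from Anywhere, which is exactly the exposure the warning above describes. The sample status text is constructed and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the CoinCashew guide): scan "sudo ufw status
# numbered" output for the monitoring ports that should never be open to
# the whole internet (Grafana 3000, Node Exporter 9100, cardano-node
# metrics 12798). Reads the status text on stdin, prints each exposed rule
# and returns how many it found (0 = nothing exposed).
# Usage on the node:  sudo ufw status numbered | check_ufw_monitoring_ports

check_ufw_monitoring_ports() {
    ports="3000 9100 12798"
    found=0
    while IFS= read -r line; do
        for p in $ports; do
            # A rule line looks like: "[ 2] 3000/tcp   ALLOW IN    Anywhere"
            # (IPv6 rules add "(v6)"); a rule restricted to a source such as
            # "192.168.50.22" instead of "Anywhere" is fine and not reported.
            case "$line" in
                *"] $p/tcp "*"ALLOW IN"*"Anywhere"*)
                    echo "EXPOSED: $line"
                    found=$((found + 1))
                    ;;
            esac
        done
    done
    return "$found"
}

# Constructed sample, modelled on the status output shown above, with
# Grafana's port 3000 open to Anywhere over IPv4 and IPv6 (two findings)
# and Node Exporter correctly limited to one trusted address.
SAMPLE_UFW_STATUS='     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 3000/tcp                   ALLOW IN    Anywhere
[ 3] 6000/tcp                   ALLOW IN    Anywhere
[ 4] 9100/tcp                   ALLOW IN    192.168.50.22
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 3000/tcp (v6)              ALLOW IN    Anywhere (v6)
[ 7] 6000/tcp (v6)              ALLOW IN    Anywhere (v6)'

# Run the scan over the constructed sample; returns the number of findings (2).
demo_ufw_check() { printf '%s\n' "$SAMPLE_UFW_STATUS" | check_ufw_monitoring_ports; }
```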

[ Optional but recommended ] Whitelisting (or permitting connections from a specific IP) can be set up via the following command.

sudo ufw allow from <your local daily laptop/pc>
# Example
# sudo ufw allow from 192.168.50.22

Port Forwarding Tip: You'll need to forward and open ports to your node. Verify it's working with https://www.yougetsignal.com/tools/open-ports/ or https://canyouseeme.org/.

Additional Hardening Rules for a Block-producing Node

Only your Relay Node(s) should be permitted access to your Block Producer Node.

sudo ufw allow proto tcp from <RELAY NODE IP> to any port <BLOCK PRODUCER PORT>
# Example
# sudo ufw allow proto tcp from 18.58.3.31 to any port 6000

Additional Hardening Rules for Relay Nodes

In order to protect your Relay Node(s) from a novel "DoS/Syn" attack, Michael Fazio created an iptables entry which restricts connections to a given destination port to 5 connections from the same IP.

Replace <RELAY NODE PORT> with your public relay port, and replace the 5 with your preferred connection limit.

sudo iptables -I INPUT -p tcp -m tcp --dport <RELAY NODE PORT> --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 5 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset

iptables rules applied via terminal are not reboot-resistant!

Set the connection limit high enough so that your internal relay/block producer node topology remains functional.

You can check your current connections with a list of connection counts per remote IP, sorted by count. Change the relay node port number, if needed.

sudo netstat -enp | grep ":6000" | awk '{print $5}' | cut -d ':' -f 1 | sort | uniq -c | sort -n

DDoS/Syn attacks can be complex and can take down a node. A single iptables rule may not be sufficient to protect or mitigate against more modern attacks. Moreover, iptables rules added via the terminal are forgotten if the machine or the iptables service is restarted.

Carden Pool [CRPL] provides a script that configures and deploys iptables rules specifically designed to protect from various DDoS attack vectors, ensuring the persistence of these rules even after reboots. Further information can be found in the Carden Pool GitHub repository.

Verifying Listening Ports

If you want to maintain a secure server, you should validate the listening network ports every once in a while. This provides essential information about your network.

# Legacy tool; run with sudo to see the owning process for every socket
netstat -tulpn
# Modern replacement for netstat, same flags
ss -tulpn

Congrats on completing the guide. 🎊

Any feedback and all pull requests much appreciated.

Hang out and chat with our stake pool community on Telegram @ https://t.me/coincashew
References

  • How to install SSH server on Ubuntu

  • How to Connect to an SSH Server from Windows, macOS, or Linux (How-To Geek)

  • How to Harden your Ubuntu 18.04 Server (Medium)

  • Ubuntu system hardening guide for desktops and servers (Linux Audit)

  • How To Harden OpenSSH on Ubuntu 18.04 (DigitalOcean)

  • Configure SSH to use two-factor authentication (Ubuntu)

  • How to Harden Ubuntu Server 18.04 in 5 Easy Steps (Lifewire)

  • The 50 Best Linux Hardening Security Tips: A Comprehensive Checklist (UbuntuPIT)

  • https://gist.github.com/lokhman/cc716d2e2d373dd696b2d9264c0287a3#file-ubuntu-hardening-md