Security Best Practices for your ETH staking validator node
Quick steps to secure your node.
Completing this guide will provide a solid baseline to protect and secure your staking node.
🤖 Pre-requisites
Ubuntu Server or Ubuntu Desktop installed on a local computer. Bonus points for increasing decentralization of Ethereum and not relying on cloud providers.
a SSH client or terminal window access
In case you need a SSH client for your operating system, refer to:
🧙♂️ Mandatory: Create a non-root user with sudo privileges
If you're using Ubuntu Desktop then you're likely currently on your staking node. Simply open a terminal window from anywhere by typing Ctrl+Alt+T.
Otherwise, begin by connecting to Ubuntu Server with your SSH client.
Create a new user called ethereum
sudo useradd -m -s /bin/bash ethereum
Set the password for ethereum user
sudo passwd ethereum
Add ethereum to the sudo group
sudo usermod -aG sudo ethereum
🔐 Mandatory: Disable SSH password Authentication and Use SSH Keys only
If you're using Ubuntu Desktop locally, you can skip this section.
Create a new SSH key pair on your local machine. Run this on your local machine. You will be asked to type a file name in which to save the key. This will be your keyname.
ssh-keygen -t ed25519
Your SSH key pair is stored in your home directory. For example, if your keyname was mySSHkey, then your private SSH key is mySSHkey
and your public SSH key is mySSHkey.pub
IMPORTANT: Make multiple backup copies of your private SSH key file to external storage, such as a USB backup key, for recovery purposes.
Verify the contents of your private SSH key file before moving on.
cat <keyname>
It should look similar to this example.
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBAblzWLb7/0o62FZf9YjLPCV4qFhbqiSH3TBvZXBiYNgAAAJCWunkulrp5
LgAAAAtzc2gtZWQyNTUxOQAAACBAblzWLb7/0o62FZf9YjLPCV4qFhbqiSH3TBvZXBiYNg
AAAEAxT+yCmifGWgbFnkauf0HyOAJANhYY5EElEX8fI+M4B0BuXNYtvv/SjrYVl/1iMs8J
XioWFuqJIfdMG9lcGJg2AAAACWV0aDJAZXRoMgECAwQ=
-----END OPENSSH PRIVATE KEY-----
Transfer the public key to your remote node. Replace <keyname.pub> appropriately.
ssh-copy-id -i $HOME/<keyname.pub> [email protected]
Login with your new ethereum user
Disable root login and password based login. Edit the /etc/ssh/sshd_config file
sudo nano /etc/ssh/sshd_config
Locate PubkeyAuthentication and update to yes. Delete the #, if needed.
PubkeyAuthentication yes
Locate PasswordAuthentication and update to no
PasswordAuthentication no
Locate PermitRootLogin and update to prohibit-password
PermitRootLogin prohibit-password
Locate PermitEmptyPasswords and update to no
PermitEmptyPasswords no
Optional: Locate Port and customize it your random port.
Port <your random port number>
Validate the syntax of your new SSH configuration.
sudo sshd -t
If no errors with the syntax validation, restart the SSH process
sudo systemctl restart sshd
Verify the login still works
Optional: Make logging in easier by updating your local ssh config.
To simplify the ssh command needed to log in to your server, consider updating your local $HOME/.ssh/config
file:
Host ethereum-server
User ethereum
HostName <staking.node.ip.address>
Port <custom random port number>
This will allow you to log in with ssh ethereum-server
rather than needing to pass through all ssh parameters explicitly.
🤖 Mandatory: Update your system
It's critically important to keep your system up-to-date with the latest patches to prevent intruders from accessing your system.
sudo apt-get update -y && sudo apt dist-upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean
Enable automatic updates so you don't have to manually install them.
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
Reboot your system to enable the upgrades.
sudo reboot
🧱 Mandatory: Configure your Firewall
The standard UFW firewall can be used to control network access to your node.
With any new installation, ufw is disabled by default. Enable it with the following settings.
If you used a custom random SSH port, replace "22" with your actual port #.
# By default, deny all incoming and outgoing traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow ssh access
sudo ufw allow 22/tcp
# Allow consensus client port
sudo ufw allow 9000
# Allow execution client port
sudo ufw allow 30303
# Enable firewall
sudo ufw enable
Confirm the settings are in effect.
sudo ufw status numbered
Example of properly configured ufw status for Lighthouse.
To Action From -- ------ ---- [ 1] 22/tcp ALLOW IN Anywhere [ 2] 9000 ALLOW IN Anywhere [ 3] 30303 ALLOW IN Anywhere [ 4] 22/tcp (v6) ALLOW IN Anywhere (v6) [ 5] 9000 (v6) ALLOW IN Anywhere (v6) [ 6] 30303 (v6) ALLOW IN Anywhere (v6)
[ Optional ] Whitelisting, which means permitting connections from a specific IP, can be setup via the following command.
sudo ufw allow from <your local daily laptop/pc>
# Example
# sudo ufw allow from 192.168.50.22
⛓️ Mandatory: Install Fail2ban
sudo apt-get install fail2ban -y
Edit a config file that monitors SSH logins.
sudo nano /etc/fail2ban/jail.local
Add the following lines to the bottom of the file.
[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip = <list of whitelisted IP address, your local daily laptop/pc>
Save/close file.
Restart fail2ban for settings to take effect.
sudo systemctl restart fail2ban
🐻 Optional: Disable root account
System admins should not frequently log in as root in order to maintain server security. Instead, you can use sudo execute that require low-level privileges.
# To disable the root account, simply use the -l option.
sudo passwd -l root
# If for some valid reason you need to re-enable the account, simply use the -u option.
sudo passwd -u root
🛠️ Optional: Setup Two Factor Authentication for SSH
sudo apt install libpam-google-authenticator -y
To make SSH use the Google Authenticator PAM module, edit the /etc/pam.d/sshd
file:
sudo nano /etc/pam.d/sshd
Add the following line:
auth required pam_google_authenticator.so
Now you need to restart the sshd
daemon using:
sudo systemctl restart sshd.service
Modify /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to yes
ChallengeResponseAuthentication yes
Locate UsePAM and update to yes
UsePAM yes
Save the file and exit.
Run the google-authenticator command.
google-authenticator
It will ask you a series of questions, here is a recommended configuration:
Make tokens “time-base”": yes
Update the
.google_authenticator
file: yesDisallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes
You may have noticed the giant QR code that appeared during the process, underneath are your emergency scratch codes to be used if you don’t have access to your phone: write them down on paper and keep them in a safe place.
Now, open Google Authenticator on your phone and add your secret key to make two factor authentication work.
Note: If you are enabling 2FA on a remote machine that you access over SSH you need to follow steps 2 and 3 of this tutorial to make 2FA work.
🧩 Optional: Secure Shared Memory
One exceptional case
There may be a reason for you needing to have that memory space mounted in read/write mode (such as a specific server application like DappNode that requires such access to the shared memory or standard applications like Google Chrome). In this case, use the following line for the fstab file with instructions below.
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
The above line will mount the shared memory with read/write access but without permission to execute programs, change the UID of running programs, or to create block or character devices in the namespace. This a net security improvement over default settings.
Use with caution
With some trial and error, you may discover some applications(like DappNode) do not work with shared memory in read-only mode. For the highest security and if compatible with your applications, it is a worthwhile endeavor to implement this secure shared memory setting.
Source: techrepublic.com
Edit /etc/fstab
sudo nano /etc/fstab
Insert the following line to the bottom of the file and save/close. This sets shared memory into read-only mode.
tmpfs /run/shm tmpfs ro,noexec,nosuid 0 0
Reboot the node in order for changes to take effect.
sudo reboot
👩🚀 Optional: Use system user accounts - Principle of Least Privilege [Advanced Users]
# creates system user account for eth1 service
sudo adduser --system --no-create-home eth1
# creates system user account for validator service
sudo adduser --system --no-create-home validator
# creates system user account for beacon-chain service
sudo adduser --system --no-create-home beacon-chain
# creates system user account for slasher
sudo adduser --system --no-create-home slasher
🔥 Caveats For Advanced Users
If you decide to use system user accounts, remember to replace the systemd unit files with the corresponding users.
# Example of beacon-chain.service unit file
User = beacon-chain
Furthermore, ensure the correct file ownership is assigned to your system user account where applicable.
# Example of prysm validator's password file
sudo chown validator:validator -R $HOME/.eth2validators/validators-password.txt
✨ Additional validator node best practices
Networking
Assign static internal IPs to both your validator node and daily laptop/PC. This is useful in conjunction with ufw and Fail2ban's whitelisting feature. Typically, this can be configured in your router's settings. Consult your router's manual for instructions.
Power Outage
In case of power outage, you want your validator machine to restart as soon as power is available. In the BIOS settings, change the Restore on AC / Power Loss or After Power Loss setting to always on. Better yet, install an Uninterruptable Power Supply (UPS).
Clear the bash history
When pressing the up-arrow key, you can see prior commands which may contain sensitive data. To clear this, run the following:
shred -u ~/.bash_history && touch ~/.bash_history
🚀 References
https://gist.github.com/lokhman/cc716d2e2d373dd696b2d9264c0287a3#file-ubuntu-hardening-md
Last updated