Security Best Practices for your ETH staking validator node
Quick steps to secure your node.
Last updated
Completing this guide will provide a solid baseline to protect and secure your staking node.
Ubuntu Server or Ubuntu Desktop installed on a local computer. Bonus points for increasing decentralization of Ethereum and not relying on cloud providers.
an SSH client or terminal window access
If you need an SSH client for your operating system, refer to:
If you're using Ubuntu Desktop, you're most likely already sitting at your staking node. Open a terminal window from anywhere by pressing Ctrl+Alt+T.
Otherwise, begin by connecting to Ubuntu Server with your SSH client.
Create a new user called ethereum
Set the password for ethereum user
Add ethereum to the sudo group
If you're using Ubuntu Desktop locally, you can skip this section.
The basic rules of hardening SSH are:
No password for SSH access (use a private key)
Don't allow root to SSH (the appropriate users should SSH in, then su or sudo)
Use sudo for users so commands are logged
Log unauthorized login attempts (and consider software such as fail2ban to block/ban addresses that fail to authenticate too many times)
Lock down SSH to only the IP range you require (optional)
Create a new SSH key pair on your local machine (not on the node). You will be asked for a file name in which to save the key; this is your keyname.
Your SSH key pair is stored in your home directory. For example, if your keyname was mySSHkey, then your private SSH key is mySSHkey and your public SSH key is mySSHkey.pub.
IMPORTANT: Make multiple backup copies of your private SSH key file to external storage, such as a USB backup key, for recovery purposes. Protect the key with a passphrase when you generate it: a backup of an unencrypted private key is a ready-to-use credential for whoever finds the USB key, whereas a passphrase-protected one is useless without the passphrase.
Verify the contents of your private SSH key file before moving on.
It should look similar to this example.
Transfer the public key to your remote node. Replace <keyname.pub> appropriately.
Login with your new ethereum user
Disable root login and password-based login. Edit the /etc/ssh/sshd_config file.
Locate PubkeyAuthentication and set it to yes. Delete the leading #, if needed.
Locate PasswordAuthentication and set it to no.
Locate PermitRootLogin and set it to prohibit-password. This still lets root log in with a key; set it to no if root should never log in over SSH at all, which is what the rules above ask for.
Locate PermitEmptyPasswords and set it to no.
Optional: Locate Port and change it to your random port.
A valid random port # ranges from 1024 through 49151 (the registered-port range). Linux hands ports from 32768 upward to outgoing connections by default, so a port below 32768 avoids any chance of a clash with one of those.
Check that the port is not already used by another service. Replace <port> with your random port #.
An empty response means the port is free.
A response with red (highlighted) numbers means the port is already in use. Choose another port.
Validate the syntax of your new SSH configuration.
If the syntax validation reports no errors, restart the SSH process.
Verify the login still works. Do this from a second terminal while keeping your current session open: if the new configuration locks you out, the open session is what lets you fix it.
Optional: Make logging in easier by updating your local ssh config.
To simplify the ssh command needed to log in to your server, consider updating your local $HOME/.ssh/config file:
This will allow you to log in with ssh ethereum-server rather than needing to pass all ssh parameters explicitly.
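The sshd_config edits and the client-side config from this section, as an added example that is not part of the original guide. It rewrites each keyword in place (commented or not) so it can be re-run safely, rejects a custom port outside 1024-49151, and prints the Host stanza for $HOME/.ssh/config. It assumes the stock Ubuntu sshd_config layout with no Match blocks; it sets PermitRootLogin to no rather than the guide's prohibit-password, for the reason given above.

```sh
#!/bin/sh
# Added example: idempotent sshd_config hardening plus the matching client stanza.
# Assumes the stock Ubuntu /etc/ssh/sshd_config (one keyword per line, no Match blocks).

set_sshd_option() {
  # set_sshd_option FILE KEY VALUE
  # Rewrite the first line for KEY, whether active or commented out as "#KEY", to "KEY VALUE";
  # append the setting if KEY does not occur at all. sshd honours the first occurrence of a keyword.
  f=$1 k=$2 v=$3
  tmp=$(mktemp)
  awk -v k="$k" -v v="$v" '
    ($1 == k || $1 == ("#" k)) && !done { print k, v; done = 1; next }
    { print }
    END { if (!done) print k, v }
  ' "$f" > "$tmp" && cat "$tmp" > "$f"   # cat keeps the original file's owner and mode
  rm -f "$tmp"
}

get_sshd_option() {
  # get_sshd_option FILE KEY: print the effective value (first active occurrence), nothing if unset
  awk -v k="$2" '$1 == k && !seen { print $2; seen = 1 }' "$1"
}

harden_sshd_config() {
  # harden_sshd_config FILE [PORT]: the settings from this section. PORT is optional and must be
  # in the registered range 1024-49151 (values below 32768 also stay clear of Linux's ephemeral ports).
  f=$1 port=${2:-}
  if [ -n "$port" ]; then
    case $port in *[!0-9]*) echo "harden_sshd_config: port must be numeric" >&2; return 1 ;; esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 49151 ]; then
      echo "harden_sshd_config: port must be between 1024 and 49151" >&2; return 1
    fi
  fi
  set_sshd_option "$f" PubkeyAuthentication yes
  set_sshd_option "$f" PasswordAuthentication no
  set_sshd_option "$f" PermitEmptyPasswords no
  # "no" rather than prohibit-password: root never logs in over SSH, as the rules above say
  set_sshd_option "$f" PermitRootLogin no
  [ -n "$port" ] && set_sshd_option "$f" Port "$port"
  return 0
}

port_in_use() {
  # port_in_use PORT: succeed if something already listens on PORT (the page's "ss | grep" check)
  ss -tuln | grep -q "[:.]$1[[:space:]]"
}

ssh_client_stanza() {
  # ssh_client_stanza ALIAS HOST USER KEYFILE PORT: a ~/.ssh/config block so "ssh ALIAS" just works.
  # IdentitiesOnly stops ssh from offering every key in the agent before the right one.
  printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n    Port %s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# Usage on the node, as root, after the public key is installed for the ethereum user:
#   sh harden-ssh.sh --apply [PORT]
# Keep the current session open and confirm a fresh login works before closing it.
if [ "${1:-}" = "--apply" ]; then
  harden_sshd_config /etc/ssh/sshd_config "${2:-}"
  sshd -t && systemctl restart ssh
fi
```

Run ssh_client_stanza ethereum-server 192.168.1.50 ethereum ~/.ssh/mySSHkey 22 >> ~/.ssh/config on your local machine to get the "ssh ethereum-server" shortcut described above.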
It's critically important to keep your system up to date with the latest patches, so that known vulnerabilities can't be used to get into your system.
Enable automatic updates so you don't have to install them manually.
Reboot your system so that updates that need it, such as a new kernel, take effect.
The standard UFW firewall can be used to control network access to your node.
On any new installation, ufw is disabled by default. Enable it with the following settings.
If you use a custom random SSH port, replace "22" with your actual port #. Add the SSH rule before running ufw enable, otherwise the default deny policy cuts off your own session.
Confirm the settings are in effect.
Example of properly configured ufw status for Lighthouse.
Port Forwarding Tip: You'll need to forward and open your clients' peer-to-peer ports on your router so that other nodes can reach yours.
Verify port forwarding is working with
As an example, for Lighthouse you would verify that port 9000 (the beacon node) and port 30303 (the execution client's default) are reachable. Test from outside your network or with an external port-check service: a check from inside your LAN never exercises the router's forwarding rule.
For advice on configuring port forwarding with routers, refer to this general port forwarding guide.
[ Optional ] Whitelisting, which means permitting connections only from a specific IP or range, can be set up via the following command.
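The ufw rule set from this section, generated from the SSH port and an optional admin range, as an added example that is not from the original guide. With a range given, the world-wide SSH rule is replaced by the whitelist rule rather than added alongside it, which is the mistake that makes whitelisting pointless. The peer-to-peer ports default to the ones named on the page; port_reachable assumes nc is installed and only proves TCP.

```sh
#!/bin/sh
# Added example: generate (and optionally apply) the ufw rules for a staking node.
P2P_PORTS=${P2P_PORTS:-"30303 9000"}   # execution client and Lighthouse defaults, as on the page

ufw_plan() {
  # ufw_plan SSH_PORT [ADMIN_CIDR]: print the commands in a safe order (SSH rule before enable).
  # With ADMIN_CIDR, SSH is reachable only from that range and no world-wide SSH rule is emitted.
  ssh_port=$1 admin=${2:-}
  case $ssh_port in ''|*[!0-9]*) echo "ufw_plan: SSH port must be numeric" >&2; return 1 ;; esac
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  if [ -n "$admin" ]; then
    echo "ufw allow from $admin to any port $ssh_port proto tcp"
  else
    echo "ufw allow $ssh_port/tcp"
  fi
  for p in $P2P_PORTS; do
    echo "ufw allow $p"          # no protocol given: ufw opens both tcp and udp, which p2p needs
  done
  echo "ufw --force enable"      # --force skips the "may disrupt existing ssh connections" prompt
}

ufw_apply() {
  # ufw_apply SSH_PORT [ADMIN_CIDR]: run the plan with sudo, stopping at the first failure
  ufw_plan "$@" | sed 's/^/sudo /' | sh -e
}

port_reachable() {
  # port_reachable HOST PORT: TCP connect test with a 3 s timeout (needs nc). Run it from outside
  # your LAN, otherwise the router's forwarding rule is never exercised. UDP can't be proven this way.
  nc -z -w 3 "$1" "$2"
}
```

Print the plan first (ufw_plan 22, or ufw_plan 40022 192.168.1.0/24 for a whitelisted admin range), then run ufw_apply with the same arguments; ufw status verbose afterwards should show only the rules printed.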
Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.
Edit a config file that monitors SSH logins.
Add the following lines to the bottom of the file.
Save/close file.
Restart fail2ban for settings to take effect.
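The sshd jail from this section and the ignoreip whitelist from the tip at the end of the page, as an added example that is not from the original guide. Alongside the jail file it runs the same maxretry/findtime rule over a few constructed auth.log lines, so you can see that three failures within the window get a source banned while the same three failures spread over an hour do not. The jail values (3 retries in 10 minutes, 1 hour ban) are this example's choice, not the page's.

```sh
#!/bin/sh
# Added example: the sshd jail for /etc/fail2ban/jail.local, and the ban rule applied to sample lines.

write_sshd_jail() {
  # write_sshd_jail FILE SSH_PORT [IGNOREIP ...]: an sshd jail that bans for 1 hour after 3 failures
  # within 10 minutes; loopback plus any IGNOREIP entries are never banned.
  f=$1 port=$2; shift 2
  {
    printf '[sshd]\nenabled = true\nport = %s\nfilter = sshd\nlogpath = /var/log/auth.log\n' "$port"
    printf 'maxretry = 3\nfindtime = 10m\nbantime = 1h\n'
    if [ $# -gt 0 ]; then printf 'ignoreip = 127.0.0.1/8 ::1 %s\n' "$*"; fi
  } > "$f"
}

sample_auth_log() {
  # Constructed sample lines in rsyslog's auth.log format (not real traffic): one source fails three
  # times in four seconds, another fails three times spread over an hour, plus one legitimate key login.
  cat <<'EOF'
Mar 10 12:00:01 node sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 12:00:03 node sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 10 12:00:05 node sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar 10 12:00:07 node sshd[1004]: Accepted publickey for ethereum from 192.168.1.20 port 50000 ssh2
Mar 10 12:01:00 node sshd[1005]: Failed password for root from 198.51.100.7 port 40010 ssh2
Mar 10 12:30:00 node sshd[1006]: Failed password for root from 198.51.100.7 port 40011 ssh2
Mar 10 12:59:00 node sshd[1007]: Failed password for root from 198.51.100.7 port 40012 ssh2
EOF
}

failed_login_offenders() {
  # failed_login_offenders LOGFILE MAXRETRY FINDTIME_SECONDS [IGNOREIP ...]
  # Print each source address, once, at the moment its MAXRETRY-th failure lands inside a trailing
  # FINDTIME window: the check fail2ban's sshd filter performs on these lines. Whitelisted sources
  # are skipped. Timestamps are reduced to seconds-of-day, which is enough for lines from one day.
  log=$1 maxretry=$2 findtime=$3; shift 3
  awk -v maxretry="$maxretry" -v findtime="$findtime" -v ignore=" $* " '
    /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
      split($3, hms, ":")
      t = hms[1] * 3600 + hms[2] * 60 + hms[3]
      if (!match($0, /from [0-9.]+/)) next
      ip = substr($0, RSTART + 5, RLENGTH - 5)
      if (index(ignore, " " ip " ")) next
      n[ip]++; at[ip, n[ip]] = t
      c = 0
      for (i = n[ip]; i >= 1 && at[ip, i] > t - findtime; i--) c++
      if (c >= maxretry && !flagged[ip]) { flagged[ip] = 1; print ip }
    }' "$log"
}
```

Running sample_auth_log > /tmp/auth.log; failed_login_offenders /tmp/auth.log 3 600 prints only 203.0.113.5; widening the window to 7200 seconds adds 198.51.100.7, and passing 203.0.113.5 as an ignoreip entry silences it, which is exactly why the whitelist should hold only addresses you control.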
System admins should not routinely log in as root. Instead, use sudo to execute the individual commands that require elevated privileges, so that each one is logged against your own user.
SSH, the secure shell, is often used to access remote Linux systems. Because we use it to reach computers holding important data, it's worth adding another security layer: two-factor authentication (2FA).
To make SSH use the Google Authenticator PAM module, edit the /etc/pam.d/sshd file:
Add the following line:
Now restart the sshd daemon using:
Modify /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to yes (on OpenSSH 8.7 and later the keyword is KbdInteractiveAuthentication; the old name is still accepted as an alias).
Locate UsePAM and update to yes
Because password logins were disabled earlier, a key-based login never reaches the PAM auth stack on its own and will not be asked for a code. To require both the key and the code, also add AuthenticationMethods publickey,keyboard-interactive. If /etc/pam.d/sshd still contains @include common-auth, the keyboard-interactive step will ask for the account password as well; comment that line out if you want key plus code and nothing else.
Save the file and exit.
Run the google-authenticator command as the ethereum user, since the secret is written to that user's home directory.
It will ask you a series of questions; here is a recommended configuration:
Make tokens time-based: yes
Update the .google_authenticator file: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes
You may have noticed the giant QR code that appeared during the process; underneath it are your emergency scratch codes, to be used if you don't have access to your phone. Write them down on paper and keep them in a safe place.
Now open Google Authenticator on your phone and add your secret key (scan the QR code or type the key in) to make two-factor authentication work.
Note: If you are enabling 2FA on a remote machine that you access over SSH, you need to follow steps 2 and 3 of this tutorial to make 2FA work. Keep your existing session open until a new login with key and code succeeds.
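What the phone and the PAM module are actually computing, as an added example that is not from the original guide: a TOTP (RFC 6238) implementation in plain sh using openssl for HMAC-SHA1. It lets you confirm that the secret google-authenticator wrote to ~/.google_authenticator (its first line, in base32) produces the same code your phone shows, and it shows the clock-skew window a verifier has to allow. It needs openssl and a POSIX awk; the one-step-either-side tolerance in totp_verify is this example's assumption about the module's default window, not a value taken from the page.

```sh
#!/bin/sh
# Added example: TOTP as used by Google Authenticator (HMAC-SHA1, 30-second steps, 6 digits).

b32_to_hex() {
  # b32_to_hex SECRET: decode an RFC 4648 base32 string (padding optional) to lowercase hex
  printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ' | awk '
    BEGIN { alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" }
    {
      bits = ""
      for (i = 1; i <= length($0); i++) {
        v = index(alpha, substr($0, i, 1)) - 1
        if (v < 0) exit 1
        for (b = 4; b >= 0; b--) bits = bits (int(v / 2^b) % 2)
      }
      for (i = 1; i + 7 <= length(bits); i += 8) {
        byte = 0
        for (b = 0; b < 8; b++) byte = byte * 2 + substr(bits, i + b, 1)
        printf "%02x", byte
      }
      print ""
    }'
}

hex_to_bin() {
  # hex_to_bin HEX: write the raw bytes for HEX using only POSIX printf octal escapes (no xxd needed)
  printf "$(printf '%s' "$1" | awk '
    BEGIN { h = "0123456789abcdef" }
    { for (i = 1; i < length($0); i += 2)
        printf "\\%03o", (index(h, substr($0, i, 1)) - 1) * 16 + index(h, substr($0, i + 1, 1)) - 1 }')"
}

hotp() {
  # hotp HEXKEY COUNTER [DIGITS]: RFC 4226, HMAC-SHA1 over the 8-byte big-endian counter + dynamic truncation
  key=$1 counter=$2 digits=${3:-6}
  mac=$(hex_to_bin "$(printf '%016x' "$counter")" \
        | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key" | sed 's/^.*= *//')
  printf '%s\n' "$mac" | awk -v d="$digits" '
    BEGIN { h = "0123456789abcdef" }
    function hexval(s,   i, v) { v = 0; for (i = 1; i <= length(s); i++) v = v * 16 + index(h, substr(s, i, 1)) - 1; return v }
    {
      off = hexval(substr($0, 40, 1))                            # low nibble of the last MAC byte
      code = hexval(substr($0, off * 2 + 1, 8)) % 2147483648     # 4 bytes at that offset, top bit dropped
      fmt = "%0" d "d\n"
      printf(fmt, code % (10 ^ d))
    }'
}

totp() {
  # totp SECRET_B32 [UNIX_TIME]: the code for a Google Authenticator secret at UNIX_TIME (default: now)
  hotp "$(b32_to_hex "$1")" $(( ${2:-$(date +%s)} / 30 ))
}

totp_verify() {
  # totp_verify SECRET_B32 CODE [UNIX_TIME]: accept the current step or one step either side, the
  # clock-skew tolerance assumed here for the PAM module's default window. Returns 0 on a match.
  now=${3:-$(date +%s)}
  for skew in -30 0 30; do
    [ "$(totp "$1" $((now + skew)))" = "$2" ] && return 0
  done
  return 1
}
```

To compare with your phone: totp "$(head -n 1 ~/.google_authenticator)" prints the current code; the RFC 6238 test secret GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ gives 287082 at Unix time 59. A verifier that accepted a wider window than a step or two would let a leaked code be replayed for longer, which is why the "disallow multiple uses" answer above matters as well.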
One of the first things you should do is secure the shared memory used on the system. Shared memory can be abused in an attack against a running service, so lock that portion of system memory down.
To learn more about securing shared memory, read this techrepublic.com article.
Edit /etc/fstab
Insert the following line at the bottom of the file and save/close. This mounts shared memory read-only.
Reboot the node in order for the change to take effect.
One exceptional case
You may need to have that memory space mounted in read/write mode (a specific server application such as DappNode requires such access to shared memory, as do standard applications such as Google Chrome). In this case, use the following line in the fstab file instead, with the same edit-and-reboot steps.
That line mounts the shared memory read/write but without permission to execute programs (noexec), change the UID of running programs (nosuid), or create block or character devices (nodev) in that namespace. This is still a net security improvement over the default settings.
Use with caution
With some trial and error, you may discover that some applications (like DappNode) do not work with shared memory in read-only mode. For the highest security, and if compatible with your applications, the read-only setting is a worthwhile endeavor.
Source: techrepublic.com
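The two fstab entries from this section and a check of what is actually mounted, as an added example that is not from the original guide. It assumes the /dev/shm mountpoint (on current Ubuntu /run/shm is a symlink to it) and the option sets noexec,nosuid,nodev with either ro or defaults; those are this example's choice, matching the description above. The audit reads /proc/mounts, so you can confirm the options took effect after the reboot rather than trusting the fstab edit.

```sh
#!/bin/sh
# Added example: fstab entries for shared memory and an audit of the live mount options.

shm_fstab_line() {
  # shm_fstab_line ro|rw: the /etc/fstab entry for /dev/shm (read-only, or read/write without exec/suid/dev)
  case $1 in
    ro) echo 'tmpfs /dev/shm tmpfs ro,noexec,nosuid,nodev 0 0' ;;
    rw) echo 'tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0' ;;
    *)  echo "shm_fstab_line: expected ro or rw" >&2; return 1 ;;
  esac
}

shm_add_fstab_entry() {
  # shm_add_fstab_entry FSTAB ro|rw: append the entry once; refuse if an active /dev/shm line already exists
  if grep -q '^[^#].*[[:space:]]/dev/shm[[:space:]]' "$1"; then
    echo "shm_add_fstab_entry: $1 already has a /dev/shm entry; edit it instead" >&2
    return 1
  fi
  shm_fstab_line "$2" >> "$1"
}

shm_missing_options() {
  # shm_missing_options [MOUNTS_FILE]: print the hardening options absent from the mounted /dev/shm,
  # read from /proc/mounts unless a file (for example a captured copy) is given. Empty output = hardened.
  awk '$2 == "/dev/shm" || $2 == "/run/shm" {
         n = split($4, o, ",")
         for (i = 1; i <= n; i++) have[o[i]] = 1
         split("noexec nosuid nodev", want, " ")
         for (i = 1; i <= 3; i++) if (!have[want[i]]) print want[i]
         exit
       }' "${1:-/proc/mounts}"
}
```

After the reboot, an empty result from shm_missing_options means the options are in place; if it prints noexec on a stock install, the fstab line was not picked up (a typo in the mountpoint is the usual cause).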
Recommended for Advanced Users Only
Principle of Least Privilege: Each eth2 process is assigned its own system user account and runs with the least privilege required in order to function. This protects against a scenario where a vulnerability or exploit in one process is used to reach other processes or the rest of the system.
If you decide to use system user accounts, remember to update the systemd unit files with the corresponding users (the User= directive).
Furthermore, ensure the correct file ownership (data directories, keystores and secrets) is assigned to each system user account where applicable.
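The per-process system account, the unit file that runs as it, and a check for units that still run as root, as an added example that is not from the original guide. It goes a little beyond the page by adding the systemd sandboxing directives that usually accompany a dedicated User= (NoNewPrivileges, PrivateTmp, ProtectSystem=strict, ProtectHome, ReadWritePaths), so the process can write only its own data directory. The account name, data directory and ExecStart in the usage note are illustrative, not values from the page.

```sh
#!/bin/sh
# Added example: a dedicated system account, a least-privilege unit, and an audit for root-running units.

create_service_user() {
  # create_service_user NAME DATADIR: a shell-less system account that owns only its data directory
  id "$1" >/dev/null 2>&1 || useradd --system --no-create-home --shell /usr/sbin/nologin "$1"
  install -d -o "$1" -g "$1" -m 0750 "$2"
}

render_unit() {
  # render_unit DESCRIPTION USER DATADIR EXECSTART: print a unit that drops to USER and confines writes
  # to DATADIR (ProtectSystem=strict makes everything else read-only for the process)
  cat <<EOF
[Unit]
Description=$1
After=network-online.target
Wants=network-online.target

[Service]
User=$2
Group=$2
ExecStart=$4
Restart=on-failure
RestartSec=5
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=$3

[Install]
WantedBy=multi-user.target
EOF
}

unit_runs_as_root() {
  # unit_runs_as_root FILE: succeed if the unit has no User= line or sets User=root, i.e. needs attention
  u=$(sed -n 's/^User=[[:space:]]*//p' "$1" | tail -n 1)
  [ -z "$u" ] || [ "$u" = root ]
}

audit_units() {
  # audit_units [DIR]: list local unit files (default /etc/systemd/system) whose service still runs as root
  for f in "${1:-/etc/systemd/system}"/*.service; do
    [ -f "$f" ] && unit_runs_as_root "$f" && echo "$f"
  done
  return 0
}
```

Typical use (illustrative names): create_service_user beaconnode /var/lib/beaconnode, then render_unit "Beacon node" beaconnode /var/lib/beaconnode "/usr/local/bin/beacon --datadir /var/lib/beaconnode" > /etc/systemd/system/beaconnode.service, followed by systemctl daemon-reload; audit_units afterwards should print nothing for the units you converted.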
https://gist.github.com/lokhman/cc716d2e2d373dd696b2d9264c0287a3#file-ubuntu-hardening-md
Fail2ban whitelisting tip: The ignoreip parameter accepts IP addresses, IP ranges or DNS hosts that should never be banned. This is where you specify your local machine, local IP range or local domain, separated by spaces.
Caveats For Advanced Users