
Step 2: Configuring Node


Last updated 1 year ago

Node Configuration

Logging in to the node

Using Ubuntu Server: Begin by connecting with your SSH client.

ssh username@staking.node.ip.address

Using Ubuntu Desktop: You're likely in front of your local node. Simply open a terminal window from anywhere by pressing Ctrl+Alt+T.

Updating the node

Ensure all the latest packages, tools and patches are installed first, then reboot.

sudo apt-get update -y && sudo apt dist-upgrade -y
sudo apt-get install git ufw curl ccze jq -y
sudo apt-get autoremove
sudo apt-get autoclean
sudo reboot

Security Configuration

Create a non-root user with sudo privileges

Creating a user called ethereum

Create a new user called ethereum

sudo useradd -m -s /bin/bash ethereum

Set the password for ethereum user

sudo passwd ethereum

Add ethereum to the sudo group

sudo usermod -aG sudo ethereum

Log out and log back in as this new user.

Using Ubuntu Server: Use the following commands.

exit
ssh ethereum@staking.node.ip.address

Using Ubuntu Desktop: Log out can be found in the top right corner under the Power Icon. Click the ethereum user account and enter the password.

Hardening SSH Access

Local node? You can skip this section on Hardening SSH Access.

Creating a new SSH Key

Create a new SSH key pair on your client machine (i.e. local laptop). Run this on your client machine, not the remote node. Replace the comment with your email or another label.

ssh-keygen -t ed25519 -C "name@email.com"

You'll see this next:

Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/<myUserName>/.ssh/id_ed25519):

Here you're asked to type a file name in which to save the SSH private key. Press Enter to accept the default file name, id_ed25519.

Next, you're prompted to enter a passphrase.

Enter passphrase (empty for no passphrase):

Location: Your SSH key pair is stored in your home directory under ~/.ssh

File name: If your default key name is id_ed25519, then

  • your private SSH key is id_ed25519

  • your public SSH key is id_ed25519.pub

Verify the contents of your private SSH key file before moving on.

cat ~/.ssh/id_ed25519

It should look similar to this example.

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBAblzWLb7/0o62FZf9YjLPCV4qFhbqiSH3TBvZXBiYNgAAAJCWunkulrp5
LgAAAAtzc2gtZWQyNTUxOQAAACBAblzWLb7/0o62FZf9YjLPCV4qFhbqiSH3TBvZXBiYNg
AAAEAxT+yCmifGWgbFnkauf0HyOAJANhYY5EElEX8fI+M4B0BuXNYtvv/SjrYVl/1iMs8J
XioWFuqJIfdMG9lcGJg2AAAACWV0aDJAZXRoMgECAwQ=
-----END OPENSSH PRIVATE KEY-----

Transferring the SSH Public Key to Remote node

Option 1: Transferring with ssh-copy-id

Works with Linux or macOS. Use option 2 for Windows.

ssh-copy-id -i ~/.ssh/id_ed25519 ethereum@staking.node.ip.address

Option 2: Copying the key manually

First, begin by obtaining your SSH Public key.

For Linux/Mac,

cat ~/.ssh/id_ed25519.pub

For Windows,

Open a command prompt (Windows Key + R, then cmd, finally press enter).

type %USERPROFILE%\.ssh\id_ed25519.pub

The output will look similar to the following:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAoc78lv+XDh2znunKXUF/9zBNJrM4Nh67yut9RN14SX name@email.com

Copy this output, also known as your public SSH key, to your clipboard.

On your remote node, run the following:

mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys

The first command creates a directory called .ssh. The second opens nano, a text editor, on a special file called authorized_keys.

With nano showing the authorized_keys file, right-click your mouse to paste your public SSH key into this file.

To exit and save, press Ctrl + X, then Y, then Enter.

Verify your public SSH key was properly pasted into the file.

cat ~/.ssh/authorized_keys

Disabling Password Authentication

Disabling root login and password based login

Log in via SSH with your new ethereum user

ssh ethereum@staking.node.ip.address

Edit the ssh configuration file

sudo nano /etc/ssh/sshd_config

Locate PubkeyAuthentication and update to yes. Delete the # in front.

PubkeyAuthentication yes

Locate PasswordAuthentication and update to no. Delete the # in front.

PasswordAuthentication no

Locate PermitRootLogin and update to prohibit-password. Delete the # in front.

PermitRootLogin prohibit-password

Locate PermitEmptyPasswords and update to no. Delete the # in front.

PermitEmptyPasswords no

To exit and save, press Ctrl + X, then Y, then Enter.

Validate the syntax of your new SSH configuration.

sudo sshd -t

If the syntax validation reports no errors, restart the SSH process.

sudo systemctl restart sshd

Verify the login still works.

ssh ethereum@staking.node.ip.address
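
A way to confirm the four settings above are the ones sshd actually uses (added example, not part of the original guide). The function name audit_sshd and both sample inputs are constructed for illustration; on the node the input would come from `sudo sshd -T`.

```shell
# Added example: compare the effective sshd configuration with this guide.
# On the node:  sudo sshd -T | audit_sshd
# `sshd -T` prints the settings sshd will really use, one lowercase
# "keyword value" pair per line. This matters because sshd keeps the FIRST
# value it reads for a keyword, so an earlier line or an included file can
# silently win over the line edited in /etc/ssh/sshd_config.

audit_sshd() {
  awk '
    BEGIN {
      want["pubkeyauthentication"]   = "yes"
      want["passwordauthentication"] = "no"
      # sshd -T may print the older alias "without-password" for this value
      want["permitrootlogin"]        = "prohibit-password|without-password"
      want["permitemptypasswords"]   = "no"
    }
    ($1 in want) {
      seen[$1] = 1
      if ($2 !~ ("^(" want[$1] ")$")) {
        printf "FAIL %s is \"%s\", expected %s\n", $1, $2, want[$1]
        bad = 1
      }
    }
    END {
      # a keyword that never shows up means the input was not sshd -T output
      for (k in want) if (!(k in seen)) {
        printf "FAIL %s missing from input\n", k
        bad = 1
      }
      exit bad + 0
    }'
}

# Constructed sample: effective settings after the edits in this guide.
HARDENED_SAMPLE='port 22
pubkeyauthentication yes
passwordauthentication no
permitrootlogin without-password
permitemptypasswords no'

# Constructed sample: password logins are still enabled because another
# setting took precedence over the edited line.
OVERRIDDEN_SAMPLE='port 22
pubkeyauthentication yes
passwordauthentication yes
permitrootlogin without-password
permitemptypasswords no'

printf '%s\n' "$HARDENED_SAMPLE"   | audit_sshd && echo "hardened sample: OK"
printf '%s\n' "$OVERRIDDEN_SAMPLE" | audit_sshd || echo "overridden sample: needs attention"
```
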

Optional: Make logging in easier by updating your local ssh config.

To simplify the ssh command needed to log in to your server, consider updating the $HOME/.ssh/config file on your local client machine:

Host ethereum-server
  User ethereum
  HostName <staking.node.ip.address>
  Port 22

This will allow you to log in with ssh ethereum-server rather than needing to pass through all ssh parameters explicitly.

Synchronizing time with Chrony

chrony is an implementation of the Network Time Protocol and helps to keep your computer's time synchronized with NTP.

Because the consensus client relies on accurate times to perform attestations and produce blocks, your node's time must be accurate to real NTP time within 0.5 seconds.

To install chrony:

sudo apt-get install chrony -y

To see the source of synchronization data:

chronyc sources

To view the current status of chrony:

chronyc tracking

Setting Timezone

To pick your timezone run the following command:

sudo dpkg-reconfigure tzdata

Find your region using the simple text-based GUI.

If you are using a national time system such as India's IST, select:

Asia/Kolkata

This will be appropriate for all locales in the country (IST, GMT+0530).

Creating the jwtsecret file

A jwtsecret file contains a hexadecimal string that is passed to both the Execution Layer client and the Consensus Layer client, and is used to ensure authenticated communications between both clients.

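# store the jwtsecret file at /secrets
sudo mkdir -p /secrets

# create the jwtsecret file: 32 random bytes as 64 hex characters, no trailing newline
# (tee also echoes the secret to the terminal)
openssl rand -hex 32 | tr -d "\n" | sudo tee /secrets/jwtsecret

# enable read access (mode 644: owner read/write, everyone else read-only)
sudo chmod 644 /secrets/jwtsecret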

Network Configuration

The standard UFW (Uncomplicated Firewall) can be used to control network access to your node and protect against unwelcome intruders.

Configure UFW Defaults

By default, deny all incoming traffic and allow outgoing traffic.

sudo ufw default deny incoming
sudo ufw default allow outgoing

Configure SSH Port 22

If your node is remote in the cloud, or at home but on a different headless server, you will need to enable SSH port 22 in order to connect.

# Allow ssh access for remote node
sudo ufw allow 22/tcp comment 'Allow SSH port'

If your node is local at home and you have keyboard access to it, it's good practice to deny SSH port 22.

# Deny ssh access for local node
sudo ufw deny 22/tcp comment 'Deny SSH port'

Allow Execution Client Port 30303

Execution clients use port 30303 to communicate with other network peers.

sudo ufw allow 30303 comment 'Allow execution client port'

Allow Consensus Client port

Consensus clients generally use port 9000 for communication with other network peers. Prysm uses a slightly different configuration: TCP port 13000 and UDP port 12000.

# Lighthouse, Lodestar, Nimbus, Teku
sudo ufw allow 9000 comment 'Allow consensus client port'

# Prysm
sudo ufw allow 13000/tcp comment 'Allow consensus client port'
sudo ufw allow 12000/udp comment 'Allow consensus client port'

Enable firewall

Finally, enable the firewall and review the configuration.

sudo ufw enable
sudo ufw status numbered 

Example of ufw status for a remote staking node configured for Lighthouse consensus client.

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 9000                       ALLOW IN    Anywhere
[ 3] 30303                      ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 9000 (v6)                  ALLOW IN    Anywhere (v6)
[ 6] 30303 (v6)                 ALLOW IN    Anywhere (v6)
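
A way to review that output mechanically (added example, not part of the original guide). The function name audit_ufw is hypothetical; the first sample is the listing shown above and the second is constructed with one extra rule, 8545/tcp, that this guide never adds.

```shell
# Added example: compare `sudo ufw status numbered` output with the set of
# inbound ports this guide opens. On the node:
#   sudo ufw status numbered | audit_ufw "22/tcp 9000 30303"
# Prysm users would pass "22/tcp 30303 13000/tcp 12000/udp" instead.

audit_ufw() {   # $1 = space-separated list of expected "To" entries
  awk -v expected="$1" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
    /^\[ *[0-9]+\]/ {
      sub(/^\[ *[0-9]+\] */, "")       # drop the "[ n]" rule number
      if ($0 !~ /ALLOW IN/) next       # only inbound allow rules open a port
      if ($1 in seen) next             # the (v6) twin of a rule already checked
      seen[$1] = 1
      if (!($1 in want)) { print "UNEXPECTED " $1; bad = 1 }
    }
    END {
      for (i = 1; i <= n; i++) if (!(e[i] in seen)) { print "MISSING " e[i]; bad = 1 }
      exit bad + 0
    }'
}

# Sample taken from the listing above (remote node, Lighthouse).
UFW_GUIDE_SAMPLE='     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 9000                       ALLOW IN    Anywhere
[ 3] 30303                      ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 9000 (v6)                  ALLOW IN    Anywhere (v6)
[ 6] 30303 (v6)                 ALLOW IN    Anywhere (v6)'

# Constructed sample: the same node with one extra inbound rule.
UFW_EXTRA_SAMPLE='     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 9000                       ALLOW IN    Anywhere
[ 3] 30303                      ALLOW IN    Anywhere
[ 4] 8545/tcp                   ALLOW IN    Anywhere'

printf '%s\n' "$UFW_GUIDE_SAMPLE" | audit_ufw "22/tcp 9000 30303" && echo "guide sample: OK"
printf '%s\n' "$UFW_EXTRA_SAMPLE" | audit_ufw "22/tcp 9000 30303" || echo "extra sample: review rules"
```

A whitelist rule such as `ufw allow from <ip>` appears with `Anywhere` in the To column and is reported as UNEXPECTED unless `Anywhere` is added to the expected list.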

Port Forwarding Tip for Local Stakers at Home: You'll need to forward ports to your validator.

Verify port forwarding is working with the following.

Option 1: From the terminal on the staking machine. Choose the command that matches your clients.

# Lighthouse, Lodestar, Nimbus, Teku
curl "https://eth2-client-port-checker.vercel.app/api/checker?ports=30303,9000"

# Prysm
curl "https://eth2-client-port-checker.vercel.app/api/checker?ports=30303,12000,13000"

Result: Open ports will be shown if they are reachable from the public internet.

Option 2: Using the browser

As an example, for Lighthouse, you would verify ports 9000 and 30303 are reachable.

Optional: Whitelisting Connections

Whitelisting, which means permitting connections from a specific IP, can be set up via the following command.

sudo ufw allow from <your client machine>
# Example
# sudo ufw allow from 192.168.50.22

Install Fail2ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.

To install fail2ban:

sudo apt-get install fail2ban -y

Edit a config file that monitors SSH logins.

sudo nano /etc/fail2ban/jail.local

Add the following lines to the bottom of the file.

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

To exit and save, press Ctrl + X, then Y, then Enter.

Restart fail2ban for settings to take effect.

sudo systemctl restart fail2ban
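
The counting rule described above, replayed over sample log lines (added example, not part of the original guide and not fail2ban's own code). The function name would_ban, the log lines and the 600-second window are constructed assumptions; the guide's jail.local sets only maxretry = 3.

```shell
# Added example: which source IPs reach maxretry failed SSH password
# logins inside one time window. On the node:
#   sudo cat /var/log/auth.log | would_ban 3 600
# Simplification: timestamps are compared as seconds since midnight, so the
# input is assumed to cover a single day.

would_ban() {   # $1 = maxretry, $2 = window in seconds; log lines on stdin
  awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
      split($3, t, ":")
      now = t[1] * 3600 + t[2] * 60 + t[3]
      # take the LAST "from" on the line, so a user name of "from"
      # cannot shift the address field
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "" || (ip in banned)) next
      hits[ip, ++n[ip]] = now
      recent = 0
      for (j = 1; j <= n[ip]; j++) if (now - hits[ip, j] <= findtime) recent++
      if (recent >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# Constructed auth.log lines (documentation address ranges).
AUTH_LOG_SAMPLE='Jan 10 03:14:01 node sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan 10 03:14:05 node sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan 10 03:14:09 node sshd[2103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jan 10 03:20:00 node sshd[2110]: Failed password for ethereum from 198.51.100.20 port 51000 ssh2
Jan 10 03:45:00 node sshd[2150]: Failed password for ethereum from 198.51.100.20 port 51010 ssh2
Jan 10 04:10:00 node sshd[2190]: Failed password for ethereum from 198.51.100.20 port 51020 ssh2
Jan 10 04:11:00 node sshd[2200]: Accepted publickey for ethereum from 192.0.2.15 port 50500 ssh2'

# Three failures in 8 seconds reach the threshold; three spread over
# 50 minutes do not, unless the window is widened to an hour.
printf '%s\n' "$AUTH_LOG_SAMPLE" | would_ban 3 600
```
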

Important reminder: Ensure you are logged in and execute all steps in this guide as this non-root user, ethereum.

A passphrase adds an extra layer of protection to your SSH private key. Every time you connect via SSH to your remote node, enter this passphrase to unlock your SSH private key.

A passphrase is highly recommended! Do not leave this empty.

Do not forget or lose your passphrase. Save this to a password manager.

IMPORTANT: Make multiple backup copies of your private SSH key file to external storage, such as a USB backup key, for recovery purposes. Also back up your passphrase!

Even with SSH key authentication enabled, it is still possible to connect to your remote node with a login and password, which is much less secure and can be brute-forced.

For optimal connectivity, ensure port forwarding is set up on your router. Learn to port forward with guides found at https://portforward.com/how-to-port-forward

To check ports from the browser, use https://www.yougetsignal.com/tools/open-ports/ or https://canyouseeme.org