Guide | Security Best Practices for an ETH staking validator node
Quick steps to secure your node.

2021-12 Gitcoin Grant Round 12: We improve this guide with your support! Help fund us and earn a POAP NFT. Appreciate your support!
Ethereum Staking Guides by CoinCashew *with POAP* | Grants

Pre-requisites

  • Ubuntu Server or Ubuntu Desktop installed
  • SSH server installed
  • an SSH client or terminal window access
In case you need to install an SSH server, refer to: How to install SSH server on Ubuntu
In case you need an SSH client for your operating system, refer to: How to Connect to an SSH Server from Windows, macOS, or Linux (How-To Geek)

Create a non-root user with sudo privileges

Make a habit of logging in to your server using a non-root account. This will prevent the accidental deletion of files if you make a mistake. For instance, the command rm can wipe your entire server if run incorrectly by the root user.

Tip: Do NOT routinely use the root account. Use su or sudo, always.

SSH to your server with your SSH client.
Create a new user called ethereum:
sudo useradd -m -s /bin/bash ethereum
Set the password for the ethereum user:
sudo passwd ethereum
Add ethereum to the sudo group:
sudo usermod -aG sudo ethereum

Disable SSH password authentication and use SSH keys only

The basic rules of hardening SSH are:
  • No password for SSH access (use a private key)
  • Don't allow root to SSH in (the appropriate users should SSH in, then su or sudo)
  • Use sudo for users so commands are logged
  • Log unauthorized login attempts (and consider software to block/ban addresses that try to access your server too many times, like fail2ban)
  • Lock down SSH to only the IP range you require (if you feel like it)
Create a new SSH key pair on your local machine. Run this on your local machine. You will be asked to type a file name in which to save the key. This will be your keyname.
Your choice of ED25519 or RSA public key algorithm.
ED25519:
ssh-keygen -t ed25519
RSA:
ssh-keygen -t rsa -b 4096
Transfer the public key to your remote node. Update keyname.pub appropriately.
ssh-copy-id -i $HOME/.ssh/keyname.pub ethereum@<server.public.ip.address>
Login with your new ethereum user.
Disable root login and password based login. Edit the /etc/ssh/sshd_config file:
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to no:
ChallengeResponseAuthentication no
Locate PasswordAuthentication and update to no:
PasswordAuthentication no
Locate PermitRootLogin and update to prohibit-password:
PermitRootLogin prohibit-password
Locate PermitEmptyPasswords and update to no:
PermitEmptyPasswords no
Optional: Locate Port and customize it to your random port.
Use a random port # from 1024 thru 49141. Check for possible conflicts.
Port <port number>
Validate the syntax of your new SSH configuration:
sudo sshd -t
If the syntax validation reports no errors, restart the SSH process:
sudo systemctl restart sshd
Verify the login still works.
Standard SSH port 22:
ssh ethereum@<server.public.ip.address>
Custom SSH port:
ssh ethereum@<server.public.ip.address> -p <custom port number>
If your key is not in a default location, add the -i flag with the path to your private key (keyname, not keyname.pub); add -p <port#> as well if you used a custom SSH port:
ssh -i <path to your private key> ethereum@<server.public.ip.address>
Optional: Make logging in easier by updating your local ssh config.
To simplify the ssh command needed to log in to your server, consider updating your local $HOME/.ssh/config file:
Host ethereum-server
  User ethereum
  HostName <server.public.ip.address>
  Port <custom port number>
This will allow you to log in with ssh ethereum-server rather than needing to pass all ssh parameters explicitly.
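To check the sshd_config edits above before you restart sshd, here is an added shell example (not part of the CoinCashew guide) that audits a config file for the four directives this section sets. The EXPECTED list, the function names audit_sshd_config and sshd_value, and the sample config it writes to a temp file are all this example's own:

```shell
#!/bin/sh
# Added example, not from the CoinCashew guide: audit an sshd_config file for the
# directives set in this section. Returns 0 when every directive matches, 1 otherwise.
# Usage: audit_sshd_config [path]   (default /etc/ssh/sshd_config)

# Directive/value pairs the guide asks for (edit if your policy differs).
EXPECTED='PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no'

# Effective value of one directive: sshd honours the FIRST uncommented occurrence
# of a keyword and compares keywords case-insensitively, so this does the same.
# Match blocks and Include'd files are not followed (see the note below the code).
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

audit_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    rc=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(sshd_value "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', want '$want'"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample (not a real server's file) so the script runs offline:
# three directives are right, but root login was left enabled.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin yes
PermitEmptyPasswords no
Port 22
EOF
audit_sshd_config "$SAMPLE" || echo "fix sshd_config before restarting sshd"
rm -f "$SAMPLE"
```

On a real node, run the audit against /etc/ssh/sshd_config, or better against the output of `sudo sshd -T` saved to a file, since -T prints the effective settings (lowercase keywords, with any Include'd files resolved) and the audit compares keywords case-insensitively. Keep your current SSH session open until a fresh login succeeds, so a typo cannot lock you out. If you later enable 2FA as described further down, change the ChallengeResponseAuthentication line in EXPECTED to yes.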

Update your system

It's critically important to keep your system up to date with the latest patches to prevent intruders from accessing your system.
sudo apt-get update -y && sudo apt dist-upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean
Enable automatic updates so you don't have to manually install them.
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Disable root account

System admins should not frequently log in as root in order to maintain server security. Instead, use sudo to execute commands that require root privileges.
# To disable the root account, simply use the -l option.
sudo passwd -l root
# If for some valid reason you need to re-enable the account, simply use the -u option.
sudo passwd -u root

Setup Two Factor Authentication for SSH [Optional]

SSH, the secure shell, is often used to access remote Linux systems. Because we often use it to connect with computers containing important data, it's recommended to add another security layer. Here comes two factor authentication (2FA).
sudo apt install libpam-google-authenticator -y
To make SSH use the Google Authenticator PAM module, edit the /etc/pam.d/sshd file:
sudo nano /etc/pam.d/sshd
Add the following line:
auth required pam_google_authenticator.so
Now you need to restart the sshd daemon using:
sudo systemctl restart sshd.service
Modify /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to yes:
ChallengeResponseAuthentication yes
Locate UsePAM and update to yes:
UsePAM yes
Save the file and exit.
Run the google-authenticator command.
google-authenticator
It will ask you a series of questions, here is a recommended configuration:
  • Make tokens "time-based": yes
  • Update the .google_authenticator file: yes
  • Disallow multiple uses: yes
  • Increase the original generation time limit: no
  • Enable rate-limiting: yes
You may have noticed the giant QR code that appeared during the process; underneath are your emergency scratch codes to be used if you don't have access to your phone: write them down on paper and keep them in a safe place.
Now, open Google Authenticator on your phone and add your secret key to make two factor authentication work.
Note: If you are enabling 2FA on a remote machine that you access over SSH you need to follow steps 2 and 3 of this tutorial to make 2FA work.

Secure Shared Memory

One of the first things you should do is secure the shared memory used on the system. If you're unaware, shared memory can be used in an attack against a running service. Because of this, secure that portion of system memory.
To learn more about secure shared memory, read this techrepublic.com article.

One exceptional case

There may be a reason for you needing to have that memory space mounted in read/write mode (such as a specific server application like DappNode that requires such access to the shared memory, or standard applications like Google Chrome). In this case, use the following line for the fstab file with the instructions below.
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
The above line will mount the shared memory with read/write access but without permission to execute programs, change the UID of running programs, or create block or character devices in the namespace. This is a net security improvement over default settings.

Use with caution

With some trial and error, you may discover some applications (like DappNode) do not work with shared memory in read-only mode. For the highest security and if compatible with your applications, it is a worthwhile endeavor to implement this secure shared memory setting.
Source: techrepublic.com
Edit /etc/fstab:
sudo nano /etc/fstab
Insert the following line at the bottom of the file and save/close. This sets shared memory into read-only mode.
tmpfs /run/shm tmpfs ro,noexec,nosuid 0 0
Reboot the node in order for changes to take effect.
sudo reboot
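Added shell example (not from the CoinCashew guide): a check that the shared-memory entry in an fstab file carries the hardening options and a report of whether it is read-only or read/write. It reads an fstab file, so it checks the configured state rather than the live mount; the function name check_shm_fstab and the sample fstab lines are this example's own. Note that it flags the guide's read-only line, which omits nodev, whereas the read/write line in the exceptional case above includes it; adding nodev to the read-only line gives you both properties.

```shell
#!/bin/sh
# Added example, not from the CoinCashew guide: check that the shared-memory entry
# in an fstab file carries the hardening options noexec, nosuid and nodev, and
# report whether it is read-only or read/write. Returns 1 if an option is missing
# or no tmpfs entry exists for the mountpoint.
# Usage: check_shm_fstab FSTAB_FILE [MOUNTPOINT]   (mountpoint defaults to /run/shm)
check_shm_fstab() {
    awk -v mnt="${2:-/run/shm}" '
    BEGIN { want["noexec"] = 1; want["nosuid"] = 1; want["nodev"] = 1; found = 0 }
    $1 ~ /^#/ || NF < 4 { next }               # comments and blank lines
    $2 == mnt && $3 == "tmpfs" {               # last matching entry wins
        found = 1
        split("", have)                        # reset options from earlier entries
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) have[o[i]] = 1
        mode = ("ro" in have) ? "read-only" : "read/write"
    }
    END {
        if (!found) { print "no tmpfs entry for " mnt; exit 1 }
        bad = 0
        for (w in want) if (!(w in have)) { print "missing option: " w; bad = 1 }
        print mnt " is mounted " mode
        exit bad
    }
    ' "$1"
}

# Constructed fstab (not a real system's): the guide's read-only line.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# /etc/fstab: static file system information.
UUID=0000-0000 / ext4 errors=remount-ro 0 1
tmpfs /run/shm tmpfs ro,noexec,nosuid 0 0
EOF
check_shm_fstab "$SAMPLE" || echo "-> add the missing option(s) to the /run/shm line"
rm -f "$SAMPLE"
```

Run it as `check_shm_fstab /etc/fstab` before rebooting; after the reboot, `findmnt -no OPTIONS /run/shm` prints the options of the live mount so you can confirm they match.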

Install Fail2ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.
sudo apt-get install fail2ban -y
Edit a config file that monitors SSH logins.
sudo nano /etc/fail2ban/jail.local
Add the following lines to the bottom of the file.

Whitelisting IP address tip: The ignoreip parameter accepts IP addresses, IP ranges or DNS hosts that you can specify to be allowed to connect. This is where you want to specify your local machine, local IP range or local domain, separated by spaces.
# Example
ignoreip = 192.168.1.0/24 127.0.0.1/8

[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip = <list of whitelisted IP address, your local daily laptop/pc>
Save/close file.
Restart fail2ban for settings to take effect.
sudo systemctl restart fail2ban
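Added shell example (not from the CoinCashew guide): before relying on the [sshd] jail, you can replay its counting logic by hand over /var/log/auth.log with the same maxretry and ignoreip values and see which addresses would be banned. The function name failed_login_offenders and the log lines it writes to a temp file are constructed for this example; the addresses are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example, not from the CoinCashew guide: replay the [sshd] jail logic over
# an auth.log so you can see which addresses WOULD be banned for a given maxretry
# and ignoreip. Counts failed-login lines per source IPv4 address, skips
# whitelisted addresses/CIDRs, prints "ip count" for each address at or above
# maxretry. It bans nothing, and unlike fail2ban it applies no time window.
# Usage: failed_login_offenders LOGFILE MAXRETRY "IGNOREIP LIST"
failed_login_offenders() {
    awk -v maxretry="$2" -v ignore="$3" '
    function ip2int(ip,   a) {                      # dotted quad -> integer
        split(ip, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    function in_cidr(ip, cidr,   n, p, bits, div) { # CIDR test via integer division
        n = split(cidr, p, "/")                      # (POSIX awk has no bitwise ops)
        bits = (n == 2) ? p[2] + 0 : 32
        div = 2 ^ (32 - bits)
        return int(ip2int(ip) / div) == int(ip2int(p[1]) / div)
    }
    function ignored(ip,   i) {
        for (i = 1; i <= nignore; i++) if (in_cidr(ip, ig[i])) return 1
        return 0
    }
    BEGIN { nignore = split(ignore, ig, " ") }
    # two of the sshd messages that the fail2ban sshd filter matches
    /sshd\[[0-9]+\]: (Failed password for|Invalid user )/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip != "" && !ignored(ip)) fails[ip]++
    }
    END { for (ip in fails) if (fails[ip] >= maxretry) print ip, fails[ip] }
    ' "$1" | sort
}

# Constructed auth.log excerpt (documentation addresses, not real hosts):
# 203.0.113.5 fails three times, 192.168.1.10 fails three times from the LAN,
# 198.51.100.7 probes once.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Dec  1 10:00:01 node sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec  1 10:00:03 node sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2
Dec  1 10:00:05 node sshd[1203]: Failed password for ethereum from 203.0.113.5 port 51236 ssh2
Dec  1 10:00:07 node sshd[1204]: Failed password for ethereum from 192.168.1.10 port 51237 ssh2
Dec  1 10:00:08 node sshd[1205]: Failed password for ethereum from 192.168.1.10 port 51238 ssh2
Dec  1 10:00:09 node sshd[1206]: Failed password for ethereum from 192.168.1.10 port 51239 ssh2
Dec  1 10:00:11 node sshd[1207]: Accepted publickey for ethereum from 192.168.1.10 port 51240 ssh2: ED25519 SHA256:AAAA
Dec  1 10:00:13 node sshd[1208]: Invalid user oracle from 198.51.100.7 port 40000
EOF
echo "would be banned with maxretry=3, ignoreip=192.168.1.0/24 127.0.0.1/8:"
failed_login_offenders "$SAMPLE" 3 "192.168.1.0/24 127.0.0.1/8"   # 203.0.113.5 3
echo "without the whitelist:"
failed_login_offenders "$SAMPLE" 3 ""                             # adds 192.168.1.10 3
rm -f "$SAMPLE"
```

The whitelisted LAN machine is the one you would otherwise lock yourself out from after a few mistyped passphrases, which is why the guide puts your daily laptop/PC into ignoreip. On a live node, `sudo fail2ban-client status sshd` shows what the real jail has actually banned.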

Configure your Firewall

The standard UFW firewall can be used to control network access to your node.
With any new installation, ufw is disabled by default. Enable it with the following settings.
  • Port 22 (or your random port #) TCP for SSH connection
  • Ports for p2p traffic
    • Lighthouse uses port 9000 tcp/udp
    • Teku uses port 9000 tcp/udp
    • Prysm uses port 13000 tcp and port 12000 udp
    • Nimbus uses port 9000 tcp/udp
    • Lodestar uses port 30607 tcp and port 9000 udp
  • Port 30303 tcp/udp eth1 node
Lighthouse, Teku or Nimbus:
# By default, deny all incoming and allow all outgoing traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow ssh access (port 22; if you chose a random ssh port, use instead: sudo ufw allow <port number>/tcp)
sudo ufw allow ssh
# Allow p2p ports
sudo ufw allow 9000/tcp
sudo ufw allow 9000/udp
# Allow eth1 port
sudo ufw allow 30303/tcp
sudo ufw allow 30303/udp
# Enable firewall
sudo ufw enable
Prysm:
# By default, deny all incoming and allow all outgoing traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow ssh access (port 22; if you chose a random ssh port, use instead: sudo ufw allow <port number>/tcp)
sudo ufw allow ssh
# Allow p2p ports
sudo ufw allow 13000/tcp
sudo ufw allow 12000/udp
# Allow eth1 port
sudo ufw allow 30303/tcp
sudo ufw allow 30303/udp
# Enable firewall
sudo ufw enable
Lodestar:
# By default, deny all incoming and allow all outgoing traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow ssh access (port 22; if you chose a random ssh port, use instead: sudo ufw allow <port number>/tcp)
sudo ufw allow ssh
# Allow p2p ports
sudo ufw allow 30607/tcp
sudo ufw allow 9000/udp
# Allow eth1 port
sudo ufw allow 30303/tcp
sudo ufw allow 30303/udp
# Enable firewall
sudo ufw enable
# Verify status
sudo ufw status numbered
Do not expose Grafana (port 3000) and the Prometheus endpoint (port 9090) to the public internet as this invites a new attack surface! A secure solution would be to access Grafana through an ssh tunnel or Wireguard.
Only open the following ports on local home staking setups behind a home router firewall or other network firewall.

It is dangerous to open these ports on a VPS/cloud node.

# Allow grafana web server port
sudo ufw allow 3000/tcp
# Enable prometheus endpoint port
sudo ufw allow 9090/tcp
Confirm the settings are in effect.
# Verify status
sudo ufw status numbered
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                   # SSH
[ 2] 3000/tcp                   ALLOW IN    Anywhere                   # Grafana
[ 3] 9000/tcp                   ALLOW IN    Anywhere                   # eth2 p2p traffic
[ 4] 9090/tcp                   ALLOW IN    Anywhere                   # Prometheus
[ 5] 30303/tcp                  ALLOW IN    Anywhere                   # eth1 node
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)              # SSH
[ 7] 3000/tcp (v6)              ALLOW IN    Anywhere (v6)              # Grafana
[ 8] 9000/tcp (v6)              ALLOW IN    Anywhere (v6)              # eth2 p2p traffic
[ 9] 9090/tcp (v6)              ALLOW IN    Anywhere (v6)              # Prometheus
[10] 30303/tcp (v6)             ALLOW IN    Anywhere (v6)              # eth1 node
[ Optional but recommended ] Whitelisting (or permitting connections from a specific IP) can be set up via the following command.
sudo ufw allow from <your local daily laptop/pc>
# Example
# sudo ufw allow from 192.168.50.22
Port Forwarding Tip: You'll need to forward and open ports to your validator. Verify it's working with https://www.yougetsignal.com/tools/open-ports/ or https://canyouseeme.org/ .

Verify Listening Ports

If you want to maintain a secure server, you should validate the listening network ports every once in a while. This will provide you essential information about your network.
sudo ss -tulpn
# Example output. Ensure the port numbers look right.
# Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
# tcp LISTEN 0 128 127.0.0.1:5052 0.0.0.0:* users:(("lighthouse",pid=12160,fd=22))
# tcp LISTEN 0 128 127.0.0.1:5054 0.0.0.0:* users:(("lighthouse",pid=12160,fd=23))
# tcp LISTEN 0 1024 0.0.0.0:9000 0.0.0.0:* users:(("lighthouse",pid=12160,fd=21))
# udp UNCONN 0 0 *:30303 *:* users:(("geth",pid=22117,fd=158))
# tcp LISTEN 0 4096 *:30303 *:* users:(("geth",pid=22117,fd=156))
Alternatively you can use netstat:
sudo netstat -tulpn
# Example output. Ensure the port numbers look right.
# Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
# tcp 0 0 127.0.0.1:5052 0.0.0.0:* LISTEN 12160/lighthouse
# tcp 0 0 127.0.0.1:5054 0.0.0.0:* LISTEN 12160/lighthouse
# tcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN 12160/lighthouse
# tcp6 0 0 :::30303 :::* LISTEN 22117/geth
# udp6 0 0 :::30303 :::* LISTEN 22117/geth
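Added shell example (not from the CoinCashew guide): rather than eyeballing the ss output, compare it with the ports you opened in ufw and list anything reachable from the network that you did not intend. The function name exposed_listeners and the sample ss output (the guide's lighthouse and geth lines plus a constructed sshd listener and a constructed Grafana listener bound to 0.0.0.0:3000, the exposure the firewall section warns about) are this example's own.

```shell
#!/bin/sh
# Added example, not from the CoinCashew guide: compare `ss -tulpn` output with the
# ports you deliberately opened in ufw and print every listener that is reachable
# from the network (bound to 0.0.0.0, * or [::]) but not on the allowed list.
# Loopback-only listeners (127.0.0.1 / [::1]) are skipped: that is where the client
# HTTP API ports sit in the guide's own ss output, and where Grafana and Prometheus
# should stay.
# Usage: exposed_listeners FILE "ALLOWED PORTS"    e.g. exposed_listeners ss.txt "22 9000 30303"
exposed_listeners() {
    awk -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "Netid" { next }                      # header line of ss
    NF >= 5 {
        laddr = $5                              # Local Address:Port column
        port = laddr; sub(/.*:/, "", port)      # text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "[::1]") next
        if (!(port in ok)) print $1, laddr, (NF >= 7 ? $7 : "(no process info)")
    }
    ' "$1"
}

# Constructed ss output: the guide's lighthouse/geth lines plus an sshd listener
# and a Grafana listener that was mistakenly bound to all interfaces.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:5052     0.0.0.0:*         users:(("lighthouse",pid=12160,fd=22))
tcp   LISTEN 0      128    127.0.0.1:5054     0.0.0.0:*         users:(("lighthouse",pid=12160,fd=23))
tcp   LISTEN 0      1024   0.0.0.0:9000       0.0.0.0:*         users:(("lighthouse",pid=12160,fd=21))
udp   UNCONN 0      0      *:30303            *:*               users:(("geth",pid=22117,fd=158))
tcp   LISTEN 0      4096   *:30303            *:*               users:(("geth",pid=22117,fd=156))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      128    0.0.0.0:3000       0.0.0.0:*         users:(("grafana-server",pid=3100,fd=15))
EOF
echo "unexpected network-reachable listeners:"
exposed_listeners "$SAMPLE" "22 9000 30303"    # tcp 0.0.0.0:3000 users:(("grafana-server",pid=3100,fd=15))
rm -f "$SAMPLE"
```

On the node itself: `sudo ss -tulpn > /tmp/listen.txt` and then `exposed_listeners /tmp/listen.txt "22 9000 30303"` with your own SSH and p2p ports; an empty result means nothing is listening on the network beyond what ufw is meant to expose. A listener that ufw blocks is still worth fixing, since the service itself should bind to 127.0.0.1 rather than rely on the firewall alone.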

Use system user accounts - Principle of Least Privilege [Advanced Users / Optional]

Recommended for Advanced Users Only
Principle of Least Privilege: Each eth2 process is assigned a system user account and runs under the least amount of privileges required in order to function. This best practice protects against a scenario where a vulnerability or exploit discovered in a specific process might enable access to other system processes.
# creates system user account for eth1 service
sudo adduser --system --no-create-home eth1

# creates system user account for validator service
sudo adduser --system --no-create-home validator

# creates system user account for beacon-chain service
sudo adduser --system --no-create-home beacon-chain

# creates system user account for slasher
sudo adduser --system --no-create-home slasher

Caveats For Advanced Users
If you decide to use system user accounts, remember to update the User= line of the systemd unit files with the corresponding users.
# Example of beacon-chain.service unit file
User = beacon-chain
Furthermore, ensure the correct file ownership is assigned to your system user account where applicable.
# Example of prysm validator's password file
sudo chown validator:validator -R $HOME/.eth2validators/validators-password.txt
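Added shell example (not from the CoinCashew guide) for the caveats above: after editing User= in a unit file and chown-ing the service's files, check that the two agree. The function names unit_user and unit_owner_check and the temporary unit and data files it creates are this example's own; `stat -c` is the GNU coreutils form used on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the CoinCashew guide: after setting User= in a unit file
# and chown-ing the service's files, confirm the two agree. A mismatch is the usual
# reason a service that ran fine as root fails with "permission denied" once it is
# moved to its own system user.
# Usage: unit_owner_check UNIT_FILE PATH...   (returns 1 on any mismatch or missing path)

# Print the User= value of a systemd unit. systemd allows spaces around "=", and a
# later User= line overrides an earlier one, so the last one wins here too.
unit_user() {
    awk -F= '$1 ~ /^[ \t]*User[ \t]*$/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); u = $2 }
             END { print u }' "$1"
}

unit_owner_check() {
    unit="$1"; shift
    want=$(unit_user "$unit")
    [ -n "$want" ] || { echo "no User= line in $unit"; return 1; }
    rc=0
    for path in "$@"; do
        # stat -c is the GNU coreutils form (Ubuntu); %U prints the owner name
        if ! owner=$(stat -c '%U' "$path" 2>/dev/null); then
            echo "MISSING $path"; rc=1; continue
        fi
        if [ "$owner" = "$want" ]; then
            echo "OK      $path owned by $owner"
        else
            echo "WRONG   $path owned by $owner but $unit runs as $want"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: a unit that runs as the current user, checked against a file
# the current user owns and against one that does not exist.
DEMO=$(mktemp -d)
printf '%s\n' '[Service]' "User = $(id -un)" > "$DEMO/validator.service"
: > "$DEMO/validators-password.txt"
unit_owner_check "$DEMO/validator.service" "$DEMO/validators-password.txt" "$DEMO/missing.txt" \
    || echo "-> fix ownership with: sudo chown <user>:<user> <path>"
rm -rf "$DEMO"
```

On a real node you would call it with the unit you edited and every file that service must read, for example the validator's password file shown above, before restarting the service.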

Additional validator node best practices

Networking
Assign static internal IPs to both your validator node and daily laptop/PC. This is useful in conjunction with ufw and Fail2ban's whitelisting feature. Typically, this can be configured in your router's settings. Consult your router's manual for instructions.
Power Outage
In case of a power outage, you want your validator machine to restart as soon as power is available. In the BIOS settings, change the Restore on AC / Power Loss or After Power Loss setting to always on. Better yet, install an Uninterruptible Power Supply (UPS).
Clear the bash history
When pressing the up-arrow key, you can see prior commands which may contain sensitive data. To clear this, run the following:
shred -u ~/.bash_history && touch ~/.bash_history

Start staking by building a validator

Visit here for our Mainnet guide and here for our Testnet guide.

Congrats on completing the guide.
Did you find our guide useful? Send us a signal with a tip and we'll keep updating it.
It really energizes us to keep creating the best crypto guides.
Use cointr.ee to find our donation addresses.
Any feedback and all pull requests much appreciated.
Hang out and chat with fellow stakers on Discord @
2020-12 Update: Thanks to all Gitcoin contributors, where you can contribute via quadratic funding and make a big impact. Funding complete! Thank you!
Ethereum Staking Guides by CoinCashew *with POAP* | Grants

References

How to Harden your Ubuntu 18.04 Server (Medium)
Ubuntu system hardening guide for desktops and servers (Linux Audit)
How To Harden OpenSSH on Ubuntu 18.04 (DigitalOcean)
Configure SSH to use two-factor authentication (Ubuntu)
How to Install and Configure Fail2ban on Ubuntu 20.04 (linuxize)
How to Harden Ubuntu Server 18.04 in 5 Easy Steps (Lifewire)
The 50 Best Linux Hardening Security Tips: A Comprehensive Checklist (UbuntuPIT)