Edit

Step 2: Configuring Node

βš’οΈ Node Configuration

Logging to the node

Using Ubuntu Server: Begin by connecting with your SSH client.

ssh [email protected]

Using Ubuntu Desktop: You're likely in-front of your local node. Simply open a terminal window from anywhere by typing Ctrl+Alt+T.

Updating the node

Ensure all the latest packages, tools and patches are installed first, then reboot.

sudo apt-get update -y && sudo apt dist-upgrade -y
sudo apt-get install git ufw curl ccze jq -y
sudo apt-get autoremove
sudo apt-get autoclean
sudo reboot

πŸ”‘ Security Configuration

Create a non-root user with sudo privileges

Creating a user called ethereum

Create a new user called ethereum

Set the password for ethereum user

Add ethereum to the sudo group

Log out and log back in as this new user.

Using Ubuntu Server: Use the following commands.

Using Ubuntu Desktop: Log out can be found in the top right corner under the Power Icon. Click the ethereum user account and enter password.

πŸ”₯Important reminder: Ensure you are logged in and execute all steps in this guide as this non-root user, ethereum.

Hardening SSH Access

Local node? You can skip this section on Hardening SSH Access.

Creating a new SSH Key

Create a new SSH key pair on your client machine (i.e. local laptop). Run this on your client machine, not remote node. Update the comment with your email or a comment.

You'll see this next:

Here you're asked to type a file name in which to save the SSH private key. If you press enter, you can use the default file name id_ed25519

Next, you're prompted to enter a passphrase.

ℹ️ A passphrase adds an extra layer of protection to your SSH private key. Everytime you connect via SSH to your remote node, enter this passphrase to unlock your SSH private key.

πŸ”₯ Passphrase is highly recommended! Do not leave this empty for no passphrase.

πŸ’‘Do not forget or lose your passphrase. Save this to a password manager.

Location: Your SSH key pair is stored in your home directory under ~/.ssh

File name: If your default keyname isid_ed25519, then

  • your private SSH key is id_ed25519

  • your public SSH key is id_ed25519.pub

πŸ”₯ IMPORTANT: Make multiple backup copies of your private SSH key file to external storage, such as a USB backup key, for recovery purposes. Also backup your passphrase!

Verify the contents of your private SSH key file before moving on.

It should look similar to this example.

Transferring the SSH Public Key to Remote node

Option 1: Transferring with ssh-copy-id

Works with Linux or MacOS. Use option 2 for Windows.

Option 2: Copying the key manually

First, begin by obtaining your SSH Public key.

For Linux/Mac,

For Windows,

Open a command prompt (Windows Key + R, then cmd, finally press enter).

The output will look similar to the following:

Copy into your clipboard this output, also known as your public SSH key.

On your remote node, run the following:

First, a directory called .ssh is created, then Nano is a text editor for editing a special file called authorized_keys

With nano opening the authorized_keys file, right-click your mouse to paste your public SSH key into this file.

To exit and save, press Ctrl + X, then Y, thenEnter.

Verify your public SSH key was properly pasted into the file.

Disabling Password Authentication

Disabling root login and password based login

ℹ️ With SSH key authentication enabled, there's still the possibility to connect to your remote node with login and password, a much less secure and brute force-able attack vector.

Login via ssh with your new ethereum user

Edit the ssh configuration file

Locate PubkeyAuthentication and update to yes. Delete the # in front.

Locate PasswordAuthentication and update to no. Delete the # in front.

Locate PermitRootLogin and update to prohibit-password. Delete the # in front.

Locate PermitEmptyPasswords and update to no. Delete the # in front.

To exit and save, press Ctrl + X, then Y, thenEnter.

Validate the syntax of your new SSH configuration.

If no errors with the syntax validation, restart the SSH process.

Verify the login still works.

Optional: Make logging in easier by updating your local ssh config.

To simplify the ssh command needed to log in to your server, consider updating on your local client machine the $HOME/myUserName/.ssh/config file:

This will allow you to log in with ssh ethereum-server rather than needing to pass through all ssh parameters explicitly.

Synchronizing time with Chrony

chrony is an implementation of the Network Time Protocol and helps to keep your computer's time synchronized with NTP.

Because the consensus client relies on accurate times to perform attestations and produce blocks, your node's time must be accurate to real NTP time within 0.5 seconds.

To install chrony:

To see the source of synchronization data.

To view the current status of chrony.

Setting Timezone

To pick your timezone run the following command:

Find your region using the simple text-based GUI.

In the event that you are using national system like India's IST select:

This will be appropriate for all locales in the country (IST, GMT+0530).

Creating the jwtsecret file

A jwtsecret file contains a hexadecimal string that is passed to both Execution Layer client and Consensus Layer clients, and is used to ensure authenticated communications between both clients.

πŸ”— Network Configuration

The standard UFW - Uncomplicated firewall can be used to control network access to your node and protect against unwelcome intruders.

Configure UFW Defaults

By default, deny all incoming traffic and allow outgoing traffic.

Configure SSH Port 22

If your node is remote in the cloud, or at home but on a different headless server, you will need to enable SSH port 22 in order to connect.

If your node is local at home and you have keyboard access to it, it's good practice to deny SSH port 22.

Allow Execution Client Port 30303

Peering on port 30303, execution clients use this port for communication with other network peers.

Allow Consensus Client port

Consensus clients generally use port 9000 for communication with other network peers. Using tcp port 13000 and udp port 12000, Prysm uses a slightly different configuration.

Enable firewall

Finally, enable the firewall and review the configuration.

Example of ufw status for a remote staking node configured for Prysm consensus client.

Configure Port Forwarding

Port Forwarding Tip for Local Stakers at Home: You'll need to forward ports to your validator.

For optimal connectivity, ensure Port Forwarding is setup for your router. Learn to port forward with guides found at https://portforward.com/how-to-port-forward

Verify port forwarding is working with the following.

Option 1: From the terminal on staking machine. Choose accordingly to your clients.

Result: Open ports will be shown if reachable from public.

Option 2: Using the browser

As an example, for Lighthouse, you would verify ports 9000 and 30303 are reachable.

Optional: Whitelisting Connections

Whitelisting, which means permitting connections from a specific IP, can be setup via the following command.

⛓️ Install Fail2ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.

To install fail2ban:

Edit a config file that monitors SSH logins.

Add the following lines to the bottom of the file.

To exit and save, press Ctrl + X, then Y, thenEnter.

Restart fail2ban for settings to take effect.

PreviousStep 1: PrerequisitesNextStep 3: Installing execution client

Last updated