Secure the Server

Security is important. This is not a comprehensive security guide, just some basic settings and options depending on your level of security tolerance and technical competencies. Completing this guide will provide a solid baseline to protect and secure your staking node.

🤖 In case you need an SSH client for your operating system, refer to: How to Connect to an SSH Server from Windows, macOS, or Linux (How-To Geek).

Disable SSH password authentication and use SSH keys only

OPTIONAL: This section is recommended for advanced users who know how to use RSA key pairs to securely log in to remote servers. Otherwise, skip this section and continue to the section: Modify the Default SSH Port.

Create a new SSH key pair on your local machine (the device you will log in from, not the server). You will be asked to type a file name in which to save the key; this will be your key name.

Generate your RSA key pair:

cd ~
ssh-keygen -t rsa -b 4096

Press Enter to accept the default file name: the private key is saved as id_rsa and the public key as id_rsa.pub.

Enter a passphrase if you wish.

Transfer the keys to your remote server at $HOME/.ssh if you generated the key from another device.

NOTE: For the command below, replace <User> with your login username and <serverIP> with your server’s IP address.

ssh-copy-id -i $HOME/.ssh/id_rsa.pub <User>@<serverIP>

If you are told that the authenticity of the host cannot be established, type yes to continue connecting. Then type in your login password.

Login with your SSH key.

ssh <User>@<serverIP>

Once you have confirmed that it works, you can log out. Ensure you copy the private key (id_rsa) to any other devices you wish to log in from.

Disable root login and password-based login by editing the /etc/ssh/sshd_config file.

sudo nano /etc/ssh/sshd_config

Locate ChallengeResponseAuthentication and update to no.

ChallengeResponseAuthentication no

Locate PasswordAuthentication and update to no.

PasswordAuthentication no

Locate PermitRootLogin and update to prohibit-password.

PermitRootLogin prohibit-password

Locate PermitEmptyPasswords and update to no.

PermitEmptyPasswords no

Validate the syntax of your new SSH configuration.

sudo sshd -t

If the syntax validation reports no errors, restart the SSH process.

sudo systemctl restart sshd

Verify that the login still works (the -p option is only needed once you have changed the port in the section Modify the Default SSH Port).

ssh <User>@<serverIP> -p <CustomPortNumber>
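As an added check, not from the original guide, the shell function below reads an sshd_config and reports any directive from this section that does not have the value set above. It mirrors sshd's first-match rule, so a leftover line higher up in the file that would silently override your edit is caught; the output of sudo sshd -T, which dumps the effective configuration, can be piped in as well.

```shell
# Added check, not from the original guide: compare sshd_config directives against
# the values set above. sshd uses the FIRST uncommented occurrence of a keyword,
# so a stray "PasswordAuthentication yes" above your edit silently wins.
# Usage: check_sshd_hardening < /etc/ssh/sshd_config
#    or: sudo sshd -T | check_sshd_hardening     (effective config, lowercase keys)
# Assumption: global directives only; Match blocks and Include files are not followed.
# Returns 0 when everything matches, otherwise prints each mismatch and returns 1.
check_sshd_hardening() {
    awk '
        BEGIN {
            want["passwordauthentication"] = "no"
            want["challengeresponseauthentication"] = "no"   # KbdInteractiveAuthentication on newer OpenSSH
            want["permitrootlogin"] = "prohibit-password"
            want["permitemptypasswords"] = "no"
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                   # skip comments and blank lines
        { k = tolower($1); if (!(k in got)) got[k] = $2 }    # first match wins, like sshd
        END {
            rc = 0
            for (k in want) {
                val = (k in got) ? got[k] : "<unset>"
                if (val != want[k]) { printf "%s expected=%s actual=%s\n", k, want[k], val; rc = 1 }
            }
            port = ("port" in got) ? got["port"] : "<unset>"   # unset means the default 22
            if (port == "<unset>" || port == "22") { printf "port expected=<non-default> actual=%s\n", port; rc = 1 }
            exit rc
        }'
}

# Constructed sample (not a real file): the edit made further down never takes effect
sample_sshd_config_bad() {
    cat <<'EOF'
Port 6673
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
EOF
}
```

Running sample_sshd_config_bad | check_sshd_hardening reports passwordauthentication expected=no actual=yes, which is exactly what sudo sshd -t would not tell you, since the file is syntactically valid.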

Optional: To simplify the ssh command needed to log in to your server, consider updating your local $HOME/.ssh/config file:

Host lodestar-server
  User <User>
  HostName <serverIP>
  Port <CustomPortNumber>

This will allow you to log in with ssh lodestar-server rather than needing to pass all the ssh parameters explicitly.

Proceed to Modify the Default SSH Port.

Modify the Default SSH Port

Port 22 is the default SSH port and a common attack vector. Change the SSH port to avoid this.

Choose a port number between 1024 and 49151. Then run the following command, replacing <YourSSHPortNumber> with the selected port number, to check that it is not already in use:

sudo ss -tulpn | grep ':<YourSSHPortNumber>'

A blank response indicates the port is not in use; any output (shown in red) indicates it is in use, so try a different port. E.g. sudo ss -tulpn | grep ':6673'

Once the port is confirmed available, modify the default port by updating the SSH config.

sudo nano /etc/ssh/sshd_config

Find the line Port 22 in the file, or add it if not present. Remove the # (if present) and change the value as below.

Port <YourSSHPortNumber>

Check the screenshot below for reference; it shows Port 123 as an example. Press CTRL + x, then y, then Enter to save and exit.

Restart the SSH service to reflect the above changes.

sudo systemctl restart ssh

Log out and log back in via SSH, using <YourSSHPortNumber> for the port.

NOTE: If you plan to use a password login for your server, it is recommended that you also set up 2-Factor Authentication, or skip to the section: Disable SSH password authentication and use SSH keys only.


Setup 2-Factor Authentication for your Server

OPTIONAL: If you would like added security on top of your password, you can set up Google Authenticator to further protect your server from unauthorized access. Otherwise, skip this section and continue to Install Fail2ban.

Install the package required for Google Authenticator.

sudo apt install libpam-google-authenticator -y

To make SSH use the Google Authenticator PAM module, you will need to edit the file located at /etc/pam.d/sshd:

sudo nano /etc/pam.d/sshd

Add the following line at the bottom of the configuration file:

auth required pam_google_authenticator.so

Check the screenshot below for reference. Press CTRL + x, then y, then Enter to save and exit.

Now we will restart the sshd daemon with the following command:

sudo systemctl restart sshd.service

We must now modify the sshd configuration file located at /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

We will locate the following parameters and update them to yes. Check the screenshot below for reference.

ChallengeResponseAuthentication yes

UsePAM yes

Press CTRL + x, then y, then Enter to save and exit.

We will now set up Google Authenticator with the following command:

google-authenticator

You will be asked a series of questions, and the recommended settings are:

  • Make tokens "time-based": yes

  • Update the .google_authenticator file: yes

  • Disallow multiple uses: yes

  • Increase the original generation time limit: no

  • Enable rate-limiting: yes

Use the screenshots below as an example reference:

WARNING: The giant QR code that appeared is a representation of your secret key used for your Google Authenticator application. This key is required to generate the proper 6-digit codes you use to verify your 2FA and log into your server. It is VERY IMPORTANT to write down your emergency scratch codes and KEEP THEM SAFE in case you lose access to your phone.

Now open Google Authenticator on your phone and add your secret key, so that you still have access to your server after entering your password.

Proceed to Install Fail2ban.

Install Fail2ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for patterns that correspond to failed login attempts. If a certain number of failed logins are detected from a specific IP address within a specified amount of time, fail2ban blocks access from that IP address.

sudo apt-get install fail2ban -y

Edit the jail config file that covers SSH logins (nano creates it if it does not exist yet):

sudo nano /etc/fail2ban/jail.local

Whitelisting IP address tip: The ignoreip parameter accepts IP addresses, IP ranges or DNS hosts that fail2ban will never ban. This is where you specify your local machine, local IP range or local domain, separated by spaces, e.g. ignoreip = 192.168.1.0/24 127.0.0.1/8

[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses, e.g. your local daily laptop/pc
ignoreip = <list of whitelisted IP addresses>

Press CTRL + x, then y, then Enter to save and exit.

Restart fail2ban for settings to take effect.

sudo systemctl restart fail2ban

Configure the Firewall

Ubuntu 20.04 servers can use the default UFW firewall to restrict inbound traffic to the server. Before you enable it, allow inbound traffic for SSH, Go Ethereum, and Lodestar.

Install UFW

UFW should be installed by default. The following command will ensure it is.

sudo apt install ufw

Apply UFW Defaults

Explicitly apply the defaults: inbound traffic is denied and outbound traffic is allowed.

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow SSH

Allow inbound traffic on <YourSSHPortNumber> as set above. SSH uses the TCP protocol. E.g. sudo ufw allow 123/tcp

sudo ufw allow <YourSSHPortNumber>/tcp

Deny SSH Port 22

Deny inbound traffic on Port 22/TCP.

NOTE: Only do this after you have confirmed you can SSH in using <YourSSHPortNumber>.

sudo ufw deny 22/tcp

Allow Go Ethereum (Geth)

Allow P2P connections with Go Ethereum peers on Port 30303.

OPTIONAL: If you are using an Ethereum execution node hosted by a 3rd party, skip this step.

NOTE: If you are hosting your Ubuntu instance locally, your internet router may need to be configured to allow and forward incoming traffic on port 30303 to your server.

sudo ufw allow 30303

Allow Lodestar Ports

Allow P2P connections with Lodestar peers for the beacon node (Port 9000).

NOTE: If you are hosting your Ubuntu instance locally, your internet router may need to be configured to allow and forward incoming traffic on port 9000 to your server.

sudo ufw allow 9000

Allow HTTP connections to Prometheus metrics (Port 3000).

sudo ufw allow 3000

Deny Internal IP Addresses (As Required)

If you are running Lodestar within a cloud computing environment, you may want to consult with your cloud provider and ensure that certain internal IPs are restricted from communication, to minimize the risk of your server being flagged as an attack/spam/DDoS source.

You can use UFW to block those IPs and ports using commands found in this article about how to block an IP address with UFW.

Enable the Firewall

Enable the firewall and verify that the rules have been configured correctly.

sudo ufw enable
sudo ufw status numbered

Check the screenshot below for reference.

Configure Timekeeping on the Server

Ubuntu has time synchronization built in and activated by default using systemd’s timesyncd service. Verify that it is running correctly.

timedatectl

The NTP service should be active. If it is not, run:

sudo timedatectl set-ntp on

Check the screenshot below for reference. You should only be using a single timekeeping service. If you were using NTPD from a previous installation, you can check whether it exists and remove it using the following commands.

ntpq -p
sudo apt-get remove ntp
