Securely install multiple Helium masternodes on the same VPS

AKcryptoGUY
Oct 26, 2018

Quick and Secure VPS Setup at Vultr

by AKcryptoGUY

Introduction

I was asked to put together a quick masternode setup guide that would be easy for non-techies to work with, so that’s what I will do in this guide. The following steps will show you how to use Nodemaster’s automated VPS installation script to install multiple masternodes on the same VPS hosted by Vultr. The steps will probably work with other VPS providers that give you an IPv6 address, but be sure to pick a reputable company because you don’t want your masternodes to go offline often because of unreliable servers.

Before You Begin

  • Create an account at Vultr if you don’t already have one and deposit enough money to cover your first month of hosting. Use my referral link to build some good karma. https://www.vultr.com/?ref=7568060
  • Acquire 1000 Helium for each masternode you want to start. (Two masternodes, for example, will require 2000 Helium, plus a negligible amount for transaction fees)

Instructions

Once you have completed all of the steps listed in the “Before You Begin” section, you are ready to deploy your VPS and start your masternodes.

Prepare your local wallet

  1. Download and run Helium-QT on your local computer. This will be your cold wallet where you keep your Helium safe. It will control your masternodes stored on the VPS. The VPS doesn’t store any of your Helium.

  2. Prepare your masternode.conf file

  • In Helium Core, open Tools & select “Open Masternode Configuration file” → this will open the file in your system’s default text editor
  • Open Tools & select “Debug console”
  • Obtain a masternode account address for each masternode you will create (You can call them whatever you like)
getaccountaddress SampleMN
getaccountaddress MetallicaMN
  • Copy and paste the addresses into the masternode.conf file after the alias name(s) you chose so you have a commented line (or lines) like this:
# SampleMN address Se7SeudtYgNo8uYhPWspyXhtXoDcwDqBk3
# MetallicaMN address SkMW2ostqy5GJKNhiSL7uKjqQM138as2qD
  • NOTE: The addresses are not a piece of the masternode control line but I recommend you keep them here so you’ll always know what the masternode addresses are
  • Next, create a new line for each masternode, beginning with the alias for the masternode, then add a placeholder for the IP address which you won’t have until later
  • Generate a masternode private key for each masternode you will run by running this command as many times as needed
masternode genkey
  • Copy and paste the masternode private keys into the masternode.conf file after each masternode alias and its IP address placeholder
  • Save the masternode.conf file
  • Your masternode.conf file should look something like this (please note that the data for each masternode is contained in one single line and not 2 or 3 different lines. It may look like different lines because of the length of the data which spills over onto additional lines):
# Masternode config file
# Format: alias IP:port masternodeprivkey collateral_output_txid collateral_output_index
# SampleMN address Se7SeudtYgNo8uYhPWspyXhtXoDcwDqBk3
SampleMN [IP_ADDRESS]:9009 7REGAsnDYNSwDdHXwx7igqLnFAxPCaBFsKbCmEdR4HC8SNRJh3d
# MetallicaMN address SkMW2ostqy5GJKNhiSL7uKjqQM138as2qD
MetallicaMN [IP_ADDRESS]:9009 7RUrKUXQJuGS5WLNzR7v9KLn6oS5MFNBGen1wZzBsCvoZfSe7iu
  • Send exactly 1000 HLM to each of your masternode account addresses
  • Keep the masternode.conf file open and do not exit Helium-QT

Secure your Vultr account

  • Paste the SSH public key into the box in “Add SSH Key” on Vultr and give it a name
  • Save the private key on your local Windows computer in a safe place. Then close Puttygen.

Add a Startup Script

On the “Startup scripts” tab, create a new Boot Script and paste the following code into it; modify as needed

#!/bin/sh
# refresh package lists so the installs below can find their packages
sudo apt-get update
# install packages that I frequently use
sudo apt-get install ufw ntp -y
sudo apt-get install htop nethogs wondershaper fail2ban -y
# create a non-root user named "nodeuser" for login
sudo useradd nodeuser
sudo mkdir /home/nodeuser
sudo mkdir /home/nodeuser/.ssh
sudo chmod 700 /home/nodeuser/.ssh
# copy root SSH key to new non-root user
sudo cp /root/.ssh/authorized_keys /home/nodeuser/.ssh
# restrict permissions on the copied authorized_keys file
sudo chmod 400 /home/nodeuser/.ssh/authorized_keys
sudo chown nodeuser:nodeuser /home/nodeuser -R

Create and secure your masternode VPS

  • Deploy a new server (the $10/mo plan should support up to 10 masternodes until the network has grown quite a bit)
  • Choose a location, select Ubuntu 16.04 x64, enable IPv6 under “Additional features”, and enable your startup script and SSH keys when you are creating the new VPS. Then choose “Deploy now” and wait for it to finish
  • Use Putty to connect to the VPS using your IP address, custom SSH port, and the Private Key you saved earlier and login as root

Update the server

apt-get update && apt-get upgrade -y

Prepare Non-root User for remote access

  • While the system is updating, open another Putty instance, and test to see if you can log into your VPS using the non-root user “nodeuser” that was created by your install script
  • Use the same IP address and Private Key as you did for root
  • If it is successful, switch back to the terminal logged in as root
  • When updates have finished, set a sudo password for your non-root user
passwd nodeuser
  • Enter a password to use when you run sudo commands
  • Add your non-root user to sudo group
visudo
  • Comment out all existing users and group lines and then add:
root    ALL=(ALL) ALL
nodeuser ALL=(ALL) ALL
  • Adjust timeout for “sudo” password prompts (for convenience, not for security)

Secure SSH on the VPS by editing the configuration file

sudo nano /etc/ssh/sshd_config
  • Enter a custom SSH port (44112, for example, or a random port number between 1024 and 65535 that doesn’t conflict with another service)
  • Disable root login by changing line to “PermitRootLogin no”
  • Uncomment line to read “PasswordAuthentication no”
  • Save file
  • Restart SSH
sudo systemctl restart sshd
  • Open Putty and update connection settings with RSA private key and new custom SSH port, then save and reconnect by logging in as non-root user
  • If your non-root user prompt is just $ instead of nodeuser@hostname:~$ then you need to enter the command “bash” in order to return to the normal bash prompt
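
The three edits above only take effect if they are the first uncommented value sshd reads for each keyword; a line left commented, or a second line added below an existing one, changes nothing. The check below is an added example in Python (not part of the original guide); the sample configs are constructed, and it assumes a single sshd_config with no Include lines.

```python
import re

# OpenSSH's built-in values, used when a keyword is absent or still commented out.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def effective_settings(config_text):
    """Resolve global sshd_config keywords: first value wins, Port lines add up."""
    settings, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a line that is still commented out changes nothing
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # settings after a Match line are conditional, not global
        if key == "port":
            ports.append(int(value))
        else:
            settings.setdefault(key, value)  # later duplicates are ignored
    return {**DEFAULTS, **settings, "port": ports or [22]}

def audit(config_text):
    """Return findings where the file does not achieve the guide's three changes."""
    s, findings = effective_settings(config_text), []
    if s["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin is effectively '{s['permitrootlogin']}'")
    if s["passwordauthentication"] != "no":
        findings.append(f"PasswordAuthentication is effectively '{s['passwordauthentication']}'")
    if 22 in s["port"]:
        findings.append("sshd still listens on port 22")
    return findings

# Constructed sample: the edits were made, but each one misses its effect.
HALF_EDITED = """\
Port 22
Port 44112
PermitRootLogin prohibit-password
#PasswordAuthentication no
PermitRootLogin no
"""
HARDENED = "Port 44112\nPermitRootLogin no\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for finding in audit(HALF_EDITED):
        print("FINDING:", finding)
```

On the VPS, `sudo sshd -T` prints the values sshd actually resolved and can be used to confirm the same three settings before you close your existing session.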

Configure the firewall

sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow 44112  # use the custom SSH port you selected
sudo ufw enable

Secure shared memory

sudo nano /etc/fstab
  • Add the following line at the end of the file
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Prevent IP spoofing

sudo nano /etc/host.conf

Change the last 2 lines in the file to look like this:

order bind,hosts
nospoof on

Harden your networking layer

sudo nano /etc/sysctl.conf
  • Add the following lines to the file:
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

Enable DDoS protection

sudo nano /etc/ufw/before.rules
  • Add the following lines after *filter line
:ufw-http - [0:0]
:ufw-http-logdrop - [0:0]
  • Add the following lines to the end of the file, before the word COMMIT
### Start HTTP ###
# Enter rule
-A ufw-before-input -p tcp --dport 80 -j ufw-http
-A ufw-before-input -p tcp --dport 443 -j ufw-http
# Limit connections per Class C
-A ufw-http -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 24 -j ufw-http-logdrop
# Limit connections per IP
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 10 --hitcount 20 -j ufw-http-logdrop
# Limit packets per IP
-A ufw-http -m recent --name pack_per_ip --set
-A ufw-http -m recent --name pack_per_ip --update --seconds 1 --hitcount 20 -j ufw-http-logdrop
# Finally accept
-A ufw-http -j ACCEPT
# Log
-A ufw-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] "
-A ufw-http-logdrop -j DROP
### End HTTP ###
# Prevent ping flood
-A INPUT -p icmp -m limit --limit 6/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -j DROP

Enable automatic security updates

sudo nano /etc/apt/apt.conf.d/10periodic
  • Modify the file until it looks like this:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
  • Edit another config file:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
  • Modify the file so it looks like the one below. Only enable security updates:
Unattended-Upgrade::Allowed-Origins {
// ${distro_codename} expands to xenial on Ubuntu 16.04
"${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
};

Your VPS is now a lot more secure than it is with the default settings.

Reboot the server before continuing with masternode setup

sudo shutdown -r now

Install your masternodes

  • Log back into VPS as non-root user in Putty
  • Download and install Teela’s Nodemaster VPS script onto the VPS (use the “key” flag and insert your masternode private keys and the script will configure the masternodes automatically)
sudo git clone https://github.com/heliumchain/vps.git && cd vps
sudo ./install.sh -p helium -c 2 --key FIRSTPRIVATEKEY --key2 SECONDPRIVATEKEY --startnodes

The script will then compile the Helium wallet and install 2 masternodes. Be patient, it will take 20 to 30 minutes to install and when you’re finished, it will activate your masternode daemons and begin syncing the blockchain.

Complete your masternode.conf file

  • While the wallet is compiling, switch back to the Helium wallet and open Debug console to obtain your masternode outputs and transaction IDs.
masternode outputs

You should see something like this:

Copy the txhash and outputidx for each transaction and insert them into your masternode.conf file after each of the masternode private keys.

  • After the script has completed, you need to open the helium.conf file on the VPS to obtain your IP addresses for use in the masternode.conf file on the local wallet.
sudo nano /etc/masternodes/helium_n1.conf

Locate the IP address and type that into the notepad file of masternode.conf on your local wallet in the place where we saved the IP_address placeholder earlier. Enter the IP addresses for all masternodes you will be starting at this time. In IPv6, the IP addresses for all your masternodes will be the same except for the last number which will increment for each additional node (::1, ::2, ::3, etc). When you’ve entered all the IP addresses, save the file. It should look like this when you are finished.

# SampleMN address Se7SeudtYgNo8uYhPWspyXhtXoDcwDqBk3
SampleMN [2001:19f0:ac01:1842:6688::1]:9009 7R6VzdKeA4dK13tK3LpuCiYiMse4V12Ebfknpo1HKLNSiCaj1u9 7efb179e2faf8dd5eb244cd31b3e39a87735d6026ccc0ef8844957a6aa6b8843 0
# MetallicaMN address SkMW2ostqy5GJKNhiSL7uKjqQM138as2qD
MetallicaMN [2001:19f0:ac01:1842:6688::2]:9009 7QX7mibpRf4Sr429CGDgY9z35LGuccfm7KNXcgUnz1dZjRse2Px 95398f942987787c234cb879c16ba0d24101eda31dfee412fb8749df75bed4a5 0

Start your masternodes

  • Exit and restart the Helium wallet
  • Click on the masternodes tab and see your masternodes in the list
  • Check in the VPS to see if your blockchain is fully synchronized (do this for each masternode changing the number after helium_n as needed)
sudo /usr/local/bin/helium-cli -conf=/etc/masternodes/helium_n1.conf getinfo

When the block number in your VPS masternode is the same as the block number in your local wallet, the chain is synced and you may start your masternodes.

  • Select the masternode you want to start and click “Start alias”, or, if you have no other active or enabled masternodes, click “Start all” to start them all. DO NOT CLICK “Start all” if you already have running masternodes, or it will reset the waiting period and you will be very frustrated with yourself.
  • Switching back to the VPS, run the command to check the status of your masternodes. If you see “masternode enabled” then everything is working properly.
sudo /usr/local/bin/helium-cli -conf=/etc/masternodes/helium_n1.conf masternode status

If the output looks like this, then your masternode is running and now you just need to wait patiently until the rewards start rolling in. You may close your local Helium wallet and only need to open it when you want to check on your masternodes or to stake your rewards.

Pro Tip: You can monitor your masternodes at https://heliumstats.online/mynodes. If you find the service valuable, please tip him so he can keep the service running!

Tips and Troubleshooting

  • If you receive an error “could not parse” your masternode.conf file and the wallet will not start, it is probably because you put the information for each masternode on 2 or 3 different lines instead of on one long line. Also, parse errors will occur on Mac OS if you have an empty line in it. No spacing on Mac OS, sorry.
  • If you have a problem when starting or enabling the firewall, check that you don’t have any blank spaces or lines before the COMMIT line at the end of your /etc/ufw/before.rules
  • Monitor the status of your masternodes and track vital statistics online at http://heliumstats.online
  • Do not start your masternodes using the “Start All” button unless you do not have any other running masternodes and this is your first time starting them
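
A small linter for the finished masternode.conf, covering the one-line-per-masternode format shown earlier and the “could not parse” causes listed in the tips above (an added example in Python, not part of the original guide or the Helium wallet). The keys, txid and 2001:db8:: addresses in the sample are constructed placeholders, and the check for a collateral output listed twice is an assumption added here.

```python
import ipaddress
import re

PORT = "9009"  # masternode port used in this guide's masternode.conf lines

def lint_masternode_conf(text):
    """Return a list of (line_number, problem) for masternode.conf text."""
    problems, outputs = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            problems.append((n, "blank line (reported to break parsing on Mac OS)"))
            continue
        if line.startswith("#"):
            continue  # comment lines, e.g. the saved collateral addresses
        fields = line.split()
        if len(fields) != 5:
            problems.append((n, f"expected 5 fields on one line, found {len(fields)}"))
            continue
        alias, addr, _privkey, txid, index = fields  # the key is never echoed
        host, _, port = addr.rpartition(":")
        try:
            ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            problems.append((n, f"{alias}: {host!r} is not an IP address"))
        if port != PORT:
            problems.append((n, f"{alias}: port {port!r}, expected {PORT}"))
        if not re.fullmatch(r"[0-9a-fA-F]{64}", txid):
            problems.append((n, f"{alias}: txid is not 64 hex characters"))
        if not index.isdigit():
            problems.append((n, f"{alias}: output index is not a number"))
        if (txid.lower(), index) in outputs:
            problems.append((n, f"{alias}: collateral output already used"))
        outputs.add((txid.lower(), index))
    return problems

# Constructed sample: placeholder keys and a made-up txid, not real wallet data.
TXID = "ab" * 32
SAMPLE = f"""# Masternode config file
SampleMN [2001:db8::1]:9009 PRIVKEY_ONE {TXID} 0

MetallicaMN [IP_ADDRESS]:9009 PRIVKEY_TWO
{TXID} 1
ThirdMN [2001:db8::3]:9009 PRIVKEY_THREE {TXID} 0
"""

if __name__ == "__main__":
    for n, msg in lint_masternode_conf(SAMPLE):
        print(f"line {n}: {msg}")
```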

Watch this video on YouTube: https://youtu.be/mj1FyN6Wauk
