Extensive guide to a secure LTO.network public node setup

Introduction to setting up a secure Ubuntu server for the first time

This tutorial is meant for beginners who want to set up an Ubuntu server for the first time. It contains the very basic steps of installing Ubuntu on a new server, enhance security and installing the LTO.network public node. The tutorial is based on Ubuntu 16.04. It is recommended to run nodes on a rented VPS. I’ll include a list of trustworthy and stable VPS providers at the end of the tutorial. Most providers offer a single click to install an OS. Things may differ depending on your provider.

Replace everything between < > with your own values.

To install Ubuntu, use the following tutorial which will guide you through the process. https://tutorials.ubuntu.com/tutorial/tutorial-install-ubuntu-server-1604

Make sure to install OpenSSH in step 10. The other the packages are not needed.

We’re using SSH to connect to our server. For Windows use either PowerShell (run as administrator) or PuTTy.

Mac users can use the built-in terminal (spotlight, command + spacebar: search for terminal)

It is most likely that you’ve created a user with your own username during the installation and you’ll never have to login as ‘root’. If this is the case for you, you can skip to step 3.

By default, the root account password is locked in Ubuntu. This means that you cannot login as root directly or use the su command to become the root user. However, since the root account physically exists it is still possible to run programs with root-level privileges. This is where sudo comes in — it allows authorized users to run certain programs as root without having to know the root password. If you are, for some reason, logging in as root, please first follow step 1 and 2.

1. Basic system setup as root

If you are done with the installation, connect to your server through SSH, using the root account provided by your host.

  • ssh root@<ip-address>
  • example: ssh root@

Change the root password (type it twice):

  • passwd

Exit and login again with your new password:

  • exit
  • ssh @<ip-address>
  • example: ssh root@

2. Adding a new user

Now, we’re going to create a new regular user as it is not recommended to use the ‘root’ account for your node.

  • adduser <new_user>
  • example: adduser john

Enter a new and strong password twice and press enter six times to accept the default values.

Now we’re going to add the new user to the ‘sudo’ group. sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.

  • usermod -a -G sudo <new_user>
  • example: sudo usermod -a -G sudo john

Exit and connect to your server as the new user, not as root. Use the password you’ve set while creating the new user.

  • exit
  • ssh <new_user>@<ip-address>
  • example: ssh john@

2.1 Extra security measure: add SSH key to your user

While it is possible to manage your servers using password-based logins, it is often a better idea to set up and use SSH key pairs. SSH keys are more secure than passwords, and can help you login without having to remember long passwords.

More info and extensive guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-1604

3. Adding our user to the sudo group

If you’ve followed step 1 and 2, you can now skip to step 4. If you are done with the installation, connect to your server through SSH, using the account you have set up during the installation process.

  • ssh john@<ip-address>
  • example: ssh john@

We need to add the user to the ‘sudo’ group. sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.

  • sudo usermod -a -G sudo <user>
  • example: sudo usermod -a -G sudo john

4. Updating and installing packages on your server

The following commands require root privileges. To grant root privileges, simply prepend sudo to all the commands you need to run as root. If you ever get a ‘permission denied’ error, you probably forgot to prepend sudo to the command. Example: ‘sudo apt-get install npm’. Whenever you get the question if you want to continue and additional disk space will be used, just press Y on your keyboard.

It is important to update all the existing packages on the server. Ubuntu will ask you to fill in your password once again since you are now logged in as a ‘regular’ user.

To update the packages, use the following commands as the root user (and repeat those commands at least every week to get the latest security updates):

  • sudo apt-get update
  • sudo apt-get dist-upgrade

Reboot your server (just in case the kernel has been updated) and connect again.

  • reboot
  • ssh <user>@<ip-address>
  • example: ssh john@

It is important to have an accurate time on your system as this sometimes can cause for conflicts. In most cases it’s best to use pool.ntp.org to find an NTP server. The system will try finding the closest available servers for you.

  • sudo apt-get install ntp
  • sudo apt-get install ntpdate
  • sudo service ntp stop
  • sudo ntpdate pool.ntp.org
  • sudo service ntp start

Now, install additional packages which are needed or useful. We install nano text editor to edit the docker-compose file later in this tutorial.

  • sudo apt-get install nano

5. Secure your SSH connection

We’re going to change the standard SSH port to make your server just a bit more secure.

To make it even more secure, you can use the following guide (not recommended): https://www.cyberciti.biz/faq/how-to-disable-ssh-password-login-on-linux/

We’re not recommending this, as you won’t be able to login anymore from any computer or mobile phone on the go.

Continue here:

Open the sshd_config file with nano:

  • sudo nano /etc/ssh/sshd_config

Go to the line with ‘Port 22’ and change it to another port number between 49152 and 65535.

  • example ‘Port 51234’

From now on, we will be referring to this new port as <new_ssh_port>.

Go to line ‘PermitRootLogin yes’ and change it to ‘PermitRootLogin no’.

  • example ‘PermitRootLogin no’

Press control + X, press Y and press enter to save your new configuration.

Restart the SSH service:

  • sudo service ssh restart

Now we’re going to disconnect and reconnect again to test if the new port is working and remember to add your new port as following:

  • exit
  • ssh -p <new_ssh_port> <user>@<ip-address>
  • example: ssh -p 51234 john@

6. Enabling Swap space

It’s not recommended to enable swap with SSD drives as it can cause drive degradation over time.

It is recommended to enable Swap on your server if you don’t have an SSD drive, if not done already.

First check if swap isn’t already enabled:

  • sudo swapon -s
  • free -m

If swap is not enabled, use the following extensive guide to enable it: https://www.digitalocean.com/community/tutorials/how-to-add-swap-space-on-ubuntu-16-04

7. Installing fail2ban

Fail2ban scans log files and bans IPs that show the malicious signs: too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time.

  • sudo apt-get install fail2ban

Now we’re going to edit the fail2ban config to your modified ssh port:

  • sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • sudo nano /etc/fail2ban/jail.local

Replace every line that looks like this:

  • port = ssh

With your new ssh port:

  • port = <new_ssh_port>

It should look then similar to this:

  • example:
    # SSH servers
  • [sshd]
  • port = 51234
    logpath = %(sshd_log)s

Save and exit with ctrl + X, Y, ENTER.

Now, restart fail2ban:

  • sudo service fail2ban restart

8. Setting up your firewall

Check this tutorial fore more details: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-16-04

First check the status of the firewall:

  • sudo ufw status

Now we’re going to set up the firewall, blocking all the ports but allowing traffic on the ports for your SSH connection and opening the port for synchronization with other nodes in the network.

  • sudo ufw disable
  • sudo ufw default deny incoming
  • sudo ufw default allow outgoing
  • sudo ufw allow 6868
  • sudo ufw allow <sshport>

example: sudo ufw allow 51234

  • sudo ufw logging on
  • sudo ufw enable

Check the status again to see if the rules are updated:

  • sudo ufw status

After a short period of time you can reconnect to your VPS.

9. Installing Docker

We’re finally getting close to installing your LTO.network public node! The node is easily installed through a Docker image, so first we’re going to need to install Docker & Docker Compose on our server. Use the following guides to do so and stop when you’ve ran the test provided in this guide (sudo docker run hello-world):

Docker: https://docs.docker.com/install/linux/docker-ce/ubuntu/

After that, Docker Compose: https://docs.docker.com/compose/install/

Now, give docker the proper privileges:

  • sudo groupadd docker
  • sudo usermod -aG docker $USER

Log out and log back in so that your group membership is re-evaluated.

  • exit
  • ssh -p <new_ssh_port>@<ip-address>
  • example: ssh -p 51234 john@

Verify that you can run docker commands without sudo.

  • docker run hello-world

For more info check: https://docs.docker.com/install/linux/linux-postinstall/#manage-docker-as-a-non-root-user

10. Create a wallet

So before you can start a node, you will need a wallet with tokens. Create a wallet via https://wallet.lto.network.

You will need at least 1000 LTO to be eligible to forge but it’s recommended to have at least 10.000 LTO. For extra security you can create two wallets: one with your token holdings and one for your node. Lease the tokens with wallet 1 (holdings) to wallet 2 (node).

11. Starting your node for the first time

Yay, it’s finally time to start your node! At least you have a more secure server now, and that is super important!

Head over to the LTO.network Github repository:

Look up your IP address by entering the following command in your command line, copy the IP address and save it somewhere, you will need it in the next step.

Now, all you need is the docker-compose.yml file. What works best is copying the content in a new file. So let’s make the new file on your server:

  • sudo touch docker-compose.yml

Open the file with nano:

  • sudo nano docker-compose.yml

Paste the contents from the docker-compose.yml file from the LTO Github repository in a code editor like Visual Studio Code and enter your details. Now copy it and paste the contents in the file in your node with your right mouse click. Example:

version: '3'services:public-node:
- ./data:/lto/data
container_name: public-node
image: legalthings/public-node
- 6869:6869
- 6868:6868
- LTO_WALLET_SEED=<place the fifteen words here>
- LTO_WALLET_PASSWORD=<setapasswordforencryption>
- LTO_DECLARED_ADDRESS=<your_node_ip>:6868

(not mandatory) If you want to approach your node from your localhost with a browser, add the following lines after the last line:

- LTO_API_KEY=<setapasswordforyourapi>

Press ctrl +x and y to close and save the file.

Now it’s really time to start your node! Use the following command to run the Docker container in the background. It will pull the latest image from the LTO node and start running.

  • docker-compose up -d

To see the progress use the following command:

  • docker logs -f public-node

To let the node running in the background either close the terminal or press ctrl +c.

If you get an ‘unsupported version’ error after starting your node, change the version number to ‘2’ in the docker-compose.yml file.

All you have to do now is wait for 1000 blocks to pass before your node becomes active in the mining process.

Yay, you’ve done it! Wasn’t so hard right. If you have any questions, you can ask them on the LTO Telegram channel.

If you have any feedback don’t hesitate to contact me.




Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Introduction to Apache Spark

Create Api Documentation with DocFx using Visual Studio and CLI

Airflow Summit Day 2 Takeaways

AWS CDK Microservice

AWS CDK Workflow

On having “dev” match “production”

A real-world example of a Stream Collector

Introduction to Sealed Classes

Into the art of Binary Exploitation 0x000003 [Prominence of Integer-Overflow]

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


More from Medium

How to set up N3XTSPACE Mining cryptocurrency N3S on mobile.

Origins – Part 1

🗞 Weekly report: week 12 of 2022

How To Get 10 BNB with PancakeSwap Full Tutorial