How To Secure Your ARK Node

Rok Černec
Published in ARK.io | Blog
Mar 7, 2017

Now that we have our ARK node set up and running, it is time to put some basic security measures in place on your server. This guide covers only the most basic ones. Each command is on its own line and, unless stated otherwise, you run it by pressing the [enter] key.

1) Preventing ‘Root’ Login and Changing SSH Port

Note that for this you need to have already set up the user that we created in the How to setup an ARK node guide, or else you can be locked out of your server. We will be disabling root login, so the only way to log in will be with your new user name and password. So, first, connect to your server via Putty / terminal as the user you created for your ARK node, and then open the sshd config file with the command below. You will be asked for your user password since we are running it with sudo:

sudo nano /etc/ssh/sshd_config

You can move around the file with the arrow keys: up, down, left and right. You can delete characters in the file with the backspace or delete keys.

Be careful to not press any extra keys and follow this guide precisely, or else you can break the proper functioning of the SSH server and lock yourself out, which would require starting all over again with a fresh server!

a) Changing the SSH port*

The default SSH port is 22, so we will change it to a number between 49152 and 65535. You can choose anything in this range. For the purpose of this guide, we will use port 55555.
*Remember or save this port number somewhere: if you forget or lose it, you won’t be able to connect to your server over the newly set SSH port anymore.

As we said, we will change to port 55555 - move down with arrow keys to 22 and erase 22 with backspace or delete, then type in your preferred port.

b) Disable root logins and change login grace time

Next, we will disable root login to your server and lower the LoginGraceTime setting. When you connect to a server, you have 120 seconds to log in. If you don’t successfully log in within 120 seconds, SSH will disconnect.
120 seconds to login successfully is too long, so we will be changing this to 60 seconds (you can even change it to 30 seconds).

Now that we have the port changed, move the cursor with the down arrow key to where it says:
LoginGraceTime 120
PermitRootLogin yes

We will be changing both of these values to:
LoginGraceTime 60
PermitRootLogin no

After you are done, it should be like this:

c) Disabling X11forwarding and limiting concurrent connections to your SSH

Now that we have that done, since we don’t need X11 graphics forwarding, we will disable it. Move down further with the arrow keys to where it says X11Forwarding, which we will be changing as follows:

Change:
X11Forwarding yes
To:
X11Forwarding no

The next step is to limit concurrent SSH connections that have not yet authenticated, which is what MaxStartups controls.
Change:
#MaxStartups 10:30:60
To:
MaxStartups 2

Note that you need to un-comment this line to make it active, so you must delete the # at the start!

After you are done, this section should be like this:

These are all of the changes we have to make in this file. Now we just need to save and close it. Press:
CTRL + X
You will be asked to either save or not save changes. By pressing ‘Y’ key you accept the changes, and then press [enter] to overwrite the current file.

Press ‘Y’ to modify file. After that you will be asked to replace the file - press [enter]:

Now that we are back at the command line, we need to restart the SSH service with the following command (if prompted for your sudo password, provide it):

sudo service ssh restart
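
Because a mistake in this file can lock you out, the saved file can be checked against the values from steps a) to c) before the restart above is run. The script below is an added example, not part of the original guide; the helper names sshd_value, is_number and check_sshd_config and the sample file are made up for illustration, and it reads only settings that appear before any Match block.

```sh
# Added example (not from the original guide): audit an sshd_config against
# the values chosen above. The helper names are hypothetical, not OpenSSH tools.

# Print the effective global value of a keyword. sshd uses the first active
# occurrence of a keyword, and keyword names are case-insensitive.
sshd_value() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }                  # commented-out lines are inactive
        tolower($1) == "match" { exit }     # stop where conditional blocks begin
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Succeed only if $1 is a non-empty string of digits.
is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

check_sshd_config() {
    file=$1; rc=0
    port=$(sshd_value "$file" Port)
    grace=$(sshd_value "$file" LoginGraceTime)
    if ! is_number "$port" || [ "$port" -lt 49152 ] || [ "$port" -gt 65535 ]; then
        echo "FAIL Port=${port:-unset} (want 49152-65535)"; rc=1
    fi
    # 0 means "no time limit", so it is rejected along with values above 60.
    if ! is_number "$grace" || [ "$grace" -lt 1 ] || [ "$grace" -gt 60 ]; then
        echo "FAIL LoginGraceTime=${grace:-unset} (want 1-60 seconds)"; rc=1
    fi
    for want in PermitRootLogin=no X11Forwarding=no MaxStartups=2; do
        key=${want%%=*}; val=$(sshd_value "$file" "$key")
        if [ "$val" != "${want#*=}" ]; then
            echo "FAIL $key=${val:-unset or commented out} (want ${want#*=})"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: MaxStartups was edited but the leading # was left in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 55555
LoginGraceTime 60
PermitRootLogin no
X11Forwarding no
#MaxStartups 2
EOF
check_sshd_config "$sample" || echo "fix the lines above before restarting ssh"
rm -f "$sample"
```

On the server, point check_sshd_config at /etc/ssh/sshd_config, and run sudo sshd -t first: it only tests the file for syntax errors and prints nothing when the file is valid.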

Now it’s time to test this out and reconnect. Open another instance of Putty (in our case) or terminal* software and change the SSH port from 22 to the one you set in the sshd_config file (in our case 55555):

*If you are connecting via terminal, simply swap the port number with your chosen one:
ssh -p new_ssh_port yourusername@serverIP
for our example: ssh -p 55555 ark@162.243.232.177

For Putty:

In the Host Name field, enter your IP in the right box. In Port field, enter your newly chosen SSH port (in our case 55555), and click on Open to establish a connection.

Putty will ask you for the host key, click `Yes` to open the session.

Log in with your user (in our case ark) and password. Note that if you try to log in with the username root it will not be allowed anymore, since we disabled root logins in the previous step.

Now we are connected via the newly set SSH port.

2) Configuring Firewall*

*(it should be part of Ubuntu by default, but if you get a message when you run ‘sudo ufw status’ that it is not installed, you can install it with):
sudo apt-get install ufw

First step is to configure the firewall and allow only the ports that we need to be open. For that we will first run the command to check if the firewall is running:
sudo ufw status

It should return Status: inactive, and if not, then we first need to disable it with this command:
sudo ufw disable

Now we must deny all incoming traffic with:
sudo ufw default deny incoming

After that we must open the ports that we need, and one of them is, of course, our newly set SSH port, in our case port 55555. Since we are running devnet on port 4002, that one must be open, and if you are running a delegate for main net, port 4001 must be open as well. As we don’t need UDP, we will only allow TCP by adding /tcp to the end of each ufw allow command. If you are going to run the node through an SSL connection, you will also need to open that port (the default config doesn’t need it). Now run the following commands:

sudo ufw allow (your new ssh port number)/tcp
our example: sudo ufw allow 55555/tcp

Next is to enable our main net port, which is by default set at 4001
sudo ufw allow 4001/tcp

Next is to enable our devnet port, which is by default set at 4002
sudo ufw allow 4002/tcp

After that we need to enable the firewall with the command:
sudo ufw enable

You will be prompted to proceed — type the letter ‘y’ and press [enter].

You can check the firewall status with the command:
sudo ufw status

It should now say Status: active and list all of the ports we set up.

3) Installing and Configuring Fail2Ban

Fail2Ban is software that mitigates brute-force attacks. First we need to install it with the command:
sudo apt-get install fail2ban

Now, in order to make modifications to the fail2ban configuration file, we need to copy the file /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local. This will prevent our modifications from being overwritten if a package update provides a new default file. We do it with this command:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now let’s open that configuration file with the editor:
sudo nano /etc/fail2ban/jail.local

Now that we have the jail.local file opened it is time to change EVERY reference where it says port = ssh to the new ssh port that you chose in Part 1 of this guide. In our example, every new port = ssh will say port = 55555

It should look like this after you are done (go through the whole file):

After you are done, we need to close and save. Press CTRL+X, followed by pressing ‘Y’ and overwriting the file with [enter]. Remember to only change references where it says port = ssh to port = (your new ssh port)!

Now, the last part is to restart fail2ban to accept the new changes with this command:
sudo service fail2ban restart

You can check the status of fail2ban with this:
sudo service fail2ban status
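
The port = ssh edit from this part can also be scripted instead of made by hand in nano. The following is an added example, not part of the original guide: jails_using_ssh_name and set_ssh_port are hypothetical helper names, and the sample file is constructed to stand in for /etc/fail2ban/jail.local.

```sh
# Added example (not from the original guide). jails_using_ssh_name and
# set_ssh_port are hypothetical helper names, not fail2ban commands.

# List the [jail] sections whose port is still the service name "ssh".
jails_using_ssh_name() {
    awk '
        /^\[/ { jail = $0 }
        /^port[ \t]*=[ \t]*ssh[ \t]*$/ { print jail }
    ' "$1"
}

# Rewrite only lines that are exactly "port = ssh"; any other port value
# (for example "port = http,https") is left untouched.
set_ssh_port() {
    file=$1; port=$2
    case "$port" in
        ''|*[!0-9]*) echo "port must be a number" >&2; return 2 ;;
    esac
    awk -v p="$port" '
        /^port[ \t]*=[ \t]*ssh[ \t]*$/ { sub(/ssh[ \t]*$/, p) }
        { print }
    ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# Constructed sample standing in for /etc/fail2ban/jail.local.
jail=$(mktemp)
cat > "$jail" <<'EOF'
[ssh]
enabled  = true
port     = ssh
filter   = sshd

[ssh-ddos]
enabled  = false
port     = ssh

[apache]
enabled  = false
port     = http,https
EOF

jails_using_ssh_name "$jail"     # jails that are about to be changed
set_ssh_port "$jail" 55555
grep -n '^port' "$jail"          # review the result before restarting fail2ban
```

After the rewrite, jails_using_ssh_name should print nothing for the file; any jail it still lists has a port = ssh line that was missed.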

That is it! Your server is now a little bit more secure.

If you have any additional questions or problems don’t hesitate to join our Slack and one of the crew members or community members will gladly help you out!
