Improving Validator Security and using HSM Module for 2FA

Chainode Tech
Nov 1, 2019 (7 min read)

What are HSM modules and why should you use them?

Hardware Security Modules (HSMs) generate, manage and store the cryptographic keys that are required to authenticate a user or device in a broader network. Malware attacks and remote extraction of private keys are much more difficult when an HSM module is configured properly.

When your private key sits on your validator protected only by a password, an attacker who gains access can simply copy the key and sign malicious transactions or produce double signs, which can result, for example, in slashing of your stake or other unwanted operations on your node.

By using Two-Factor Authentication (2FA) together with an HSM module, you strengthen the authentication on your Virtual Private Server (VPS). There are many options for 2FA, but it is recommended that you use an HSM module like a YubiKey for this.

Even better is to use a certificate (SSH key) in combination with an HSM module for authentication, and to disable password login altogether.

How can I secure the access to my VPS better?

1. Add Two-Factor Authentication to your VPS provider account if it is supported

Serious VPS providers already support this, including 2FA with an HSM module like a YubiKey.

2. Create an SSH public/private key pair for your VPS and assign the public key to the VPS when creating it

On Windows you can use, for example, PuTTYgen to generate your SSH key pair.

To generate the SSH keys on macOS use the Terminal and the command below.

Command: ssh-keygen -t rsa

3. Define and use the firewall services of your VPS cloud provider, such as Security Groups on AWS

4. Use your SSH private key, not a password, to authenticate on your VPS

5. If you received any root password after creating your VPS, change it

Command: passwd

Make sure to back up this password, and be aware of where you store it so that it cannot be stolen.

For holding passwords, keywords, etc., an encrypted hardware device or a paper wallet is recommended. It is not recommended to keep passwords or keywords in hot storage such as your personal computer or notebook.

6. Once logged in, update your OS

Command for Debian-based systems: sudo apt-get update && sudo apt-get upgrade

7. Create a separate user from root for your application

It is not recommended to work directly as the root user on your VPS.

Command: adduser <your-username>

Add the newly created <your-username> user to the sudo group:

Command: adduser <your-username> sudo

You can switch to the new user with the following command:

Command: sudo -u <your-username> -i

8. Create the necessary setup so that the newly created user can log in using a certificate

Commands:
sudo mkdir -p "/home/<your-username>/.ssh"
sudo chmod 0700 "/home/<your-username>/.ssh"
sudo chown "<your-username>:<your-username>" "/home/<your-username>/.ssh"

Add the public key to your newly created user:

Commands:
sudo nano "/home/<your-username>/.ssh/authorized_keys"
sudo ls -l "/home/<your-username>/.ssh"
sudo chown "<your-username>:<your-username>" "/home/<your-username>/.ssh/authorized_keys"
sudo chmod 0600 "/home/<your-username>/.ssh/authorized_keys"

9. Set up YubiKey 2FA on Debian-based systems like Ubuntu and strengthen the general authentication

First add the Yubico PPA (Personal Package Archive) and install the PAM library:

Commands:
sudo add-apt-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install libpam-yubico

Let's add the PAM settings for SSH:

Command: sudo nano /etc/pam.d/sshd

Add the following line at the top of the file to enable the module:

auth sufficient pam_yubico.so id=[Your API Client ID] key=[Your API Client Key] authfile=/etc/yubikey_mappings

How do I get the API Client ID and API Client Key?

You can request them here: https://upgrade.yubico.com/getapikey/

To improve security, comment out the following line:

@include common-auth

This way the YubiKey is required to authenticate, with no possibility of falling back to the password.

Save the file and exit:

Command: Ctrl+X and then press "y"

The next step is to create a mapping file that defines which YubiKey device is assigned to which user of your VPS.

The mapping file contains users and YubiKey identifiers. The YubiKey identifier is always the first 12 characters of the token the YubiKey generates. To generate a token, just tap your YubiKey, then take the first 12 characters of the output. If you have multiple YubiKeys, you can add multiple identifiers for one user.

The format of each line is <user>:<first 12 characters of YubiKey token>

Command: sudo nano /etc/yubikey_mappings

Add the mappings for each user:

<user1>:<first 12 characters of yubikey1>:<first 12 characters of yubikey2>

<user2>:<first 12 characters of yubikey1>

Save and close the file:

Command: Ctrl + X then "y"

The next step is to update the sshd_config file so that it authenticates via public key and PAM:

Command: sudo nano /etc/ssh/sshd_config

The following changes need to be made:

  • Enable challenge-response authentication by setting it to "yes":

ChallengeResponseAuthentication yes

  • Add a new line that sets the authentication methods so that, for each user, the public key must be valid first and then the YubiKey token is required:

AuthenticationMethods publickey,keyboard-interactive:pam

  • Make sure PAM is enabled:

UsePAM yes

  • Disable password authentication: remove the "#" in front of the PasswordAuthentication line and change its value from yes to no.

  • Disable root login: if you have created a separate user for your application, deployments, etc., you can also disable SSH access for the root user, which adds an extra layer of security to your VPS. Find the PermitRootLogin line, remove the "#" at the beginning of it and set the value to no.

  • Change your SSH port from 22 to another one, for example 2225.

Don't use any of the ports in this list: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers, as they are already assigned to other services.

Resulting sshd_config file:

# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 2225
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
AuthenticationMethods publickey,keyboard-interactive:pam
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

Save and exit:

Command: Ctrl + X then "y"

Finally restart the sshd service to update the settings:

Command: service sshd restart

Test the configuration

It is recommended to keep the current session open. If something went wrong, you will still have access to your VPS and be able to make changes.

Open a new SSH connection and check that the login with certificate and YubiKey works. The certificate is checked first, and then you are prompted for the YubiKey. At that point just tap your YubiKey to enter your token and log in.

10. Install fail2ban to reduce brute-force attacks

Command: sudo apt-get install -y fail2ban

Start and enable the service:

Commands:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

It is recommended to keep your own configuration in a separate jail.local file. First copy the base configuration jail.conf to jail.local; settings in jail.local override the original settings in jail.conf.

Command: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the file jail.local:

Command: sudo nano /etc/fail2ban/jail.local

Enter your desired configuration, for example:

[sshd]
enabled = true
# port must match the Port set in sshd_config; change it to 2225 if you moved SSH as in step 9
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5

This configuration will ban an IP address that fails 5 times to log in to your VPS via SSH on port 22.

Save and close the file:

Command: Ctrl + X then "y"

Restart fail2ban to activate the settings:

Command: sudo systemctl restart fail2ban
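As an added example (not code from the original post), a POSIX shell pre-flight check for steps 9 and 10: it validates the /etc/yubikey_mappings format, compares the sshd_config directives listed above with what the guide requires, and checks that the fail2ban [sshd] jail bans the port sshd actually listens on. File paths are passed as arguments, the jail check assumes the "port = N" spacing shown above, and the sample files with placeholder YubiKey ids are constructed inline.

```shell
#!/bin/sh
# Added pre-flight check (not code from the original post) for the step 9 files and
# the step 10 jail: run it before restarting sshd so a typo cannot lock you out.

# Each mapping line is <user>:<id>[:<id>...]; an id is the 12-character public
# prefix of a YubiKey OTP, written in modhex (only the letters cbdefghijklnrtuv).
check_mappings() {
  status=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    user="${line%%:*}"; ids="${line#*:}"
    [ -n "$user" ] && [ -n "$ids" ] && [ "$user" != "$line" ] \
      || { echo "bad mapping line: $line"; status=1; continue; }
    for id in $(printf '%s' "$ids" | tr ':' ' '); do
      printf '%s\n' "$id" | grep -Eq '^[cbdefghijklnrtuv]{12}$' \
        || { echo "user $user: invalid YubiKey id '$id'"; status=1; }
    done
  done < "$1"
  return $status
}

# Arguments after the file are "Keyword value" pairs; sshd honours the first
# uncommented occurrence of a keyword, so only that one is compared.
check_sshd_config() {
  file="$1"; shift; status=0
  for want in "$@"; do
    key="${want%% *}"; val="${want#* }"
    got=$(grep -Ei "^[[:space:]]*$key[[:space:]]+" "$file" | head -n1 | awk '{print $2}')
    [ "$got" = "$val" ] || { echo "$key: want '$val', found '${got:-<unset>}'"; status=1; }
  done
  return $status
}

# The [sshd] jail must ban the port sshd listens on (22 when Port is unset);
# assumes the "port = N" spacing used in the jail.local example above.
check_jail_port() {
  sshd_port=$(awk 'tolower($1)=="port"{print $2; exit}' "$1")
  jail_port=$(awk '/^\[sshd\]/{s=1;next} /^\[/{s=0} s&&$1=="port"{print $3;exit}' "$2")
  [ "${sshd_port:-22}" = "$jail_port" ]
}
# Constructed sample files with placeholder ids: not real keys or a real server.
tmp=$(mktemp -d)
printf 'alice:ccccccbcgujh:cccccccfhcje\nbob:ccccccbcgujh\n' > "$tmp/yubikey_mappings"
printf 'Port 2225\nPermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\nAuthenticationMethods publickey,keyboard-interactive:pam\n' > "$tmp/sshd_config"
printf '[sshd]\nenabled = true\nport = 2225\nfilter = sshd\nmaxretry = 5\n' > "$tmp/jail.local"
check_mappings "$tmp/yubikey_mappings" && echo "mappings: ok"
check_sshd_config "$tmp/sshd_config" "PasswordAuthentication no" "PermitRootLogin no" \
  "AuthenticationMethods publickey,keyboard-interactive:pam" && echo "sshd_config: ok"
check_jail_port "$tmp/sshd_config" "$tmp/jail.local" && echo "fail2ban port: ok"
```

Point the three functions at /etc/yubikey_mappings, /etc/ssh/sshd_config and /etc/fail2ban/jail.local to check a real server; a non-zero exit and the printed reason tell you what to fix before restarting sshd.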

11. Configure the system firewall with iptables

More about it can be found here:

https://www.tecmint.com/linux-iptables-firewall-rules-examples-commands/

12. Monitor and manage your system and processes using htop

Install htop:

Command: sudo apt-get install htop

Run htop:

Command: htop

Social handles & Contact

Twitter: https://twitter.com/ChainodeCapital

Telegram: https://t.me/ChainodeCapitalChat

E-mail: chainode.capital@gmail.com