Security recommendations for running a node in OKP4
This article explains how to run an OKP4 validator node with a basic level of security hardening.
Create a non-root user with sudo privileges
Log in to your server using a non-root account to avoid accidentally deleting files or making other errors that could compromise the system.
To do this, log in via SSH as root and perform the following steps:
For this example we will use a new user called druid.
sudo useradd -m -s /bin/bash druid
Assign a password to your new user.
sudo passwd druid
Add the user druid to the sudo group.
sudo usermod -aG sudo druid
Update the list of packages in repositories
Repositories are the package sources from which Linux installs and updates its software. It is VERY IMPORTANT to keep the system updated with the latest security patches, since unpatched software is what most automated attacks exploit. This way you will have a safe and reliable place to download software from. To update the repository list use the following commands.
To update the software repository lists.
sudo apt update
To download and install any available package upgrades.
sudo apt-get upgrade
Changing the default listening port of the SSH service
SSH is the service that allows you to remotely control your server and access other computers, transmitting data over an encrypted channel. The default port used by SSH is port 22, and it is constantly targeted by automated password-guessing and denial of service attempts. To reduce this exposure, you will change this port.
First we need to change to root to have the necessary privileges.
sudo -i
Open the SSH server configuration file, /etc/ssh/sshd_config, with vi and change the 22 on the Port line to the port of your choice (in our case 4915), deleting the comment character # so that the line is active.
Port 4915
Press the ESC key, then type the following command to save and exit.
:wq!
DONE!
Then restart the SSH service so that it listens on the new port.
/etc/init.d/ssh restart
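The port change above is done by hand in vi. As an added example (not from the original article, and not part of the OKP4 tooling), the following POSIX shell functions make the same edit on a given sshd_config file in a way that can be checked before the service is restarted. The function names, the path and port parameters, and the scratch-copy workflow are assumptions of this example; on a real server the file is /etc/ssh/sshd_config and the port is 4915 as in the article.

```shell
# Added example, not part of the original article: change the sshd listening
# port in a given sshd_config file and read it back. Path and port are
# parameters so the functions can be tried on a scratch copy first.

# Print the first active "Port" directive of CONFIG; sshd's built-in default
# is 22 when none is set, so that is what we report in that case.
get_sshd_port() {
    cfg="$1"
    port=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" | head -n 1 | awk '{print $2}')
    if [ -n "$port" ]; then echo "$port"; else echo 22; fi
}

# Rewrite CONFIG so that it has exactly one active "Port PORT" line.
# Refuses (exit status 1, file untouched) unless PORT is an integer in
# 1024-65535: this keeps the well-known ports free and rejects typos
# such as "49l5" that would otherwise lock you out after the restart.
set_sshd_port() {
    cfg="$1"
    port="$2"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        return 1
    fi
    tmp="$cfg.tmp.$$"
    # Drop every existing Port line, commented out or active, and put the
    # new directive first so it is the one sshd reads.
    {
        echo "Port $port"
        grep -vE '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" || true
    } > "$tmp" && mv "$tmp" "$cfg"
}

# Guarded restart for the real server: only restart sshd when the edited
# file parses. "sshd -t" is OpenSSH's configuration test mode. This
# function is not exercised by the offline checks.
apply_sshd_port() {
    cfg="$1"
    port="$2"
    set_sshd_port "$cfg" "$port" || { echo "invalid port: $port" >&2; return 1; }
    if sshd -t -f "$cfg"; then
        /etc/init.d/ssh restart
    else
        echo "sshd rejected $cfg; not restarting" >&2
        return 1
    fi
}
```

Try it on a copy first (`cp /etc/ssh/sshd_config /tmp/sshd_config && set_sshd_port /tmp/sshd_config 4915 && get_sshd_port /tmp/sshd_config`), and keep your current SSH session open until you have confirmed a second login on the new port works.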
Activate the Firewall of the server
It is advisable to activate the server's firewall; your hosting provider offers this service in the control panel of the contracted plan.
VERY IMPORTANT: bear in mind that if you do not open in the firewall the same port that you configured for SSH and PuTTY (in our example 4915), you will not be able to access your remote server through this application.
Activate the Ubuntu UFW Firewall
UFW is one of the most popular Linux firewalls. To install and configure it, follow the steps below:
Install UFW Firewall
sudo apt install ufw
Check the status of the Firewall.
sudo ufw status
Allow the SSH service. Note that the OpenSSH application profile only opens the default port 22; if you moved SSH to another port in the previous section (4915 in our example), you must also allow that port, otherwise you will lock yourself out once the firewall is enabled.
sudo ufw allow "OpenSSH"
Allow the ports the node needs (26657 in this example).
sudo ufw allow 26657
List the application profiles available to the firewall.
sudo ufw app list
Check that OpenSSH is displayed.
Activate the Firewall.
sudo ufw enable
Result after activation of the Firewall.
Install fail2ban
Fail2ban is an intrusion prevention application for SSH access. It watches the authentication log and temporarily blocks IP addresses that repeatedly fail to log in. It is recommended to use this program to protect against password-guessing, denial of service attempts and server hacking.
sudo apt install fail2ban
Start the service.
sudo systemctl start fail2ban
Enable the service so that it starts at boot.
sudo systemctl enable fail2ban
Restart the service.
sudo systemctl restart fail2ban
See fail2ban logs.
sudo less /var/log/fail2ban.log
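Reading the log with less is fine for a quick look, but the questions a node operator actually asks are "which addresses keep coming back?" and "who is banned right now?". The following POSIX shell functions, added here as an example and not taken from the article or from fail2ban itself, answer both over fail2ban's standard Ban/Unban log lines, and also produce a jail.local fragment for the sshd jail when SSH has been moved to a non-default port (the stock jail uses port = ssh, i.e. 22, so bans would otherwise not cover the port that is really exposed). The sample log lines are constructed for this example, using documentation address ranges; the function names and the jail thresholds are assumptions.

```shell
# Added example, not part of the original article: summarise a fail2ban log
# and emit a jail.local fragment for a non-default SSH port.

# Constructed sample of /var/log/fail2ban.log lines in fail2ban's own
# format (the addresses are documentation ranges, not real hosts).
sample_fail2ban_log() {
    cat <<'EOF'
2024-05-01 10:00:01,123 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2024-05-01 10:00:01
2024-05-01 10:00:04,456 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 10:05:10,789 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
2024-05-01 10:20:04,001 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2024-05-01 10:35:10,002 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 198.51.100.7
2024-05-01 11:00:00,222 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
EOF
}

# Print "IP count" for every address banned in LOG, most-banned first.
# Repeat offenders are the candidates for a permanent deny rule.
count_bans() {
    log="$1"
    awk '/ Ban [0-9a-fA-F.:]+$/ { n[$NF]++ }
         END { for (ip in n) print ip, n[ip] }' "$log" | sort -k2,2nr -k1,1
}

# Replay the Ban/Unban events and print the addresses still banned at the
# end of LOG, one per line, sorted. " Ban " does not match "Unban" lines
# because of the leading space and capital B.
currently_banned() {
    log="$1"
    awk '/ Ban [0-9a-fA-F.:]+$/   { b[$NF] = 1 }
         / Unban [0-9a-fA-F.:]+$/ { delete b[$NF] }
         END { for (ip in b) print ip }' "$log" | sort
}

# jail.local fragment for the sshd jail. Setting port = PORT makes the ban
# action block the port SSH actually listens on; the retry and time limits
# are example values, not fail2ban defaults.
sshd_jail_local() {
    port="$1"
    printf '[sshd]\nenabled = true\nport = %s\nmaxretry = 5\nfindtime = 10m\nbantime = 1h\n' "$port"
}
```

On the server, run `count_bans /var/log/fail2ban.log` and `currently_banned /var/log/fail2ban.log` (as root, since the log is not world-readable), and write the fragment with `sshd_jail_local 4915 > /etc/fail2ban/jail.local` followed by the restart shown above. Editing jail.local rather than jail.conf keeps your settings across package upgrades.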