Security recommendations for running a node in OKP4

Cumulo
Cumulo.pro
Dec 30, 2022

This article explains how to run an OKP4 validator node with a basic security setup.

These tools apply to Linux, specifically the Ubuntu Server distribution.

Create a non-root user with sudo privileges

Log in to your server using a non-root account to avoid accidentally deleting files or making other errors that could compromise the system.

To do this, log in over SSH as root and perform the following steps:

For this example we will use a new user called druid.

sudo useradd -m -s /bin/bash druid

Assign a password to your new user.

sudo passwd druid

Add the user druid to the sudo group.

sudo usermod -aG sudo druid

Update the list of packages in repositories

The repositories are the sources from which Linux installs its software packages, which gives you a safe and reliable place to download software from. It is VERY IMPORTANT to keep the system updated with the latest security patches to avoid malicious attacks. To update the repository lists and the installed packages, use the following commands.

To update the software repository lists.

sudo apt update

To download and install any available package upgrades.

sudo apt-get upgrade

Changing the default listening port of the SSH service

SSH is a service that allows you to remotely control your server and access other computers, transmitting data over an encrypted channel. The default port used by SSH is port 22, and it is frequently targeted by denial of service attacks. To avoid this, you will need to change this port.

First we need to switch to root to have the necessary privileges.

sudo -i

In the SSH server configuration file (/etc/ssh/sshd_config on Ubuntu), change the 22 in the Port line to the port of your choice (in our case 4915) and delete the comment character #.

Port 4915

Press the ESC key, then use the following command to save and exit the editor.

:wq!

DONE!

Then restart the SSH service.

/etc/init.d/ssh restart

Activate the Firewall of the server

It is advisable to activate the Firewall of the server. This service is available in the control panel of your hosting provider.

VERY IMPORTANT: if you do not open in the firewall the same port that you have configured for SSH and use in PuTTY (in our example 4915), you will not be able to access your remote server through this application.

Firewall configuration in the case of OKP4 node (SSH port: 49155, node port: 26657).

Activate the Ubuntu UFW Firewall

UFW is one of the most popular Linux Firewalls. To install and configure it follow the steps below:

Install UFW Firewall

sudo apt install ufw

Check the status of the Firewall.

sudo ufw status

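Allow the SSH service. The OpenSSH profile covers the default port 22 only.

sudo ufw allow "OpenSSH"

Enable the ports we need: the node port and, if you changed the SSH port as described above, that port too (4915 in our example), allowed in the same way.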

sudo ufw allow 26657

List the application profiles known to the Firewall.

sudo ufw app list

Check that OpenSSH is displayed.

Activate the Firewall.

sudo ufw enable

Result after activation of the Firewall.
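
The lockout warning above applies to UFW too: the OpenSSH profile opens port 22 only, so a custom SSH port needs its own rule before sudo ufw enable is run. The check below is an added example, not part of the original article; the function names and sample input are constructed, and it assumes simple rules in the format printed by ufw show added.

```shell
#!/bin/sh
# Added example: check that UFW will not block the SSH port before enabling it.
# Only simple "ufw allow <port>" rules (as printed by `ufw show added`) are
# understood; function names and sample data are constructed for illustration.

# Print the port(s) sshd listens on, given sshd_config text on stdin.
# Commented lines are skipped; without a Port directive sshd uses 22.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }'
}

# Succeed if the rule listing on stdin allows TCP port $1.
# The "OpenSSH" application profile opens port 22 only.
ufw_allows() {
    awk -v p="$1" '
        $1 == "ufw" && $2 == "allow" {
            if ($3 == p || $3 == (p "/tcp")) ok = 1
            if ($3 == "OpenSSH" && p == 22) ok = 1
        }
        END { exit !ok }'
}

# Print every sshd port the rules would block.
# $1 = sshd_config text, $2 = rule listing.
blocked_ssh_ports() {
    printf '%s\n' "$1" | sshd_ports | while read -r port; do
        printf '%s\n' "$2" | ufw_allows "$port" || echo "$port"
    done
}

# Constructed sample input that mirrors the article's steps.
SAMPLE_SSHD='#Port 22
Port 4915
X11Forwarding yes'
SAMPLE_UFW="Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH
ufw allow 26657"

blocked_ssh_ports "$SAMPLE_SSHD" "$SAMPLE_UFW"

# On a real server (run as root):
# blocked_ssh_ports "$(cat /etc/ssh/sshd_config)" "$(ufw show added)"
```

Any port it prints is an SSH port that would become unreachable once the Firewall is active; empty output means the SSH port is covered by a rule.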

Install fail2ban

Fail2ban is an intrusion prevention application, used here to protect SSH access. It works by temporarily banning IP addresses that repeatedly try to enter the system without authorisation. It is recommended to use this program to protect against denial of service attacks and server hacking.

sudo apt install fail2ban

Start the service.

sudo systemctl start fail2ban

Enable the service so that it starts at boot.

sudo systemctl enable fail2ban

Restart the service.

sudo systemctl restart fail2ban

View the fail2ban logs.

sudo less /var/log/fail2ban.log
