How to configure your server for a secure Waves node

It’s really easy to install and run a Waves fullnode:

Your node is now part of the Waves decentralized network and is ready to process a few different kinds of transactions, receive leased Waves and eventually mine a block that gets you a reward.

If your server is not secured against external threats, your funds are at risk! In this article I’ll show you a basic but effective configuration that blocks the most common attack vectors.

Contents:

  • Create a user
  • Create private and public keys and configure SSH
  • Configure firewall
  • Keep your server updated

Intro

You have an Ubuntu 16.04 VPS with an IP address and a root password. 
You are going to install the Waves node and sync the blockchain, but before you do that you should secure your server!

We start by creating a new user so that we can later disable the too-powerful root account. Then we create SSH keys to access the server, disable password logins and set up a firewall that keeps open only the ports we really need.

Open a terminal and log in to your server over SSH with the root account, assuming 100.20.30.40 is the IP of your VPS:

ssh root@100.20.30.40

Create a user

Logged in as root you can create a new user, let’s call it fullnode:

adduser fullnode

Now type a new password for the user twice; make it complex and hard to guess. When asked about Full name, phone etc. just press Enter; you don’t need to fill in all the fields.

You need to add the user to the sudo group:

usermod -aG sudo fullnode

The new user is now a privileged user. You can now end the session as root:

exit

and log in as the fullnode user with the password you typed when creating it:

ssh fullnode@100.20.30.40

Create private and public keys and configure SSH

A password-protected login is not really safe, and most probably the root password was sent to you in clear text via email. An attacker who gets into your email account can own your node too; one who doesn’t can still brute-force the login on your server by trying password combinations.

That’s why we will create SSH keys as a stronger login method, associate them with the new user, disable password logins and disable the root account.

You create the SSH keys (a private and a public one) on your computer and then upload the public key to the VPS.

Open a terminal on your computer and move into the SSH folder (it’s the same on Linux and macOS):

cd ~/.ssh

Create the keys with the command:

ssh-keygen -t rsa -b 4096

You will get an output similar to this:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/myuser/.ssh/id_rsa):

Name your keys fullnode; do not accept the default name. Choose a long and complex passphrase and type it twice. Your keys are now ready to be used, and you can copy the public one into the authorized_keys file on the VPS with this one-liner:

cat fullnode.pub | ssh fullnode@100.20.30.40 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

We can now configure SSH on the server to start using the keys as the login method. Log in one last time with the password:

ssh fullnode@100.20.30.40

and edit the SSH config file:

sudo nano /etc/ssh/sshd_config

Remove the comment (the # character) from the following line:

AuthorizedKeysFile %h/.ssh/authorized_keys

and change yes to no on the line:

PasswordAuthentication no

Additionally, we can change the default SSH port to cut down on hits from automatic port scans and malicious automated bots. Change the number 22 on the Port line to another number, preferably less than 1024:

Port 1020

Remember to allow the custom SSH port on the firewall otherwise you will be locked out of your server!

Save (CTRL+O and Enter) and close the file (CTRL+X). Restart the SSH service and exit the session.

sudo service ssh restart
exit

We can now test whether login with the SSH key works, and if it does we can disable root login. From now on you will use this command to log in to your server.

If you are on Linux:

ssh -i /home/myuser/.ssh/fullnode -p 1020 fullnode@100.20.30.40

If you are on macOS change the path to:

ssh -i /Users/myuser/.ssh/fullnode -p 1020 fullnode@100.20.30.40

Enter the passphrase and you should be logged in. Once logged in, we can disable root login and the root account. Let’s edit the SSH config file again:

sudo nano /etc/ssh/sshd_config

and set the following lines to no:

PermitRootLogin no
X11Forwarding no

Save and close the file, restart SSH service:

sudo service ssh restart

You can no longer log in as root. 
To disable the root account on the server, type the command:

sudo passwd -dl root
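
Before restarting SSH it helps to confirm that the file really says what you intended, because a duplicated keyword can silently leave password logins enabled. The following is an added example, not part of the original tutorial: a shell audit of the settings changed above, where the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit an sshd_config for its settings.

# Print the effective global value of one keyword. sshd keeps the FIRST value
# it reads for a keyword, keywords are case-insensitive, and lines after a
# "Match" line are conditional, so the scan stops there.
sshd_value() {  # usage: sshd_value <config-file> <Keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == want { print $2; exit }   # first occurrence wins
    ' "$1"
}

# Compare each setting with the value the tutorial sets. An absent keyword is
# reported as a failure too, because the built-in default then applies.
audit_sshd() {  # usage: audit_sshd <config-file> <expected-port>
    rc=0
    for pair in "PasswordAuthentication=no" "PermitRootLogin=no" \
                "X11Forwarding=no" "Port=$2"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$(printf %s "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the first PasswordAuthentication line wins, so the "no"
# appended further down has no effect and password logins stay enabled.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Port 1020
PasswordAuthentication yes
PermitRootLogin no
#X11Forwarding yes
X11Forwarding no
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
EOF
audit_sshd "$demo" 1020 || echo "do not restart sshd until every line reads ok"
```

On the server, call it as audit_sshd /etc/ssh/sshd_config 1020, and check the file's syntax with sudo sshd -t before restarting the service.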

Configure firewall

The last step is to install a firewall and keep open only the ports that the Waves full node needs to operate. Let’s install UFW, a front-end for iptables:

sudo apt-get update
sudo apt-get install ufw

The full node needs 3 ports open: the custom SSH port for our login, 6868 for P2P and the http (80) port for system updates. We instruct the firewall with these commands:

sudo ufw allow 1020
sudo ufw allow 6868
sudo ufw allow http

To enable the firewall use:

sudo ufw enable

That’s all you need to set up the firewall.

There’s one more package to install to protect the SSH and HTTP ports from an excessive number of requests, such as brute-force attacks. Install fail2ban with:
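
Enabling the firewall without a rule for the custom SSH port cuts off your own session, so it is worth checking the staged rules first. This is an added example, not part of the original tutorial: it reads rules in the format printed by sudo ufw show added; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): check staged ufw rules before enabling.

# List the port of every "ufw allow" rule, one per line, with any /tcp or /udp
# suffix removed. The service name used in the tutorial (http) is mapped to 80.
allowed_ports() {  # reads `ufw show added` output on stdin
    awk '$1 == "ufw" && $2 == "allow" {
             p = $3; sub(/\/(tcp|udp)$/, "", p)
             if (p == "http") p = "80"
             print p
         }' | sort -u
}

# Fail if the SSH port is missing (enabling the firewall would lock you out)
# and report any port that is open beyond the expected list.
ufw_preflight() {  # usage: ufw_preflight <ssh-port> "<expected ports>" < rules
    ssh_port=$1; expected=" $2 "; rc=1
    for p in $(allowed_ports); do
        [ "$p" = "$ssh_port" ] && rc=0
        case "$expected" in
            *" $p "*) echo "ok     $p" ;;
            *)        echo "EXTRA  $p is allowed but not expected" ;;
        esac
    done
    [ $rc -eq 0 ] || echo "FAIL   SSH port $ssh_port is not allowed"
    return $rc
}

# Constructed sample: the default SSH port was allowed out of habit and the
# custom port 1020 was forgotten.
sample_rules() {
cat <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 6868
ufw allow 80/tcp
EOF
}
sample_rules | ufw_preflight 1020 "1020 6868 80" || echo "add the SSH rule before 'ufw enable'"
```

On the server, feed it the real rules with sudo ufw show added | ufw_preflight 1020 "1020 6868 80".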

sudo apt-get install fail2ban

We need to edit the fail2ban config file since we changed the default SSH port. Open the file:

sudo nano /etc/fail2ban/jail.local

and change the line for SSH:

port = ssh

to your custom SSH port, in our example 1020:

port = 1020

Save and close the file, and don’t forget to restart fail2ban:

sudo service fail2ban restart

Keep your server updated

A server with up to date software is more resistant against known bugs and common hacking techniques. You can manually update your server with:

sudo apt-get update
sudo apt-get upgrade

It’s better to handle security updates automatically, and the unattended-upgrades package does that for you. Install it with:

sudo apt-get install unattended-upgrades

and configure it with the command:

sudo dpkg-reconfigure unattended-upgrades

Select Yes and Ok on the next two questions to finish configuration.

Conclusion

A server connected to the Internet may be targeted by hackers, bots and automated scripts as soon as it is online. With this tutorial you can effectively reduce the risk of password brute-forcing and of attacks on open ports.

You need to keep your password and passphrase secret and never share your SSH private key online. Use a set of SSH keys for one node only, and create a new set with a different passphrase for every new node.

WDTMC Node

Was the tutorial useful for you?
If you want to donate or lease Waves to my node use the address:

3P8bVfmENR7bPhqbPCzjyzrGodrTMNfqVZX

or use the wdtmc alias.