Last Updated: January 17, 2022
This is Part 2 of a step-by-step guide to setting up the ChainSafe Lodestar consensus client on the Ethereum Beacon Chain.
This guide is separated into a series of parts, grouped by related steps to set up a full Lodestar consensus beacon node and validator client from start to finish. The topics are separated as follows:
This section of the guide will help you set up and secure your local Ubuntu staking computer.
Using an SSH client, connect to your Ubuntu server through Port 22 (the default). If you are logged in as root, create a user-level account with admin privileges instead, since logging in as the root user is risky.
NOTE: If you are not logged in as root, skip Create New User and go to the next step: Update the Server.
Create a new user. Replace <yourusername> with a username of your choice. You will be asked to create a strong password and provide some other optional information.
Grant admin rights to the new user by adding it to the sudo group. This will allow the user to perform actions with superuser privileges by typing sudo before commands.
Optional: If you used SSH keys to connect to your Ubuntu instance via the root user, you will need to associate the new user with the root user's SSH key data.
Finally, log out of root and log in as <yourusername>.
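The steps above as one script, added here as an example and not part of the original guide. It assumes Ubuntu's adduser and usermod, runs as root on the server, and keeps the guide's <yourusername> placeholder; the username check mirrors the NAME_REGEX that Debian's adduser enforces.

```shell
#!/usr/bin/env bash
# Added example (not from the Lodestar guide): create the admin user described
# in the steps above. Assumes Ubuntu's adduser/usermod and runs as root on the
# server; "<yourusername>" is the placeholder the guide uses.
set -eu

# Debian's adduser rejects names that do not match its NAME_REGEX
# (^[a-z][-a-z0-9_]*$ by default), so check the chosen name up front.
# LC_ALL=C keeps the [a-z] range ASCII-only regardless of the locale.
validate_username() {
  printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z][-a-z0-9_]*$' && [ "${#1}" -le 32 ]
}

# Create the user, add it to the sudo group and, if root logged in with a key,
# copy root's authorized_keys so the new account can log in the same way.
create_admin_user() {
  local user="$1"
  validate_username "$user" || { echo "invalid username: $user" >&2; return 1; }
  adduser --gecos "" "$user"       # prompts for the password
  usermod -aG sudo "$user"
  if [ -s /root/.ssh/authorized_keys ]; then
    install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
    install -m 600 -o "$user" -g "$user" /root/.ssh/authorized_keys \
      "/home/$user/.ssh/authorized_keys"
  fi
  # Confirm sudo membership before logging out of root.
  id -nG "$user" | tr ' ' '\n' | grep -qx sudo
}

# Usage (as root): create_admin_user "<yourusername>"
```

The final `id -nG` check is the part worth keeping: verify the new account really is in the sudo group while you still have a root session, since after logging out of root that session is your only way back in if sudo was not granted.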
Make sure the system is up to date with the latest software and security updates.
Security is important. This is not a comprehensive security guide, just some basic settings and options depending on your level of security tolerance and technical competencies.
OPTIONAL: This section is recommended for advanced users who know how to utilize RSA keypairs to securely log in to remote servers. Otherwise, skip this section and continue to the section: Modify the Default SSH Port.
Create a new SSH key pair on your local machine. Run this on your local machine. You will be asked to type a file name in which to save the key. This will be your keyname.
Generate the RSA key pair for your server.
Press Enter to save the key as id_rsa.pub. Enter a passphrase if you wish.
Transfer the keys to your remote server at $HOME/.ssh if you generated the key from another device.
NOTE: For the command below, replace <User> with your login username and <serverIP> with your server's IP address.
If you are told the ECDSA authenticity of the host cannot be established, type yes to continue connecting. Then type in your login password.
Login with your SSH key.
Once confirmed that it works, you can log out. Ensure you copy the necessary private key (id_rsa) to other devices you wish to log in from.
Disable root login and password-based login. Edit the /etc/ssh/sshd_config file.
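The key generation, transfer and test login described above, as an added example that is not part of the original guide. It runs on your local machine; <User>, <serverIP> and the key file name are placeholders, and the test login deliberately refuses to fall back to a password so you know the key itself works before password login is disabled in the next step.

```shell
#!/usr/bin/env bash
# Added example (not from the Lodestar guide): generate the SSH key pair on the
# local machine, copy the public key to the server and test the key login.
# <User>, <serverIP> and the key file name are placeholders you replace.
set -eu

# Create the key pair at KEYFILE (this is the "keyname" from the step above).
# PASSPHRASE may be empty; set one to keep the private key unusable if copied.
generate_keypair() {
  local keyfile="$1" passphrase="${2:-}"
  mkdir -p "$(dirname "$keyfile")"
  chmod 700 "$(dirname "$keyfile")"
  ssh-keygen -q -t rsa -b 4096 -f "$keyfile" -N "$passphrase"
  chmod 600 "$keyfile"                   # ssh refuses private keys others can read
  [ -f "$keyfile" ] && [ -f "$keyfile.pub" ]
}

# Install the public key into $HOME/.ssh/authorized_keys on the server using
# the password login that still works at this point.
install_pubkey() {
  local keyfile="$1" user="$2" server="$3" port="${4:-22}"
  ssh-copy-id -i "$keyfile.pub" -p "$port" "$user@$server"
}

# Prove the key works before password login is disabled in the next step:
# PasswordAuthentication=no makes ssh fail rather than fall back to a password.
verify_key_login() {
  local keyfile="$1" user="$2" server="$3" port="${4:-22}"
  ssh -i "$keyfile" -p "$port" -o PasswordAuthentication=no \
      -o IdentitiesOnly=yes "$user@$server" 'echo "key login ok on $(hostname)"'
}

# Usage on your local machine:
#   generate_keypair "$HOME/.ssh/lodestar_key"
#   install_pubkey   "$HOME/.ssh/lodestar_key" "<User>" "<serverIP>"
#   verify_key_login "$HOME/.ssh/lodestar_key" "<User>" "<serverIP>"
```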
Locate ChallengeResponseAuthentication and update it to no.
Locate PasswordAuthentication and update it to no.
Locate PermitRootLogin and update it to prohibit-password.
Locate PermitEmptyPasswords and update it to no.
Validate the syntax of your new SSH configuration.
If the syntax validation reports no errors, restart the SSH process.
Verify the login still works.
Optional: To simplify the ssh command needed to log in to your server, consider updating your local $HOME/.ssh/config file:
This will allow you to log in with ssh lodestar-server rather than needing to pass all ssh parameters explicitly.
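The Host block the step above refers to, written by a small script. This is an added example, not the guide's own file: the alias lodestar-server comes from the guide, while the address, user, port and key path are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the Lodestar guide): add a Host alias to the local
# ~/.ssh/config so "ssh lodestar-server" carries the address, user, port and
# key. The alias name matches the guide; the other values are placeholders.
set -eu

# Append a Host block to CFG unless ALIAS is already defined there.
write_ssh_client_config() {
  local cfg="$1" alias="$2" host="$3" user="$4" port="$5" key="$6"
  mkdir -p "$(dirname "$cfg")"
  touch "$cfg"
  chmod 600 "$cfg"              # ssh rejects a config file that others can write
  if grep -Eq "^Host[[:space:]]+${alias}[[:space:]]*$" "$cfg"; then
    echo "alias $alias already present in $cfg" >&2
    return 0
  fi
  cat >>"$cfg" <<EOF

Host $alias
    HostName $host
    User $user
    Port $port
    IdentityFile $key
    IdentitiesOnly yes
EOF
}

# Usage: write_ssh_client_config "$HOME/.ssh/config" lodestar-server <serverIP> <User> <YourSSHPortNumber> ~/.ssh/lodestar_key
```

IdentitiesOnly yes is worth keeping even though the guide does not mention it: without it ssh offers every key loaded in your agent, and each rejected key counts as a failed attempt on the server, which is exactly what Fail2ban (installed later in this guide) bans on.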
Proceed to Modify the Default SSH Port.
Port 22 is the default SSH port and a common attack vector. Change the SSH port to avoid this.
Choose a port number between 1024 and 49151, then run the following command, replacing <YourSSHPortNumber> with the selected port number, to check that it is not already in use:
A blank response indicates the port is not in use; a red text response indicates it is in use, so try a different port. E.g. sudo ss -tulpn | grep ':6673'
If confirmed available, modify the default port by updating SSH config.
Find or add (if not present) the line Port 22 in the file. Remove the # (if present) and change the value as below.
Check the screenshot below for reference, which uses Port 123 as an example. Press CTRL+x, then y, then Enter to save and exit.
Restart the SSH service to reflect the above changes.
Log out and log back in via SSH using <YourSSHPortNumber> for the port.
NOTE: If you plan to use a password login for your server, it is recommended that you also set up 2-Factor Authentication, or skip to the section: Disable SSH password Authentication and Use SSH keys only.
OPTIONAL: If you would like added security on top of your password, you can set up Google Authenticator to further protect your server from unauthorized access. Otherwise, skip this section and continue to Install Fail2ban.
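Both sshd_config edits in this guide, the four hardening settings from the Disable SSH password Authentication section and the port change above, come down to "set this keyword to this value, whether the line is commented out, active or missing". The script below is an added example, not the guide's own code, that does exactly that and then shows the validate-and-restart sequence; the port 2222 and the backup path are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the Lodestar guide): edit sshd_config for both the
# "disable password login" settings and the custom port, then validate before
# restarting. The port and the file path are placeholders to replace.
set -eu

# Set KEY to VALUE in an sshd_config file. Handles a commented-out line
# ("#PasswordAuthentication yes"), an active line, and a missing key. A missing
# key is inserted before the first Match block, because anything appended after
# "Match" would apply only inside it. Keywords are case-insensitive in sshd.
set_sshd_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
    sed -E -i "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|I" "$file"
  elif grep -Eq '^[[:space:]]*[Mm]atch([[:space:]]|$)' "$file"; then
    sed -E -i "0,/^[[:space:]]*[Mm]atch([[:space:]]|$)/s//${key} ${value}\n&/" "$file"
  else
    printf '%s %s\n' "$key" "$value" >>"$file"
  fi
}

# True when something already listens on PORT (needs ss from iproute2).
port_in_use() {
  ss -tulpn 2>/dev/null | grep -Eq "[:.]$1[[:space:]]"
}

# Apply the four hardening settings from the guide plus the new port.
harden_sshd() {
  local file="$1" port="$2"
  set_sshd_option "$file" ChallengeResponseAuthentication no
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" PermitRootLogin prohibit-password
  set_sshd_option "$file" PermitEmptyPasswords no
  set_sshd_option "$file" Port "$port"
}

# Usage on the server (as root), keeping the current session open until a new
# login on the new port succeeds:
#   port_in_use 2222 && echo "pick another port"
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd /etc/ssh/sshd_config 2222
#   sshd -t && systemctl restart sshd
#   sshd -T | grep -Ei '^(port|passwordauthentication|permitrootlogin) '
# The last line prints the values sshd actually uses: a drop-in file under
# /etc/ssh/sshd_config.d/ (Ubuntu 20.04 includes that directory) is read
# first and would win over the edited file.
```

The `sshd -T` check at the end is the one to remember: `sshd -t` only proves the file parses, while `sshd -T` prints the effective configuration after all includes, so it is the only way to confirm that PasswordAuthentication really ended up as no.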
Install the package required for Google Authenticator.
To make SSH use the Google Authenticator PAM module, you will need to edit the file located at /etc/pam.d/sshd:
In the configuration file, add the following line at the bottom of the file:
Check the screenshot below for reference. Press CTRL+x, then y, then Enter to save and exit.
Now we will restart the sshd daemon with the following command:
We must now modify the sshd configuration file located at /etc/ssh/sshd_config:
We will locate the following parameters and update them to yes. Check the screenshot below for reference.
Press CTRL+x, then y, then Enter to save and exit.
We will now set up Google Authenticator with the following command:
You will be asked a series of questions, and the recommended settings are:
Use the screenshots below as an example reference:
WARNING: The giant QR code that appeared is a representation of the secret key used by your Google Authenticator application. This key is required to generate the 6-digit codes you use to verify your 2FA and log in to your server. It is VERY IMPORTANT to write down your emergency scratch codes and KEEP THEM SAFE in case you lose access to your phone.
Now open Google Authenticator on your phone and add your secret key to make sure you have access to your server after inputting your password.
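The PAM and sshd edits from this section as an idempotent script, added here as an example rather than taken from the guide. It assumes the PAM line the guide adds is `auth required pam_google_authenticator.so` (the guide's exact line is not reproduced on this page) and uses the /etc/pam.d/sshd and /etc/ssh/sshd_config paths named above; the package install and the interactive google-authenticator run are listed as commands to type, not executed.

```shell
#!/usr/bin/env bash
# Added example (not from the Lodestar guide): the Google Authenticator PAM
# setup from the steps above. Assumes Ubuntu with libpam-google-authenticator;
# /etc/pam.d/sshd and /etc/ssh/sshd_config are the paths the guide names, and
# the PAM line below is an assumption about the guide's stripped line.
set -eu

# Append LINE to FILE unless an identical line is already there, so re-running
# the setup does not stack duplicate PAM entries.
ensure_line() {
  local file="$1" line="$2"
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >>"$file"
}

# Edit the PAM stack and sshd so SSH asks for the 6-digit code after the password.
enable_ssh_2fa() {
  local pam="${1:-/etc/pam.d/sshd}" sshd_cfg="${2:-/etc/ssh/sshd_config}"
  ensure_line "$pam" "auth required pam_google_authenticator.so"
  # sshd must be allowed to run a keyboard-interactive (PAM) prompt; this
  # flips a commented or active line, and appends the keyword if absent.
  sed -E -i 's/^[[:space:]]*#?[[:space:]]*ChallengeResponseAuthentication([[:space:]].*)?$/ChallengeResponseAuthentication yes/I' "$sshd_cfg"
  grep -qx 'ChallengeResponseAuthentication yes' "$sshd_cfg" \
    || ensure_line "$sshd_cfg" 'ChallengeResponseAuthentication yes'
}

# Commands to run by hand, in this order (not executed here):
#   sudo apt install libpam-google-authenticator
#   sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
#   sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   enable_ssh_2fa                # as root
#   google-authenticator          # as <yourusername>; answer the questions, scan the QR code
#   sudo sshd -t && sudo systemctl restart sshd
# Run google-authenticator for the user BEFORE restarting sshd: once the PAM
# line is required, an account with no ~/.google_authenticator cannot log in.
# Keep the current session open and test a fresh login from a second terminal.
```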
Proceed to Install Fail2ban.
Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.
Edit the config file that monitors SSH logins:
Whitelisting IP address tip: The ignoreip parameter accepts IP addresses, IP ranges or DNS hosts that fail2ban will never ban. This is where you specify your local machine, local IP range or local domain, separated by spaces.
Press CTRL+x, then y, then Enter to save and exit.
Restart fail2ban for settings to take effect.
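A jail.local for the sshd jail described above, written by a script so the whitelist and port are parameters. This is an added example, not the guide's file; the SSH port and whitelisted addresses are placeholders. The one detail the guide does not spell out is that the jail's port must be your custom SSH port: the default `ssh` resolves to 22, so failed logins on the new port would never match the jail.

```shell
#!/usr/bin/env bash
# Added example (not from the Lodestar guide): write a fail2ban jail.local for
# the sshd jail described above. The SSH port and the whitelisted addresses are
# placeholders; fail2ban reads /etc/fail2ban/jail.local on top of jail.conf.
set -eu

# Write the [sshd] jail to OUT. PORT must be the custom SSH port chosen
# earlier; extra arguments are addresses, ranges or hosts for ignoreip.
write_fail2ban_jail() {
  local out="$1" port="$2"; shift 2
  local ignore="127.0.0.1/8 ::1${*:+ $*}"   # never ban localhost or the listed hosts
  cat >"$out" <<EOF
[DEFAULT]
ignoreip = $ignore
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port    = $port
EOF
}

# Show the sshd jail's counters and currently banned addresses (run on the server).
show_sshd_bans() {
  sudo fail2ban-client status sshd
}

# Usage (as root):
#   write_fail2ban_jail /etc/fail2ban/jail.local <YourSSHPortNumber> 192.0.2.0/24
#   systemctl restart fail2ban && fail2ban-client status sshd
```

bantime, findtime and maxretry are given in seconds and attempts; the values above are the example's own choice, not the guide's.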
Ubuntu 20.04 servers can use the default UFW firewall to restrict inbound traffic to the server. Before you enable it, allow inbound traffic for SSH, Go Ethereum, and Lodestar.
UFW should be installed by default. The following command will ensure it is.
Explicitly apply the defaults. Inbound traffic denied, outbound traffic allowed.
Allow inbound traffic on <YourSSHPortNumber> as set above. SSH requires the TCP protocol. E.g. sudo ufw allow 123/tcp
Deny inbound traffic on Port 22/TCP.
NOTE: Only do this after you SSH in using <YourSSHPortNumber>.
Allow P2P connections with Go Ethereum peers on Port 30303.
OPTIONAL: If you are using an Ethereum execution node hosted by a third party, skip this step.
NOTE: If you are hosting your Ubuntu instance locally, your internet router may need to be configured to allow and forward incoming traffic on port 30303 to your server.
Allow P2P connections with Lodestar peers for beacon node actions (Port 9000).
NOTE: If you are hosting your Ubuntu instance locally, your internet router may need to be configured to allow and forward incoming traffic on port 9000 to your server.
Allow HTTP connections to Prometheus metrics (Port 3000)
If you are running Lodestar within a cloud computing environment, you may want to consult with your cloud provider and ensure certain internal IPs are restricted from communication to minimize the risk of you being flagged as an attack/spam/DDOS server.
You can use UFW to block those IPs and ports using commands found in this article about how to block an IP address with UFW.
Enable the firewall and verify the rules have been correctly configured.
Check the screenshot below for reference.
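The UFW rule set from this section, built as a list first so it can be reviewed before anything is applied. This is an added example, not the guide's commands: the SSH port is a placeholder, 30303, 9000 and 3000 are the ports the guide names, and the optional source restriction on the metrics port is the example's suggestion for the cloud-hosting concern above rather than a step from the guide.

```shell
#!/usr/bin/env bash
# Added example (not from the Lodestar guide): the UFW rule set from the steps
# above, built as a list first so it can be reviewed before being applied.
# The SSH port is a placeholder; 30303, 9000 and 3000 are the guide's ports.
set -eu

# Print the ufw commands for SSH_PORT, one per line, in the guide's order.
# EXECUTION="remote" skips the 30303 rule (execution node hosted elsewhere).
# METRICS_FROM, if given, limits port 3000 to that address or range instead
# of opening it to everyone.
ufw_rules() {
  local ssh_port="$1" execution="${2:-local}" metrics_from="${3:-}"
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "ufw allow $ssh_port/tcp comment ssh"
  echo "ufw deny 22/tcp comment old-ssh"        # only after logging in on the new port
  [ "$execution" = "remote" ] || echo "ufw allow 30303 comment geth-p2p"   # TCP and UDP
  echo "ufw allow 9000 comment lodestar-p2p"                                # TCP and UDP
  if [ -n "$metrics_from" ]; then
    echo "ufw allow from $metrics_from to any port 3000 proto tcp comment metrics"
  else
    echo "ufw allow 3000/tcp comment metrics"
  fi
}

# Apply the rules, then enable. "--force" skips the interactive confirmation
# that would otherwise stop a non-interactive script.
apply_ufw_rules() {
  ufw_rules "$@" | while IFS= read -r cmd; do sudo $cmd; done
  sudo ufw --force enable
  sudo ufw status numbered
}

# Usage: ufw_rules <YourSSHPortNumber>            # review
#        apply_ufw_rules <YourSSHPortNumber>      # apply and enable
```

Review the printed list before applying it; the deny rule for 22/tcp is there only because you have already logged in on the new port, as the NOTE above says.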
Ubuntu has time synchronization built in and activated by default using systemd’s timesyncd service. Verify it’s running correctly.
The NTP service should be active. If not, then run:
Check the screenshot below for reference:
You should only be using a single timekeeping service. If you were using NTPD from a previous installation you can check if it exists and remove it using the following commands.
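A check for the two conditions this section describes, written as an added example that is not part of the guide: it parses timedatectl's output (the "NTP service" and "System clock synchronized" lines), turns NTP on if needed, and removes a leftover ntpd package so only one time service runs. The sample output in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the Lodestar guide): verify that systemd-timesyncd is
# active and synchronized, and that no second time daemon (ntpd) is installed.
set -eu

# Read timedatectl output on stdin. Succeeds only when the NTP service is
# active AND the clock reports synchronized: "active" alone means the service
# is running, not that it has actually reached a time server yet.
ntp_ok() {
  local out service synced
  out=$(cat)
  service=$(printf '%s\n' "$out" | awk -F': *' '/^ *NTP service/ {print $2}')
  synced=$(printf '%s\n' "$out" | awk -F': *' '/^ *System clock synchronized/ {print $2}')
  [ "$service" = "active" ] && [ "$synced" = "yes" ]
}

# Fix-up steps from the guide: enable timesyncd if it is off, and remove a
# leftover ntpd so only one timekeeping service is running.
check_time_sync() {
  if timedatectl | ntp_ok; then
    echo "timesyncd active and synchronized"
  else
    echo "enabling NTP via systemd-timesyncd" >&2
    sudo timedatectl set-ntp on
  fi
  if dpkg -s ntp >/dev/null 2>&1; then
    echo "removing ntpd so it does not fight with timesyncd" >&2
    sudo systemctl stop ntp
    sudo apt remove -y ntp
  fi
}

# Usage on the server: check_time_sync
```

Clock accuracy matters for a validator: attestations are bound to slots, so a drifting clock costs rewards before anything else looks wrong, which is why the check insists on "synchronized: yes" and not just on the service being up.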
You should now have a secured server to work with. You have completed configuring the Ubuntu server and can start installing the software required for Ethereum.
Continue on with the guide to set up Lodestar. You have two options for setting up Lodestar: