# Lodestar Setup Guide v2 - Part 2: Set up and Secure your Server

**Last Updated:** January 17, 2022

**Table of Contents**

[toc]

---

This is Part 2 of a step-by-step guide to setting up the ChainSafe Lodestar consensus client on the Ethereum Beacon Chain. The guide is separated into a series of parts, grouped by related steps, that take you from start to finish through setting up a full Lodestar beacon node and validator client. The topics are separated as follows:

- [Lodestar Setup Guide Overview](https://hackmd.io/@philknows/rk5cDvKmK)
- [Part 1: Generating Staking Data](https://hackmd.io/@philknows/rkJEvqzNK)
- Part 2: Set up and Secure your Server
- [Part 3a: Setup Lodestar with Docker Compose](https://hackmd.io/@philknows/HJw1P3FEY)
- ~~Part 3b: Setup Lodestar with Systemd and NPM~~ Coming Soon!:tm:
- [Part 4: Funding your Validator Keys](https://hackmd.io/@philknows/SkCaCU05F)
- [Final Remarks, Next Steps & Appendix](https://hackmd.io/@philknows/rJceRAHvY)

---

# Overview

This section of the guide will help you set up and secure your Ubuntu staking computer.

Using an SSH client, connect to your Ubuntu server on port 22 (the default). If you are logged in as `root`, create a user-level account with admin privileges and use that instead: working as the root user is *++risky++*, because every mistake and every compromised process then runs with full privileges.

:::info
**NOTE:** If you are not logged in as root, skip Create New User and go to the next step: Update the Server.
:::

# Create New User

Create a new user. Replace `<yourusername>` with a username of your choice. You will be asked to create a strong password and to provide some other optional information.

```
adduser <yourusername>
```

Grant admin rights to the new user by adding it to the `sudo` group. This allows the user to perform actions with superuser privileges by typing `sudo` before a command.
```
usermod -aG sudo <yourusername>
```

*Optional:* If you used SSH keys to connect to your Ubuntu instance as `root`, copy the root user's SSH key data to the new user so that the same key works for it:

```
rsync --archive --chown=<yourusername>:<yourusername> ~/.ssh /home/<yourusername>
```

Finally, log out of `root` and log in as `<yourusername>`.

---

# Update the Server

Make sure the system is up to date with the latest software and security updates.

```
sudo apt update && sudo apt upgrade -y
sudo apt dist-upgrade && sudo apt autoremove
sudo reboot
```

---

# Secure the Server

Security is important. This is not a comprehensive security guide, just some basic settings and options depending on your level of security tolerance and technical competencies.

## Disable SSH password Authentication and Use SSH keys only

> **OPTIONAL**: This section is recommended for advanced users who know how to use SSH key pairs to log in to remote servers securely. Otherwise, skip this section and continue to the section: **Modify the Default SSH Port**.

Create a new SSH key pair **on your local machine** (the computer you log in from), not on the server. The private key must never leave the device you log in from; only the public key is copied to the server. You will be asked for a file name in which to save the key; the default is `$HOME/.ssh/id_rsa`. (`ssh-keygen -t ed25519` is an equally good choice on current OpenSSH versions.)

```
cd ~
ssh-keygen -t rsa -b 4096
```

![](https://i.imgur.com/6f6KjYH.png)

Press `Enter` to accept the default location. This writes the private key to `~/.ssh/id_rsa` and the public key to `~/.ssh/id_rsa.pub`. Enter a passphrase: it encrypts the private key on disk, so a stolen laptop or a copied file does not by itself give access to your server.

Copy the public key to the remote server. `ssh-copy-id` appends it to `$HOME/.ssh/authorized_keys` for the user you name and sets the file permissions correctly.

:::info
**NOTE:** For the command below, replace `<User>` with your login username. Replace `<serverIP>` with your server's IP address.
:::

```
ssh-copy-id -i $HOME/.ssh/id_rsa.pub <User>@<serverIP>
```

If you are told that the authenticity of the host cannot be established, compare the fingerprint shown with the one your hosting provider or server console reports before answering `yes`; this is the one chance to catch a machine-in-the-middle before the host key is cached. Then type in your login password.

![](https://i.imgur.com/JXmVt9A.png)

Log in with your SSH key.

```
ssh <User>@<serverIP>
```

Once you've confirmed that it works, you can log out.
Ensure you copy the private key (`id_rsa`) to any other devices you wish to log in from, and keep it off the server itself.

Disable root login and password-based login. Edit the `/etc/ssh/sshd_config` file.

```
sudo nano /etc/ssh/sshd_config
```

:::info
**NOTE:** Keep your current SSH session open while you make these changes and test each change from a second terminal; if the new login fails you can still repair the configuration from the session that is already open. Also note that `sshd` uses the **first** value it finds for a keyword, so if a directive appears twice in the file, or an earlier `Include`d file sets it (as `/etc/ssh/sshd_config.d/*.conf` does on newer Ubuntu releases), an uncommented line near the top overrides the one you add. `sudo sshd -T` prints the configuration that is actually in effect.
:::

Locate **ChallengeResponseAuthentication** and update it to no. (Leave it at `yes` only if you intend to follow the 2-Factor Authentication section below, which needs it.)

```
ChallengeResponseAuthentication no
```

Locate **PasswordAuthentication** and update it to no.

```
PasswordAuthentication no
```

Locate **PermitRootLogin** and update it to prohibit-password. This only blocks *password* logins for root; a key listed in root's `authorized_keys` still works. Since you now have a `sudo` user, `PermitRootLogin no` is the stronger choice and disables root login over SSH entirely.

```
PermitRootLogin prohibit-password
```

Locate **PermitEmptyPasswords** and update it to no.

```
PermitEmptyPasswords no
```

Validate the syntax of your new SSH configuration.

```
sudo sshd -t
```

If the syntax validation reports no errors, restart the SSH service. (On Ubuntu the unit is `ssh.service`; `sshd` is an alias for it, so either name works.)

```
sudo systemctl restart sshd
```

Verify from a second terminal that the login still works. Until you change the port in the next section this is the same command as before; afterwards, add `-p <YourSSHPortNumber>`.

```
ssh <User>@<serverIP>
```

> **Optional:** To simplify the ssh command needed to log in to your server, consider updating your local `$HOME/.ssh/config` file (use `Port 22` until you change the port in the next section):

```
Host lodestar-server
    User <User>
    HostName <serverIP>
    Port <YourSSHPortNumber>
```

This lets you log in with `ssh lodestar-server` rather than passing all the ssh parameters explicitly.

Proceed to **Modify the Default SSH Port**.

---

## Modify the Default SSH Port

Port 22 is the default SSH port and is constantly probed by automated scanners. Moving SSH to another port keeps most of that noise (and the resulting log spam and fail2ban bans) away from your server. It is not a security control on its own: a targeted attacker finds the new port with a port scan in seconds, which is why the key-only login above and the firewall and fail2ban steps below still matter.

Choose a port number between 1024 and 49151, and run the following command, replacing `<YourSSHPortNumber>` with the selected port, to check that it is not already in use:

```
sudo ss -tulpn | grep ':<YourSSHPortNumber>'
```

E.g. `sudo ss -tulpn | grep ':6673'`. No output means the port is free; any output (highlighted in red when grep colours its matches) means something is already listening on it, so try a different port.

If confirmed available, modify the default port by updating the SSH config.

```
sudo nano /etc/ssh/sshd_config
```

![](https://i.imgur.com/IynHQrO.png)

Find the line `Port 22` in the file, or add it if it is not present.
Remove the `#` (if present) and change the value as below.

```
Port <YourSSHPortNumber>
```

The screenshot below shows `Port 123` purely as an illustration of where the line goes; pick a port in the 1024–49151 range as described above (123 is below 1024 and is reserved for NTP).

Press `CTRL` + `x`, then `y`, then `Enter` to save and exit.

![](https://i.imgur.com/uu46IVu.png)

Restart the SSH service to apply the change.

```
sudo systemctl restart ssh
```

Before you log out, open a second terminal and log in via SSH using `<YourSSHPortNumber>` for the port (`ssh <User>@<serverIP> -p <YourSSHPortNumber>`). Only close the original session once that works.

:::info
**NOTE:** If you plan to use a password login for your server, it is recommended that you also **set up 2-Factor Authentication**, or go back to the section **Disable SSH password Authentication and Use SSH keys only**.
:::

---

## Setup 2-Factor Authentication for your Server

> **OPTIONAL:** If you would like added security on top of your password, you can set up Google Authenticator (time-based one-time passwords, TOTP) to further protect your server from unauthorized access. Otherwise, skip this section and continue to Install Fail2ban.

:::info
**NOTE:** This section adds a one-time code to password logins. Enabling `ChallengeResponseAuthentication` lets PAM ask for the Unix password again even when `PasswordAuthentication` is `no`, so this section and the key-only section really are alternatives; if you want a key *and* a code to be required, you also need `AuthenticationMethods publickey,keyboard-interactive` in `sshd_config`. Keep your current session open until you have confirmed that a fresh login prompts for the code.
:::

Install the package required for Google Authenticator.

```
sudo apt install libpam-google-authenticator -y
```

To make SSH use the Google Authenticator PAM module, edit the file `/etc/pam.d/sshd`:

```
sudo nano /etc/pam.d/sshd
```

Add the following line at the bottom of the file. `required` means a login fails unless the module succeeds, so every user who logs in over SSH must have run `google-authenticator` (next step) before the change is enforced; a user with no `~/.google_authenticator` file is rejected.

```
auth required pam_google_authenticator.so
```

Check the screenshot below for reference. Press `CTRL` + `x`, then `y`, then `Enter` to save and exit.

![](https://i.imgur.com/DihQJyD.png)

Next, modify the `sshd` configuration file at `/etc/ssh/sshd_config`:

```
sudo nano /etc/ssh/sshd_config
```

Locate the following parameters and update them to `yes`. Check the screenshot below for reference. (`ChallengeResponseAuthentication` is what lets `sshd` hand the login over to PAM for the code prompt; OpenSSH 8.7 and later also accept the same setting under its new name, `KbdInteractiveAuthentication`.)

```
ChallengeResponseAuthentication yes
UsePAM yes
```

![](https://i.imgur.com/R3dTdl3.png)

Press `CTRL` + `x`, then `y`, then `Enter` to save and exit. Then restart the `sshd` daemon so that both changes take effect:

```
sudo systemctl restart sshd.service
```
Now set up Google Authenticator for your user with the following command:

```
google-authenticator
```

You will be asked a series of questions; the recommended settings are:

- Make tokens "time-based": yes
- Update the .google_authenticator file: yes
- Disallow multiple uses of the same token: yes
- Increase the original generation time limit (time-skew window): no
- Enable rate-limiting: yes

Use the screenshots below as an example reference:

![](https://i.imgur.com/Oh1glHz.png)
![](https://i.imgur.com/TjPgcXR.png)

:::danger
**WARNING:** The giant QR code that appeared is a representation of your secret key for your Google Authenticator application. This key is required to generate the 6-digit codes you use to verify your 2FA and log into your server. It is ++**VERY IMPORTANT**++ to write down your emergency scratch codes and ++**KEEP THEM SAFE**++ in case you lose access to your phone. Treat the secret and the scratch codes like a password: anyone who has them can pass the second factor.
:::

Now open Google Authenticator on your phone and add your secret key. Before closing this session, open a second terminal and log in again to make sure you are prompted for a verification code after your password and that the login succeeds.

Proceed to **Install Fail2ban**.

---

## Install Fail2ban

Fail2ban is an intrusion-prevention system that monitors log files for patterns that correspond to failed login attempts. If a certain number of failed logins (`maxretry`) are detected from a specific IP address within a specified amount of time (`findtime`), fail2ban blocks that IP address for a while (`bantime`) by adding a firewall rule.

```
sudo apt-get install fail2ban -y
```

Create (or edit) the local override file that configures the jail monitoring SSH logins. `/etc/fail2ban/jail.local` does not exist on a fresh install; settings in it take precedence over the packaged `/etc/fail2ban/jail.conf`, which you should leave untouched so that package updates don't overwrite your changes.

```
sudo nano /etc/fail2ban/jail.local
```

:::info
**Whitelisting IP address tip:** The `ignoreip` parameter accepts IP addresses, IP ranges (CIDR notation) or DNS hosts that are never banned. This is where you specify your local machine, local IP range or local domain, separated by spaces, so that a few mistyped passwords from your own laptop don't lock you out.
```
# Example
ignoreip = 192.168.1.0/24 127.0.0.1/8
```
:::

```
[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip = <list of whitelisted IP address, your local daily laptop/pc>
```

`port` must be the SSH port you configured above: if it is wrong, fail2ban still detects the failures in `auth.log`, but the ban rule it installs blocks the wrong port.

Press `CTRL` + `x`, then `y`, then `Enter` to save and exit.

Restart fail2ban for the settings to take effect.

```
sudo systemctl restart fail2ban
```

---

## Configure the Firewall

Ubuntu 20.04 servers can use the default UFW firewall to restrict inbound traffic to the server. Before you enable it, allow inbound traffic for SSH, Go Ethereum, and Lodestar; enabling UFW with the default deny policy and no SSH rule would cut off your own session.

### Install UFW

UFW should be installed by default. The following command makes sure it is.

```
sudo apt install ufw
```

### Apply UFW Defaults

Explicitly apply the defaults: inbound traffic denied, outbound traffic allowed.

```
sudo ufw default deny incoming
sudo ufw default allow outgoing
```

### Allow SSH

Allow inbound traffic on `<YourSSHPortNumber>` as set above. SSH uses TCP, so restrict the rule to that protocol. E.g. `sudo ufw allow 123/tcp`

```
sudo ufw allow <YourSSHPortNumber>/tcp
```

### Deny SSH Port 22

Deny inbound traffic on port 22/TCP. With the default deny policy this rule is redundant, but it documents the intent and still protects you if the default is ever changed.

:::info
**NOTE:** Only do this after you have confirmed you can SSH in using `<YourSSHPortNumber>`.
:::

```
sudo ufw deny 22/tcp
```

### Allow Go Ethereum (Geth)

Allow P2P connections with Go Ethereum peers on port 30303 (TCP for peer connections and UDP for discovery; the rule below names no protocol, so it covers both).

> **OPTIONAL** If using an Ethereum execution node hosted by a [3rd party](https://ethereumnodes.com/), skip this step.

:::info
**NOTE:** If you are hosting your Ubuntu instance locally, your internet router may need to be ++[configured](https://www.howtogeek.com/66214/how-to-forward-ports-on-your-router/)++ to allow and forward incoming traffic on port 30303 to your server.
:::

```
sudo ufw allow 30303
```

### Allow Lodestar Ports

Allow P2P connections with Lodestar peers for the beacon node on port 9000 (TCP and UDP; the rule below names no protocol, so it covers both).

:::info
**NOTE:** If you are hosting your Ubuntu instance locally, your internet router may need to be ++[configured](https://www.howtogeek.com/66214/how-to-forward-ports-on-your-router/)++ to allow and forward incoming traffic on port 9000 to your server.
:::

```
sudo ufw allow 9000
```

Allow HTTP connections to Prometheus metrics (port 3000). This is not needed for the node to run; only open it if you need to reach the metrics from outside the server, and if you only ever do so from one machine, restrict the rule to that address rather than the whole internet (UFW accepts `allow from <YourIP> to any port 3000`).

```
sudo ufw allow 3000
```

### Deny any internal IP addresses (As Required)

If you are running Lodestar in a cloud computing environment, consult your cloud provider about which internal IP ranges your node should not talk to, so that peer-to-peer traffic to those ranges doesn't get you flagged as an attack/spam/DDoS source. You can use UFW to block those IPs and ports using the commands in this article about [how to block an IP address with UFW](https://www.cyberciti.biz/faq/how-to-block-an-ip-address-with-ufw-on-ubuntu-linux-server/).

### Enable the Firewall

Enable the firewall and verify that the rules have been configured correctly. Make sure the SSH rule is in the list before you confirm the enable prompt.

```
sudo ufw enable
sudo ufw status numbered
```

Check the screenshot below for reference.

![](https://i.imgur.com/tofIANl.png)

---

# Configure Timekeeping on the Server

Accurate time matters for a validator: duties are tied to slots, and a clock that drifts causes missed or late attestations. Ubuntu has time synchronization built in and activated by default using systemd's timesyncd service. Verify that it's running correctly.

```
timedatectl
```

`NTP service` should show `active` (and `System clock synchronized` should say `yes`). If not, run:

```
sudo timedatectl set-ntp on
```

Check the screenshot below for reference:

![](https://i.imgur.com/MR1MF31.png)

You should only be running a single timekeeping service. If you were using NTPD from a previous installation, check whether it exists and remove it with the following commands.

```
ntpq -p
sudo apt-get remove ntp
```

# Final Steps

You should now have a secured server to work with.
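As a final check on the SSH hardening from this page, here is a small shell script that reads an `sshd` configuration and reports which of the settings applied above are not in effect. It is an added example, not part of the Lodestar guide or of OpenSSH, and the function and file names are mine. It follows `sshd_config`'s own rules: keywords are case-insensitive, the first occurrence of a keyword wins, anything after a `Match` line is conditional and is ignored, and OpenSSH's defaults apply when a keyword is absent. It does not follow `Include` directives, so on systems that use `/etc/ssh/sshd_config.d/` feed it the output of `sudo sshd -T` instead. The configuration at the bottom is constructed to look like an unhardened stock file; it is not taken from a real server.

```shell
#!/bin/sh
# Added example: audit an sshd configuration for the hardening settings from this page.
# Not part of the Lodestar guide or of OpenSSH; function names are illustrative.
#
# Usage:
#   audit_sshd_config /etc/ssh/sshd_config
#   sudo sshd -T > /tmp/sshd-effective.conf && audit_sshd_config /tmp/sshd-effective.conf
# Prints one FAIL line per problem and returns 0 only when every check passes.

# sshd_value FILE KEYWORD -> the effective value of KEYWORD (lowercased), or nothing.
# Mirrors sshd_config semantics: case-insensitive keywords, first occurrence wins,
# and nothing after the first "Match" line counts (those settings are conditional).
sshd_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF < 2     { next }                     # comments and blank lines
        tolower($1) == "match"   { exit }                     # conditional section begins
        tolower($1) == want      { print tolower($2); exit }  # first occurrence wins
    ' "$1"
}

# expect FILE KEYWORD DEFAULT ALLOWED... -> 0 if the effective value is one of ALLOWED.
# DEFAULT is the value sshd applies when the keyword is absent from the file.
expect() {
    file=$1; key=$2; default=$3; shift 3
    got=$(sshd_value "$file" "$key")
    got=${got:-$default}
    for ok in "$@"; do
        [ "$got" = "$ok" ] && return 0
    done
    printf 'FAIL %-32s effective=%-18s expected: %s\n' "$key" "$got" "$*"
    return 1
}

audit_sshd_config() {
    f=$1; rc=0
    # third argument is the OpenSSH default that applies when the keyword is absent
    expect "$f" passwordauthentication yes no                          || rc=1
    expect "$f" permitemptypasswords   no  no                          || rc=1
    # "no" is stricter than prohibit-password, which still lets root in with a key
    expect "$f" permitrootlogin prohibit-password no prohibit-password || rc=1
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication;
    # sshd -T prints whichever name the running version uses, so check both. Default: yes.
    cra=$(sshd_value "$f" kbdinteractiveauthentication)
    [ -n "$cra" ] || cra=$(sshd_value "$f" challengeresponseauthentication)
    cra=${cra:-yes}
    if [ "$cra" != no ]; then
        printf 'FAIL %-32s effective=%-18s expected: no (yes only with PAM 2FA)\n' \
            challengeresponseauthentication "$cra"
        rc=1
    fi
    # sshd listens on 22 when Port is absent or commented out
    port=$(sshd_value "$f" port)
    if [ "${port:-22}" = 22 ]; then
        printf 'FAIL %-32s effective=%-18s expected: a port other than 22\n' port "${port:-22}"
        rc=1
    fi
    return $rc
}

# Demo on a constructed sample (not a real server) that looks like an unhardened stock
# file: Port and PermitRootLogin commented out, passwords allowed, and a Match block
# that would wrongly look hardened if Match were not handled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User deploy
    PasswordAuthentication no
EOF
audit_sshd_config "${1:-$sample}" && echo "all checks passed" || :
rm -f "$sample"
```

Run it with a file argument to audit a real configuration; with no argument it audits the constructed sample and reports the password and port findings. A clean run on `sshd -T` output is the condition to look for before you close your last known-good session.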
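The `[sshd]` jail configured in the Install Fail2ban section boils down to the logic below, included here as an added example (not part of the Lodestar guide or of fail2ban): scan `auth.log` for the failure lines the `sshd` filter recognises, count them per source address, skip addresses covered by `ignoreip`, and report any address that reached `maxretry`. It reproduces only the counting and the CIDR whitelist; real fail2ban also limits the count to a `findtime` window, matches many more log patterns, and installs the firewall rule. It is useful for checking that your `ignoreip` line really covers your own address before you rely on it. The function name is mine, and the log lines at the bottom are constructed in Ubuntu's `auth.log` format rather than taken from a real host.

```shell
#!/bin/sh
# Added example: the counting and whitelist logic behind the [sshd] jail above.
# Not part of the Lodestar guide or of fail2ban; names are illustrative.
#
# ssh_offenders LOGFILE MAXRETRY "IGNOREIP..." -> prints "IP count" for every source
# address with at least MAXRETRY failed logins that is not covered by IGNOREIP
# (space-separated IPv4 addresses or CIDR ranges, exactly as written in jail.local).
ssh_offenders() {
    awk -v maxretry="$2" -v ignore="$3" '
        function ip2int(ip,   o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        # true when ip lies inside cidr; a bare address means /32
        function in_cidr(ip, cidr,   p, n, bits, div) {
            n = split(cidr, p, "/")
            bits = (n == 2) ? p[2] + 0 : 32
            div = 2 ^ (32 - bits)        # awk has no bit shifts: compare network prefixes
            return int(ip2int(ip) / div) == int(ip2int(p[1]) / div)
        }
        function ignored(ip,   i) {
            for (i = 1; i <= nignore; i++)
                if (in_cidr(ip, ignorelist[i])) return 1
            return 0
        }
        BEGIN { nignore = split(ignore, ignorelist, " ") }
        # two of the failure patterns in the fail2ban sshd filter
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            if (match($0, / from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr($0, RSTART + 6, RLENGTH - 6)
                if (!ignored(ip)) fails[ip]++
            }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= maxretry) printf "%s %d\n", ip, fails[ip]
        }
    ' "$1" | sort
}

# Constructed sample in Ubuntu auth.log format (not from a real host): one scanner
# guessing usernames, one root brute-force that stops early, and the operator
# mistyping their own password from the LAN before logging in with a key.
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Jan 17 10:00:01 staker sshd[1201]: Invalid user admin from 203.0.113.5 port 51022
Jan 17 10:00:03 staker sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 17 10:00:05 staker sshd[1203]: Invalid user oracle from 203.0.113.5 port 51030
Jan 17 10:00:06 staker sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2
Jan 17 10:01:10 staker sshd[1210]: Failed password for root from 198.51.100.7 port 40200 ssh2
Jan 17 10:01:12 staker sshd[1210]: Failed password for root from 198.51.100.7 port 40200 ssh2
Jan 17 10:02:00 staker sshd[1220]: Failed password for phil from 192.168.1.20 port 50000 ssh2
Jan 17 10:02:02 staker sshd[1220]: Failed password for phil from 192.168.1.20 port 50000 ssh2
Jan 17 10:02:04 staker sshd[1220]: Failed password for phil from 192.168.1.20 port 50000 ssh2
Jan 17 10:02:30 staker sshd[1221]: Accepted publickey for phil from 192.168.1.20 port 50001 ssh2
EOF

# Same maxretry and ignoreip as the jail.local above: only the scanner is reported,
# because the operator on 192.168.1.20 is whitelisted by 192.168.1.0/24.
ssh_offenders "$SAMPLE_AUTH_LOG" 3 "127.0.0.1/8 192.168.1.0/24"
```

Point it at `/var/log/auth.log` with your own `maxretry` and `ignoreip` values to see which addresses fail2ban would act on; if your own address shows up, fix the `ignoreip` line before a typo bans you.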
You have now completed configuring the Ubuntu server to start working with the software required for Ethereum. Continue on with the guide to set up Lodestar. You have two options for setting up Lodestar:

- [Part 3a: Setup Lodestar with Docker Compose](https://hackmd.io/@philknows/HJw1P3FEY) or
- ~~Part 3b: Setup Lodestar with Systemd and NPM~~ Coming Soon!:tm: