Try   HackMD

Lodestar Setup Guide v2 - Part 2: Set up and Secure your Server

Last Updated: January 17, 2022

Table of Contents

This is Part 2 of a step-by-step guide to setup the ChainSafe Lodestar consensus client on the Ethereum Beacon Chain.

This guide is separated into a series of parts, grouped by related steps to setup a full Lodestar consensus beacon node and validator client from start to finish. The topics are separated as follows:

Overview

This section of the guide will help you setup and secure your local Ubuntu staking computer.

Using a SSH client, connect to your Ubuntu server through Port 22 (default). If you are logged in as root then create a user-level account with admin privileges instead, since logging in as the root user is risky.

NOTE: If you are not logged in as root then skip Create New User and go to the next step: Update the Server.

Create New User

Create a new user. Replace <yourusername> with a username of your choice. You will asked to create a strong password and provide some other optional information.

adduser <yourusername>

Grant admin rights to the new user by adding it to the sudo group. This will allow the user to perform actions with superuser privileges by typing sudo before commands.

usermod -aG sudo <yourusername>

Optional: If you used SSH keys to connect to your Ubuntu instance via the root user you will need to associate the new user with the root user’s SSH key data.

rsync --archive --chown=<yourusername>:<yourusername> ~/.ssh /home/<yourusername>

Finally, log out of root and log in as <yourusername>.

Update the Server

Make sure the system is up to date with the latest software and security updates.

sudo apt update && sudo apt upgrade -y
sudo apt dist-upgrade && sudo apt autoremove
sudo reboot

Secure the Server

Security is important. This is not a comprehensive security guide, just some basic settings and options depending on your level of security tolerance and technical competencies.

Disable SSH password Authentication and Use SSH keys only

OPTIONAL: This section is recommended for advanced users who know how to utilize RSA keypairs to securely log in to remote servers. Otherwise, skip this section and continue to the section: Modify the Default SSH Port.

Create a new SSH key pair on your local machine. Run this on your local machine. You will be asked to type a file name in which to save the key. This will be your keyname.

Generate your RSA keypair on your server.

cd ~
ssh-keygen -t rsa -b 4096

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Press Enter to save the key as id_rsa.pub.

Enter a passphrase if you wish.

Transfer the keys to your remote server at $HOME/.ssh if you generated the key from another device.

NOTE: For the command below, replace <User> with your login username. Replace <serverIP> with your server's IP address.

ssh-copy-id -i $HOME/.ssh/id_rsa.pub <User>@<serverIP>

Continue connecting if the ECDSA authenticity of the host cannot be established by using yes. Then type in your login password.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Login with your SSH key.

ssh <User>@<serverIP>

Once confirmed that it works, you can logout. Ensure you copy the necessary private key (id_rsa) to other devices you wish to login from.

Disable root login and password based login. Edit the /etc/ssh/sshd_config file.

sudo nano /etc/ssh/sshd_config

Locate ChallengeResponseAuthentication and update to no.

ChallengeResponseAuthentication no

Locate PasswordAuthentication update to no.

PasswordAuthentication no

Locate PermitRootLogin and update to prohibit-password.

PermitRootLogin prohibit-password

Locate PermitEmptyPasswords and update to no.

PermitEmptyPasswords no

Validate the syntax of your new SSH configuration.

sudo sshd -t

If no errors with the syntax validation, restart the SSH process.

sudo systemctl restart sshd

Verify the login still works.

ssh <User>@<serverIP> -p <CustomPortNumber>

Optional: To simplify the ssh command needed to log in to your server, consider updating your local $HOME/.ssh/config file:





Host lodestar-server
  User <User>
  HostName <serverIP>
  Port <Custom Port Number>

This will allow you to log in with ssh lodestar-server rather than needing to pass through all ssh parameters explicitly.

Proceed to Modify the Default SSH Port.

Modify the Default SSH Port

Port 22 is the default SSH port and a common attack vector. Change the SSH port to avoid this.

Choose a port number between 1024–49151 and run the following command and replace <YourSSHPortNumber> with the selected port number to check that it is not already in use:

sudo ss -tulpn | grep ':<YourSSHPortNumber>'

A blank response indicates not in use, a red text response indicates it is in use: try a different port. E.g. sudo ss -tulpn | grep ':6673'

If confirmed available, modify the default port by updating SSH config.

sudo nano /etc/ssh/sshd_config



Find or add (if not present) the line Port 22 in the file. Remove the # (if present) and change the value as below.

Port <YourSSHPortNumber>

Check the screen shot below for reference of Port 123 as an example. Press CTRL +x then y then Enter to save and exit.



Restart the SSH service to reflect the above changes.

sudo systemctl restart ssh

Log out and log back in via SSH using <YourSSHPortNumber> for the port.

NOTE: If you plan to use a password login for your server it is recommended that you also setup 2-Factor Authentication or skip to the section: Disable SSH password Authentication and Use SSH keys only.

Setup 2-Factor Authentication for your Server

OPTIONAL: If you would like added security on top of your password, you can setup Google Authenticator to further protect your server from unauthorized access. Otherwise, skip this section and continue to Install Fail2ban.

Install the package required for Google Authenticator.

sudo apt install libpam-google-authenticator -y

To make SSH use the Google Authenticator PAM module, you will need to edit the file located in /etc/pam.d/sshd:

sudo nano /etc/pam.d/sshd

In the configuration file, add the following line at the bottom of the file:

auth required pam_google_authenticator.so

Check the screen shot below for reference. Press CTRL + x then y then Enter to save and exit.



Now we will restart the sshd daemon with the following command:

sudo systemctl restart sshd.service

We must now modify the sshd configuration file located at /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

We will locate the following parameters and update it to yes. Check the screen shot below for reference.

ChallengeReponseAuthentication yes

UsePAM yes




Press CTRL + x then y then Enter to save and exit.

We will now setup Google Authenticator with the following command:

google-authenticator

You will be asked a series of questions and the recommendated settings are:

  • Make tokens “time-base”": yes
  • Update the .google_authenticator file: yes
  • Disallow multiple uses: yes
  • Increase the original generation time limit: no
  • Enable rate-limiting: yes

Use the screenshots below as an example reference:



WARNING: The giant QR code that appeared is a representation of your secret key used for your Google Authenticator application. This key is required to generate the proper 6 digit codes you use to verify your 2FA and log into your server. It is VERY IMPORTANT to write down your emergency scratch codes and KEEP THEM SAFE incase you lose access to your phone.

Now open Google Authenticator on your phone and add your secret key to make sure you have access to your server after inputting your password.

Proceed to Install Fail2ban.

Install Fail2ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.

sudo apt-get install fail2ban -y

Edit the config file that monitors SSH logins:

sudo nano /etc/fail2ban/jail.local

Whitelisting IP address tip: The ignoreip parameter accepts IP addresses, IP ranges or DNS hosts that you can specify to be allowed to connect. This is where you want to specify your local machine, local IP range or local domain, separated by spaces.



# Example
ignoreip = 192.168.1.0/24 127.0.0.1/8









[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip = <list of whitelisted IP address, your local daily laptop/pc>

Press CTRL + x then y then Enter to save and exit.

Restart fail2ban for settings to take effect.

sudo systemctl restart fail2ban

Configure the Firewall

Ubuntu 20.04 servers can use the default UFW firewall to restrict inbound traffic to the server. Before you enable it allow inbound traffic for SSH, Go Ethereum, and Lodestar.

Install UFW

UFW should be installed by default. The following command will ensure it is.

sudo apt install ufw

Apply UFW Defaults

Explicitly apply the defaults. Inbound traffic denied, outbound traffic allowed.

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow SSH

Allow inbound traffic on <YourSSHPortNumber> as set above. SSH requires the TCP protocol. E.g. sudo ufw allow 123/tcp

sudo ufw allow <YourSSHPortNumber>/tcp

Deny SSH Port 22

Deny inbound traffic on Port 22/TCP.

NOTE: Only do this after you SSH in using <YourSSHPortNumber>.

sudo ufw deny 22/tcp

Allow Go Ethereum (Geth)

Allow P2P connections with Go Ethereum peers on Port 30303.

OPTIONAL If using an Ethereum Execution Node hosted by a 3rd party, skip this step.

NOTE: If you are hosting your Ubuntu instance locally, your internet router may need to be configured to allow and forward incoming traffic on port 30303 to your server.

sudo ufw allow 30303

Allow Lodestar Ports

Allows P2P connections with Lodestar peers for actions on the beacon node (Port 9000)

NOTE: If you are hosting your Ubuntu instance locally, your internet router may need to be configured to allow and forward incoming traffic on port 9000 to your server.

sudo ufw allow 9000

Allow HTTP connections to Prometheus metrics (Port 3000)

sudo ufw allow 3000

Deny any internal IP addresses (As Required)

If you are running Lodestar within a cloud computing environment, you may want to consult with your cloud provider and ensure certain internal IPs are restricted from communication to minimize the risk of you being flagged as an attack/spam/DDOS server.

You can use UFW to block those IPs and ports using commands found in this article about how to block an IP address with UFW.

Enable the Firewall

Enable the firewall and verify the rules have been correctly configured

sudo ufw enable
sudo ufw status numbered

Check the screenshot below for reference.

Configure Timekeeping on the Server

Ubuntu has time synchronization built in and activated by default using systemd’s timesyncd service. Verify it’s running correctly.

timedatectl

The NTP service should be active. If not then run:

sudo timedatectl set-ntp on

Check the screenshot below for reference:




You should only be using a single timekeeping service. If you were using NTPD from a previous installation you can check if it exists and remove it using the following commands.

ntpq -p
sudo apt-get remove ntp

Final Steps

You should now have a secured server to work with. You have now completed configuring the Ubuntu server to start working with the software required for Ethereum.

Continue on with the guide to setup Lodestar. You have two options for setting up Lodestar:

Last changed by 
Phil Ngo
0
1
1107

Read more

Lodestar Holesky Rescue Retrospective

Holesky hard-forked as scheduled on Epoch 115968 at 2025-02-24 21:55:12 UTC. During the transition, some of the Lodestar Holesky genesis validators (index 695000-794999) on v1.27.0 failed to properly sync through the hard fork and started to miss block proposals due to an unlikely and isolated edge-case withdrawal credentials bug which would cause a state mismatch and corrupt the database, but fixed in v1.27.1 (released approximately 5 hours before the fork). Although it was determined that both versions of v1.27.0 and v1.27.1 would still be compatible for the Pectra hard, it was recommended to wipe the database and upgrade to v1.27.1 to repair the issue if isolated nodes were stuck past the hard fork.

Mar 24, 2025
Lodestar Quick Setup Guide with @ChainSafe/lodestar-quickstart scripts

Last Updated: February 13, 2023

Aug 9, 2024
EIP-7251 MaxEB Breakout Call #4 - April 3, 2024

Mikhail: No custom ceilings

Apr 11, 2024
EIP-7251 MaxEB Breakout Call #5 - Apr 9, 2024

Next call: Tuesday Apr 16 @ 1200 UTC

Apr 10, 2024
Read more from Phil Ngo
Published on HackMD