web3 forums

web3 and ethereum community forums

  • Ubuntu Linux ethereum validator node basic security hardening guide

    Posted by zombieducklings on August 23, 2022 at 9:32 am

    Basic Ubuntu / Debian hardening guide, and tips to keep your validator box secure. This guide is for Ubuntu 20.04, 22.04 and Debian 10, 11.

    1. Keep System Up-To-Date
    This should be obvious but keep your Ubuntu box up to date. Log in at least once a week and run updates manually. If a reboot is necessary, verify everything is working correctly before update. If an update is not required for security you may want to hold off for a bit until it’s been tested. If you want a more hands-off approach you can install the “unattended-upgrades” package with the second command below. This will install critical security updates automatically but not feature updates.

    sudo apt update && sudo apt upgrade
    sudo apt install unattended-upgrades

    2. System Accounts
    The best place to start is ensuring your user accounts are locked down.

    2a. Ensure Only root Has UID of 0
    Accounts with a UID of 0 have the highest access to the system. UID0 should only be for the root account. Check to see what accounts have a UID0:

    sudo awk -F: '($3=="0"){print}' /etc/passwd

    2b. Ensure no empty passwords
    Accounts that have no password are essentially wide open. Even if this account doesn’t have any special permissions it can be used in a privilege escalation attack. Make sure all accounts have a password.

    sudo awk -F: '($2==""){print $1}' /etc/shadow

    2c. Lock Accounts
    If you find a user account with no password and don’t want to delete it for fear of breaking something, you can “lock” the account by appending an “!” to the end of the password hash. That tells linux it’s locked.

    sudo passwd -l accountName

    2d. Adding New User Accounts
    This is standard practice on Ubuntu but you should never operate from the root account. Make sure you have a regular user account created. This will automatically create a user account with the most basic permissions. You can set those permissions for every new account creation in the “/etc/skel” file.

    sudo adduser accountName

    2e. Sudo Configuration
    Sudo allows regular users to run commands “as root” or with elevated permissions. This is the most secure way of making changes to the system. Sudo is very versatile with lots of options. Use the “visudo” command to change sudo options. Some common options that may help you with security are below, especially the IP address and allowed-commands options. Be careful not to lock your own account out accidentally.

    %www – All users of the www group
    ALL= – From any Host/IP
    (ALL) – can run as any user
    NOPASSWD – No password required (omit to require a password)
    :/bin/cat,/bin/ls – Commands able to run as sudo. In this case, “cat” and “ls”

    3. The Firewall
    IpTables is pretty much the standard for firewall applications in the *nix world. It’s lightweight and very configurable. You should limit all ports except the ones you need for your validator and possibly SSH. For example, if you only want local access to the validator box without remote SSH login you could close the SSH port with the following command:

    sudo ufw deny 22/tcp

    4. SSH
    This is the largest “hole” in your server setup. It allows remote terminal access to your validator. This must be locked down and secured as much as possible. All options can be changed in the “/etc/ssh/sshd_config” file.

    4a. Disable root Login
    Find the line for “PermitRootLogin” and change it to “no” like below

    PermitRootLogin no

    4b. Allow Specific Users
    This line allows you to set specific user accounts that are allowed to use SSH. It’s a good idea to set this to only your user account.

    AllowUsers userName

    4c. Change Default Port
    Change your default SSH port to something other than 22. This is more security through obscurity as the port can still be found, but automated scanning bots typically scan the most common ports and quit to save time. Setting your SSH port high in the port range will prevent a lot of common port scanning bots from discovering your SSH port.

    !Important! Be sure to open this new port on your firewall “ufw allow 22222/tcp” before restarting SSHD or you will be locked out from remote access.

    Port 22222

    4d. Disable Empty Passwords
    You don’t want anyone logging in with no password, so let’s go ahead and fix that

    PermitEmptyPasswords no

    4e. Disable X11 Forwarding

    X11Forwarding no

    4f. Set a maximum number of tries

    MaxAuthTries 3

    More useful commands

    1. Display All Current Connections, Listening Services, and Processes Handling Them
    Your best friend for Linux server administration

    netstat -tulpn

    2. Display Services and Their Status
    This will list all services on the system and their status

    service --status-all

    Or to only show running services use grep

    service --status-all | grep '\[ + \]'

    3. Install RKHunter to scan for common rootkits

    apt-get install rkhunter
    rkhunter -c

    4. Log Locations
    Below are the common default log locations:

    /var/log/message — Where whole system logs or current activity logs are available.
    /var/log/auth.log — Authentication logs.
    /var/log/kern.log — Kernel logs.
    /var/log/cron.log — Crond logs (cron job).
    /var/log/maillog — Mail server logs.
    /var/log/boot.log — System boot log.
    /var/log/mysqld.log — MySQL database server log file.
    /var/log/secure — Authentication log.
    /var/log/utmp or /var/log/wtmp — Login records file.
    /var/log/apt — Apt package manager logs

    Please note this is a very basic security guide and server management primer and will not ensure your security from sophisticated attackers. These basic practices should slow them down and prevent you from being an easy target however. Hope this helps keep your validator safe and secure!

    JBMaclemore.eth replied 5 months, 2 weeks ago 3 Members · 2 Replies
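The account and SSH checks from sections 2a, 2b and 4 of the guide above, turned into a small audit script. This is an added example, not part of the original post: the passwd, shadow and sshd_config contents below are constructed sample data (the `backdoor` and `guest` accounts and the `$6$salt$hashplaceholder` hash are made up), and the function names are my own. To audit a real host, point `audit` at `/etc/passwd`, `/etc/shadow` (needs sudo) and `/etc/ssh/sshd_config`; for the SSH part, `sudo sshd -T` is the authoritative way to print the effective configuration, the awk helper here only shows the rule it follows (first occurrence of a keyword wins, `#` lines are ignored, directives under `Match` are conditional).

```shell
#!/bin/sh
# Added example, not from the original post. Audits the checks from the
# guide's sections 2a, 2b and 4 against constructed sample files so it can be
# run offline; swap in the real /etc paths to audit an actual host.

# --- constructed sample data (not taken from any real system) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
SAMPLE_SSHD="$SAMPLE_DIR/sshd_config"

cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
validator:x:1000:1000:validator:/home/validator:/bin/bash
backdoor:x:0:0:constructed extra uid 0 account:/home/backdoor:/bin/bash
EOF

cat >"$SAMPLE_SHADOW" <<'EOF'
root:!:19200:0:99999:7:::
daemon:*:19200:0:99999:7:::
validator:$6$salt$hashplaceholder:19200:0:99999:7:::
guest::19200:0:99999:7:::
EOF

cat >"$SAMPLE_SSHD" <<'EOF'
# constructed sshd_config: first occurrence wins, comments are ignored
Port 22222
#PermitRootLogin yes
PermitRootLogin no
AllowUsers validator
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 3
Match User validator
    X11Forwarding no
EOF

# 2a: print every account whose UID field (3rd) is 0; only root should appear
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# 2b: print every account whose password field (2nd) is empty
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Effective value of an sshd_config keyword: sshd uses the FIRST occurrence,
# keywords are case-insensitive, "#" lines are comments, and directives inside
# a "Match" block are conditional, so scanning stops there.
sshd_setting() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Compare a keyword against the value the guide recommends; prints PASS/FAIL
# and returns 0 on PASS, 1 on FAIL.
sshd_expect() {
    actual=$(sshd_setting "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "PASS $2 = $3"
        return 0
    fi
    echo "FAIL $2 is '${actual:-unset}', expected $3"
    return 1
}

# Run the whole audit on a passwd, shadow and sshd_config file; the return
# status is the number of findings (0 means clean).
audit() {
    findings=0
    for u in $(uid0_accounts "$1"); do
        [ "$u" = "root" ] || { echo "FAIL extra UID 0 account: $u"; findings=$((findings + 1)); }
    done
    for u in $(empty_password_accounts "$2"); do
        echo "FAIL empty password: $u (lock it with: sudo passwd -l $u)"
        findings=$((findings + 1))
    done
    for pair in PermitRootLogin=no PermitEmptyPasswords=no X11Forwarding=no MaxAuthTries=3; do
        sshd_expect "$3" "${pair%=*}" "${pair#*=}" || findings=$((findings + 1))
    done
    return $findings
}

audit "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$SAMPLE_SSHD"
echo "findings: $?"
```

On the sample data the audit reports three findings: the extra UID 0 account, the empty password on `guest`, and `X11Forwarding yes`. The `Match` block's `X11Forwarding no` does not count because it only applies to one user, which is exactly why the global setting is the one to fix.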
  • 2 Replies
  • automaton

    Member
    October 14, 2022 at 3:22 pm

    This is a pretty good guide. The commands should be updated from ‘apt-get’ to just ‘apt’ though. @JBM, your age is showing again. 😂

    • JBMaclemore.eth

      Member
      October 15, 2022 at 4:41 pm

      LOL! I guess I am. Thanks, I’ll get Zombie to update it