Ubuntu Linux Ethereum validator node basic security hardening guide
A basic Ubuntu / Debian hardening guide, with tips to keep your validator box secure. This guide covers Ubuntu 20.04 and 22.04 and Debian 10 and 11.
1. Keep System Up-To-Date
This should be obvious, but keep your Ubuntu box up to date. Log in at least once a week and run updates manually. If an update requires a reboot, check that your clients are healthy before you reboot and again after the box comes back, since a validator that does not come back up is missing attestations. If an update is not a security fix you may want to hold off for a bit until it has been tested by others. If you want a more hands-off approach, install the "unattended-upgrades" package with the second command below (on Ubuntu it is usually already installed and only needs to be enabled through dpkg-reconfigure). With the default Ubuntu configuration it installs updates from the security pocket automatically but not feature updates, and it does not reboot the machine unless you configure it to.
sudo apt update && sudo apt upgrade
sudo apt install unattended-upgrades
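The "only security fixes" distinction above can be checked from a script. The following is an added example, not code from the original guide: it reads the output of `apt list --upgradable` and keeps only the packages that come from a distribution's -security pocket, so a weekly check (or a cron job, via the exit status) can tell security fixes apart from feature updates. The sample listing embedded at the bottom is constructed for offline demonstration and is not output from any real machine.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): list pending upgrades that come
# from a "-security" pocket so security fixes can be told apart from feature
# updates before deciding whether to upgrade this week.
set -u

# security_upgrades_in_list reads `apt list --upgradable` output on stdin and
# prints one line per security update: "<package> <pocket> <new-version>".
# Input lines look like:
#   openssl/jammy-security 3.0.2-0ubuntu1.10 amd64 [upgradable from: 3.0.2-0ubuntu1.9]
security_upgrades_in_list() {
    awk -F'[/ ]' '
        /^Listing/ { next }                          # header line printed by apt
        NF >= 3 && $2 ~ /-security$/ { print $1, $2, $3 }
    '
}

# pending_security_upgrades queries the real package cache (run `apt update`
# first). Exit status: 0 = at least one security update is pending, 1 = none,
# so it can be used directly from cron or a monitoring check.
pending_security_upgrades() {
    local found
    found=$(apt list --upgradable 2>/dev/null | security_upgrades_in_list)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Constructed sample listing for offline demonstration (not real output from
# any particular machine).
SAMPLE_APT_LIST='Listing...
openssl/jammy-security 3.0.2-0ubuntu1.10 amd64 [upgradable from: 3.0.2-0ubuntu1.9]
libssl3/jammy-security 3.0.2-0ubuntu1.10 amd64 [upgradable from: 3.0.2-0ubuntu1.9]
vim/jammy-updates 2:8.2.3995-1ubuntu2.7 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.3]
'

if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_APT_LIST" | security_upgrades_in_list
fi
```

Run it with `--demo` to see the filter applied to the sample, or call `pending_security_upgrades` on a real box; with the sample, only the two -security lines are printed and the -updates line is dropped.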
2. System Accounts
The best place to start is ensuring your user accounts are locked down.
2a. Ensure Only root Has UID of 0
Any account with a UID of 0 has full root privileges regardless of its name, so UID 0 should only belong to the root account. Check which accounts have UID 0 (/etc/passwd is world-readable, so sudo is not strictly needed here):
sudo awk -F: '($3=="0"){print}' /etc/passwd
2b. Ensure no empty passwords
An account with an empty password field can be logged into without any password at all. Even if that account has no special permissions, it gives an attacker a foothold from which to attempt privilege escalation. Make sure every account has a password or is locked (see 2c). The command below prints the accounts whose password field in /etc/shadow is empty; /etc/shadow is readable only by root, which is why it needs sudo:
sudo awk -F: '($2==""){print $1}' /etc/shadow
2c. Lock Accounts
If you find an account with no password and don't want to delete it for fear of breaking something, you can "lock" it. passwd -l prepends a "!" to the password hash in /etc/shadow, which matches no possible password and tells Linux the account is locked. Note that this only disables password authentication; as the usermod man page points out, to lock the account entirely (for example against SSH public-key logins) you should also set its expiry date to 1 with usermod --expiredate, or give it a non-login shell.
sudo passwd -l accountName
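The three checks in 2a, 2b and 2c can be run together. The following is an added example, not code from the original guide: each function takes a file path, so it can be pointed at /etc/passwd and /etc/shadow with sudo or at copies, and the sample files it builds are constructed for demonstration (the hash in them is a placeholder, not a real password hash). The "locked" check is an addition that the guide only describes in prose.

```bash
#!/usr/bin/env bash
# Added example (not part of the original guide): audit passwd/shadow files for
# the conditions in 2a-2c. Functions take file paths so they can be run against
# the real files (with sudo) or against constructed test data without root.
set -u

# uid0_accounts PASSWD: print every user name whose UID field is 0 (2a).
# "$3 == 0" compares numerically, so oddities like "00" are caught too.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# empty_password_accounts SHADOW: users whose password field is empty (2b).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# locked_accounts SHADOW: users whose hash starts with "!" (passwd -l /
# usermod -L) or is "*" (never had a password); neither can log in by password.
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# audit_accounts PASSWD SHADOW: print findings; return 1 if anything was found,
# 0 if the files are clean. root itself is expected to have UID 0.
audit_accounts() {
    local passwd=$1 shadow=$2 findings=0 u
    for u in $(uid0_accounts "$passwd"); do
        [ "$u" = root ] && continue
        echo "UID0: $u"; findings=1
    done
    for u in $(empty_password_accounts "$shadow"); do
        echo "EMPTY-PASSWORD: $u"; findings=1
    done
    return $findings
}

# make_sample_files DIR: constructed sample passwd/shadow (not copied from any
# real system). "backup" has both problems: UID 0 and an empty password.
make_sample_files() {
    local dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
validator:x:1000:1000::/home/validator:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
validator:$6$saltsalt$placeholder.not.a.real.hash:19000:0:99999:7:::
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_files "$tmp"
    audit_accounts "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
fi
```

On a real box run `sudo bash -c '. ./audit.sh; audit_accounts /etc/passwd /etc/shadow'` (the file name is assumed); a non-zero exit status means something needs fixing, which makes it easy to wire into a cron job. The locked-accounts list is the set you should expect to see for system accounts like daemon or www-data.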
2d. Adding New User Accounts
This is standard practice on Ubuntu, but it bears repeating: never operate from the root account. Make sure you have a regular user account for yourself, and run the validator clients under their own unprivileged service accounts. The adduser command below creates a user with the default settings (home directory, shell, initial group) taken from /etc/adduser.conf, and copies the template dotfiles from the /etc/skel directory into the new home directory. /etc/skel holds skeleton files rather than permissions, so edit it if you want every new account to start with the same shell configuration.
sudo adduser accountName
2e. Sudo Configuration
Sudo allows regular users to run commands "as root", or as another user, with elevated permissions. This is the preferred way of making changes to the system: you work as an unprivileged user, escalate only for the commands that need it, and every escalation is logged in auth.log. Sudo is very versatile, with lots of options. Always edit the policy with the "visudo" command (or drop a file into /etc/sudoers.d and check it with visudo -c), because visudo syntax-checks the file before saving it; a syntax error in /etc/sudoers can lock you out of root entirely. Some common options that may help you with security are below, especially the host field and the allowed-commands list. The fields of a sudoers rule, from left to right:
%www – all users of the www group
ALL= – on any host (this field matches the hostname or IP address of the machine sudo is running on, which is useful when one sudoers file is shared across many servers; it does not restrict where the user logged in from)
(ALL) – can run as any user
NOPASSWD: – no password required (omit it to require the user's password)
/bin/cat,/bin/ls – commands that may be run via sudo, in this case "cat" and "ls"
Put together the rule reads "%www ALL=(ALL) NOPASSWD:/bin/cat,/bin/ls". Be careful what you allow, and be careful not to lock your own account out accidentally: running cat as root lets the user read any file on the box, including /etc/shadow and your validator keystore password files, so a restricted command list is only a restriction if none of the listed programs can read, write or spawn a shell as root.
3. The Firewall
iptables (nftables on newer releases) is the standard firewall layer in the *nix world: it's lightweight and very configurable. On Ubuntu and Debian the ufw front-end is the easiest way to manage it, and the commands in this guide use ufw. Set the default policy to deny incoming and allow outgoing, then allow only the ports your execution and consensus clients need for peer-to-peer traffic (check your clients' documentation for their defaults) and, if you need remote administration, SSH. Rules only take effect once the firewall is enabled (ufw enable), and you should confirm the result with ufw status verbose. For example, if you only want local console access to the validator box without remote SSH login, you could close the SSH port with the following command:
sudo ufw deny 22/tcp
4. SSH
This is the largest "hole" in your server setup: it allows remote terminal access to your validator, so it must be locked down and secured as much as possible. All options can be changed in the /etc/ssh/sshd_config file. Two things to know before editing it: sshd uses the first value it finds for each option, and on newer releases (Ubuntu 22.04 among them; look for an Include line at the top of the file) the main file includes /etc/ssh/sshd_config.d/*.conf first, so a drop-in file there (cloud images often ship one) silently overrides anything you set further down in sshd_config. After every change, run sshd -t to check the syntax and sshd -T to print the effective settings, restart the service from a session you keep open, and confirm you can still log in from a second session before closing the first.
4a. Disable root Login
Find the line for "PermitRootLogin" and change it to "no", as below. Use sudo from your own account whenever you need root.
PermitRootLogin no
4b. Allow Specific Users
This line sets which user accounts are allowed to use SSH. It's a good idea to set this to only your own account; every other account, including root and the service accounts your clients run under, is refused before authentication is even attempted. Several names can be listed, separated by spaces.
AllowUsers userName
4c. Change Default Port
Change your default SSH port to something other than 22. This is security through obscurity, since a full port scan will still find it, but the automated bots that hammer port 22 typically probe only the most common ports and move on to save time, so a high port keeps most of that noise (and the auth.log spam) away. It is not a substitute for key-only authentication and the other settings in this section.
!Important! Open the new port on your firewall ("ufw allow 22222/tcp") before restarting sshd, or you will be locked out of remote access. Keep your current session open while you test the new port from a second terminal.
Port 22222
4d. Disable Empty Passwords
You don't want anyone logging in with no password, so fix that here. Better still, once your SSH key is installed and working, disable password authentication altogether (PasswordAuthentication no) so brute-force attempts have nothing to guess.
PermitEmptyPasswords no
4e. Disable X11 Forwarding
A headless validator has no use for forwarding graphical applications over SSH, and leaving it enabled exposes the connecting client's display to a compromised server, so turn it off.
X11Forwarding no
4f. Set a maximum number of tries
Limit the number of authentication attempts permitted per connection; sshd drops the connection once this many have failed, and logs additional failures once the count passes half the limit. This is per connection, so it slows brute forcing rather than stopping it; key-only authentication is what actually stops it.
MaxAuthTries 3
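Sections 3 and 4 together are one procedure whose failure mode is locking yourself out. The following is an added example, not code from the original guide or from any Ethereum client project: it writes the 4a-4f settings (plus PasswordAuthentication no) as a drop-in file, builds the ufw rule set from section 3, and checks that the SSH allow rule comes before ufw enable. The drop-in file name 10-hardening.conf, the port 30303 (execution client p2p) and the port 9000 (consensus client p2p) are assumptions; check your own clients' defaults, and only apply this after your SSH key already works for the named user, since it turns password logins off.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): apply the SSH settings of
# section 4 as a drop-in and build the section 3 firewall rules in an order
# that cannot lock you out. Ports 30303/9000 and the drop-in name are assumed.
set -u

# valid_port N: succeed only if N is an integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_sshd_dropin PORT USER: print the hardening directives from 4a-4f.
# Placed in /etc/ssh/sshd_config.d/10-hardening.conf (name assumed) it sorts
# before a cloud-init drop-in and, because sshd keeps the first value it sees
# for each option, wins over anything later in sshd_config.
render_sshd_dropin() {
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    printf 'Port %s\nPermitRootLogin no\nAllowUsers %s\nPermitEmptyPasswords no\nX11Forwarding no\nMaxAuthTries 3\nPasswordAuthentication no\n' "$1" "$2"
}

# plan_firewall SSH_PORT EL_PORT CL_PORT: print the ufw commands in a safe
# order: defaults first, the SSH rule before `ufw enable`. "limit" instead of
# "allow" rate-limits connection attempts to the SSH port.
plan_firewall() {
    local ssh=$1 el=$2 cl=$3 p
    for p in "$ssh" "$el" "$cl"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit $ssh/tcp comment 'ssh (rate-limited)'
ufw allow $el/tcp comment 'execution client p2p'
ufw allow $el/udp comment 'execution client discovery'
ufw allow $cl/tcp comment 'consensus client p2p'
ufw allow $cl/udp comment 'consensus client discovery'
ufw --force enable
EOF
}

# plan_is_lockout_safe SSH_PORT: read a plan on stdin and succeed only if an
# allow/limit rule for SSH_PORT/tcp appears before the `ufw enable` line.
plan_is_lockout_safe() {
    awk -v port="$1" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") && $3 == port "/tcp" { seen = 1 }
        $0 ~ /^ufw (--force )?enable$/ { exit (seen ? 0 : 1) }
        END { if (!seen) exit 1 }
    '
}

# apply_ssh_hardening SSH_PORT USER EL_PORT CL_PORT: run as root from a session
# you keep open. Writes the drop-in, syntax-checks the whole sshd config, opens
# the firewall, and only then restarts sshd.
apply_ssh_hardening() {
    local ssh=$1 user=$2 el=$3 cl=$4 conf=/etc/ssh/sshd_config.d/10-hardening.conf
    render_sshd_dropin "$ssh" "$user" > "$conf" || return 1
    sshd -t || { echo "sshd config invalid, not restarting" >&2; return 1; }
    plan_firewall "$ssh" "$el" "$cl" | plan_is_lockout_safe "$ssh" || return 1
    plan_firewall "$ssh" "$el" "$cl" | sh -e
    systemctl restart ssh
    echo "Now log in on port $ssh from a second terminal before closing this one."
}

if [ "${1:-}" = "--demo" ]; then
    render_sshd_dropin 22222 validator
    plan_firewall 22222 30303 9000
fi
```

Run with `--demo` to print the drop-in and the rule plan without touching the system; `apply_ssh_hardening 22222 validator 30303 9000` does the real work. The old `allow 22/tcp` rule, if you had one, is deliberately left alone: delete it only after the new port has been confirmed from a second session.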
More useful commands
1. Display All Current Connections, Listening Services, and Processes Handling Them
Your best friend for Linux server administration. netstat is deprecated and no longer installed by default on recent Ubuntu releases; the ss command from iproute2 (ss -tulpn) takes the same flags. Run it with sudo so the process column is filled in for every socket, and compare the listening ports with your firewall rules: anything bound to 0.0.0.0 or :: that you did not expect, such as a client's RPC/API port or a metrics exporter, should be bound to localhost or blocked by the firewall.
netstat -tulpn
2. Display Services and Their Status
This will list all services on the system and their status (on the systemd releases covered here, systemctl list-units --type=service gives the same information with more detail):
service --status-all
Or to only show running services use grep:
service --status-all | grep "[ + ]"
3. Install RKHunter to scan for common rootkits
rkhunter compares system binaries, kernel modules and well-known rootkit file paths against its database. Run it once right after installation, while the box is known-good, so that its file-property baseline is trustworthy, and rerun it after updates (run rkhunter --propupd after a legitimate package upgrade, otherwise it will flag the changed binaries). The scan is -c (--check); the capital -C only checks rkhunter's own configuration. A rootkit on the same host can hide from a scanner running on that host, so treat a clean result as "nothing obvious", not as proof.
sudo apt-get install rkhunter
sudo rkhunter -c
4. Log Locations
Below are the common default log locations. Note that several paths often listed online (/var/log/messages, /var/log/secure, /var/log/maillog, /var/log/mysqld.log) are Red Hat conventions; on Ubuntu and Debian the rsyslog defaults are:
/var/log/syslog – whole-system log and current activity (the Debian/Ubuntu equivalent of /var/log/messages).
/var/log/auth.log – authentication logs: every SSH login, failed attempt and sudo invocation (the equivalent of /var/log/secure).
/var/log/kern.log – kernel logs.
/var/log/cron.log – cron job logs; not written by default on Ubuntu/Debian, where cron messages go to /var/log/syslog unless the cron facility is enabled in the rsyslog configuration.
/var/log/mail.log – mail server logs.
/var/log/boot.log – system boot log.
/var/log/mysql/error.log – MySQL/MariaDB server log, if installed.
/var/run/utmp, /var/log/wtmp and /var/log/btmp – current logins, login history and failed logins; these are binary files, read with who, last and lastb rather than cat.
/var/log/apt – apt package manager logs (history.log shows what was installed and when).
On all the releases covered here systemd-journald also keeps a journal; journalctl -u ssh, or journalctl -u followed by your client's unit name, is usually the quickest way to see what a service is doing.
Please note this is a very basic security guide and server management primer and will not protect you from sophisticated attackers. These basic practices should slow them down and keep you from being an easy target. Hope this helps keep your validator safe and secure!
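As a final added example for the log locations above (not code from the original guide), here is the kind of check auth.log is for: count failed SSH logins per source address and flag any address over a threshold, which is also how you notice that a port change or AllowUsers setting did what you expected. The log lines embedded in the block are constructed to match the sshd format and are not from a real server; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): pull failed SSH logins out of
# auth.log, count them per source address, and flag addresses over a threshold.
set -u

# failed_ssh_by_ip [THRESHOLD]: read auth.log lines on stdin and print
# "<count> <ip>" for each source with at least THRESHOLD failures (default 1),
# most active first. Matches both "Failed password for <user>" and
# "Failed password for invalid user <user>" (unknown account names).
failed_ssh_by_ip() {
    local threshold=${1:-1}
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -rn
}

# ssh_failure_summary [THRESHOLD] [LOGFILE]: the same against the real log
# (auth.log is root-readable, so run with sudo). Returns 1 if any source
# crossed the threshold so it can drive a cron job or an alert.
ssh_failure_summary() {
    local out
    out=$(failed_ssh_by_ip "${1:-10}" < "${2:-/var/log/auth.log}")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample auth.log excerpt (not from a real machine): one address
# guessing passwords, one legitimate key login followed by a single typo.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 node sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Mar  3 10:01:15 node sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Mar  3 10:01:19 node sshd[2315]: Failed password for root from 203.0.113.5 port 51430 ssh2
Mar  3 10:02:02 node sshd[2320]: Accepted publickey for validator from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Mar  3 10:02:40 node sshd[2331]: Failed password for validator from 198.51.100.7 port 40030 ssh2
Mar  3 10:03:05 node sudo: validator : TTY=pts/0 ; PWD=/home/validator ; USER=root ; COMMAND=/usr/bin/apt update
'

if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_AUTH_LOG" | failed_ssh_by_ip 2
fi
```

With the sample and a threshold of 2, only `3 203.0.113.5` is reported; the single failure from the legitimate address stays below the line. On a live box, `sudo bash -c '. ./sshfail.sh; ssh_failure_summary 10'` (file name assumed) is enough for a daily cron check, and the addresses it reports are candidates for a ufw deny rule.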