Validator Security Tips
Helpful information to keep your validating node secure
This section will teach you how to improve the security of your validator. As a validator you play a crucial role in securing and decentralizing the Harmony network. The security of the network is the sum of every validator's security, so it is very important that every single link in the chain is as secure as possible.
Depending on your configuration, the BLS key may sit on your validator server, possibly together with the password that decrypts it (for example so that your node can be restarted automatically). In that case it is strongly recommended to secure access to your validator as much as possible.
Using 2FA and other security measures can substantially improve the overall security of your validator. The state of the art for 2FA is a hardware security module (HSM) such as a YubiKey.
Very important: it is highly recommended to register two YubiKeys so that you are not locked out if one YubiKey is lost, stolen, or breaks.
If you find a YubiKey too expensive, other 2FA methods can be used, for example your phone or an authenticator app.
Very important: SMS-based 2FA is not secure and not recommended, because an attacker who hijacks your smartphone’s SIM can redirect the two-factor notifications to their own device.

What are and why use HSM modules?

Hardware Security Modules (HSMs) generate, manage and store the cryptographic keys required to authenticate a user or device in a broader network. Malware attacks and remote extraction of private keys are much more difficult when an HSM is configured properly. When the private key on your validator is protected only by a password, an attacker can simply copy the key and sign malicious transactions or produce double signs, which can result for example in stake slashing or other unwanted operations on your node. By using two-factor authentication (2FA) together with an HSM, you strengthen the authentication on your Virtual Private Server (VPS). There are many options for 2FA, but it is recommended to use an HSM such as a YubiKey. Better still, authenticate with a certificate in combination with the HSM and disable password login altogether.

How can I secure the access to my VPS better?

1. Add two-factor authentication to your VPS provider account if it supports it.

Serious VPS providers already offer this, including the use of an HSM such as a YubiKey. This guide focuses on Vultr, but YubiKey activation is documented by other VPS providers as well, e.g. Hetzner: https://wiki.hetzner.de/index.php/KonsoleH:Zwei-Faktor-Authentifizierung/en
Activate 2FA with YubiKey for Vultr
In order to use YubiKey authentication, you need one of Yubico’s YubiKey USB devices. Next, log in to your Vultr account and click Account -> Authentication -> Manage Two Factor Auth: https://my.vultr.com/settings/twofactor/
Under Add new authentication method, select YubiKey, enter a description of your choice in the next field, then click Add.
On the next page, make sure your YubiKey is plugged into one of the USB ports on your computer. Click into the text field that is presented, then press the button(s) on your YubiKey, or touch the edge of the device if you’re using a YubiKey Nano, then click Update.
On the next page, repeat the previous step to enter a secondary token, then click Update.
When you are finished, log out of your Vultr account and attempt to log back in. You will be asked to enter an authentication code: insert the YubiKey into one of your computer’s USB ports and either press the button(s) or touch the edge of the device.

2. Create an SSH public/private key pair for your VPS and assign the public key to the VPS.

On Windows you can use, for example, PuTTYgen to generate your SSH key pair. Setting a passphrase is advisable, as it adds another layer of protection if your private key file is ever compromised.
Popular algorithms for SSH keys:
RSA: security depends on the key size. A length of 3072 bits, or better 4096 bits, is recommended; 1024-bit keys are considered unsafe.
Ed25519: the most recommended public-key algorithm available today, but check whether your cloud provider (e.g. Vultr, Hetzner, AWS) supports it.
To generate the SSH keys on macOS or Linux, open a Terminal and run the command below (-b 4096 requests the 4096-bit length recommended above):
    ssh-keygen -t rsa -b 4096
If your VPS provider does not install the SSH key automatically when the server is created, you can add your key to the server manually later on:
    ssh-copy-id -i ~/.ssh/<your-key> <your-username>@<your-hostname>
Then, on your server, edit the sshd_config file to disable password authentication:
    ChallengeResponseAuthentication no
    PasswordAuthentication no
    PermitEmptyPasswords no
    UsePAM no
Restart the sshd service:
    service sshd restart
Log in to your server using your SSH key:
    ssh -i ~/.ssh/<your-key> <your-username>@<your-hostname>

3. Use your SSH private key, not a password, to authenticate on your VPS

4. If you received a root password after creating your VPS, change it

    passwd
Make sure to back up this password and be mindful of where you store it so that it cannot be stolen.
Very important: for holding passwords, keywords, etc., an encrypted hardware device or a paper wallet is recommended. It is not recommended to keep passwords or keywords in hot storage such as your personal computer or notebook.

5. Once logged in, update your OS

For Debian-based systems like Ubuntu or Debian, use the command below:
    sudo apt-get update && sudo apt-get upgrade
For Amazon Linux, use the command below:
    sudo yum update

6. Create a separate user from root for your application

It is not recommended to work directly as the root user on your VPS. Therefore create a new user:
    adduser <your-username>
Add the newly created <your-username> user to the sudo group:
    adduser <your-username> sudo
You can switch to the new user with the following command:
    sudo -u <your-username> -i

7. Create the necessary setup so that the newly created user can log in using a certificate

    sudo mkdir -p "/home/<your-username>/.ssh"
    sudo chmod 0700 "/home/<your-username>/.ssh"
    sudo chown "<your-username>:<your-username>" "/home/<your-username>/.ssh"
Add the public key to your newly created user:
    sudo nano "/home/<your-username>/.ssh/authorized_keys"
    sudo ls "/home/<your-username>/.ssh" -l
    sudo chown "<your-username>:<your-username>" "/home/<your-username>/.ssh/authorized_keys"
    sudo chmod 0600 "/home/<your-username>/.ssh/authorized_keys"

8. Set up YubiKey 2FA on Debian-based systems like Ubuntu and strengthen the general authentication

First add the PPA and install the library:
    sudo add-apt-repository ppa:yubico/stable
    sudo apt-get update
    sudo apt-get install libpam-yubico
Let’s add the PAM settings for SSH:
    sudo nano /etc/pam.d/sshd
Add the following line at the top to enable the module:
    auth sufficient pam_yubico.so id=[Your API Client ID] key=[Your API Client Key] authfile=/etc/yubikey_mappings
You can use the following link to obtain the API Client ID and the API Client Key: https://upgrade.yubico.com/getapikey/
To improve security, comment out the following line:
    @include common-auth
This way the YubiKey is required to authenticate, with no fallback to entering a password.
Save the file and exit -> press Ctrl+X and then press “y”
The next step is to create a mapping file that defines which YubiKey device is assigned to which user of your VPS.
The mapping file contains users and YubiKey identifiers. The YubiKey identifier is always the first 12 characters of the token the YubiKey generates: tap your YubiKey to emit a token and take its first 12 characters. If you have multiple YubiKeys you can add several identifiers for one user.
    sudo nano /etc/yubikey_mappings
Add the mappings for each user:
    <user1>:<first 12 characters of yubikey1>:<first 12 characters of yubikey2>
    <user2>:<first 12 characters of yubikey1>
Save the file and exit -> press Ctrl+X and then press “y”
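The identifier extraction and the mapping-file format described above, as an added example that is not part of the Harmony docs: the first function cuts the 12-character public identity out of a 44-character modhex token, the second checks an /etc/yubikey_mappings file for malformed entries before sshd is reconfigured to depend on it. The sample token and the user names are constructed, not from a real key.

```shell
# Added example (not part of the Harmony docs): derive the 12-character YubiKey
# identifier from a token the key typed, and validate an /etc/yubikey_mappings
# file (user:id1:id2 lines) before relying on it for SSH logins.

# A YubiKey OTP is 44 modhex characters (alphabet cbdefghijklnrtuv); the first
# 12 are the public identity that pam_yubico's authfile expects.
yubikey_public_id() {  # $1 = OTP exactly as the key typed it
    case "$1" in
        ''|*[!cbdefghijklnrtuv]*) echo "not a modhex token" >&2; return 1 ;;
    esac
    [ "${#1}" -eq 44 ] || { echo "OTP must be 44 characters" >&2; return 1; }
    printf '%s\n' "$1" | cut -c1-12
}

# Validate a mappings file: every non-comment line is user:id[:id...] and every
# id is exactly 12 modhex characters. Returns the number of bad lines.
check_yubikey_mappings() {  # $1 = mappings file
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        user=${line%%:*}; ids=${line#*:}
        if [ "$user" = "$line" ] || [ -z "$user" ] || [ -z "$ids" ]; then
            echo "BAD (missing user or ids): $line"; bad=$((bad + 1)); continue
        fi
        for id in $(printf '%s' "$ids" | tr ':' ' '); do
            case "$id" in
                *[!cbdefghijklnrtuv]*) ;;                       # not modhex
                *) [ "${#id}" -eq 12 ] && continue ;;            # good id
            esac
            echo "BAD (id '$id' is not 12 modhex chars): $line"
            bad=$((bad + 1)); break
        done
    done < "$1"
    return "$bad"
}

# Constructed sample OTP (not from a real key) and a mappings file with a typo.
SAMPLE_OTP=ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded
MAPPINGS=$(mktemp)
cat > "$MAPPINGS" <<'EOF'
# user:yubikey1[:yubikey2]
harmony:ccccccbcgujh:ccccccdhgfke
backup:ccccccbcguj
EOF
yubikey_public_id "$SAMPLE_OTP"                    # prints ccccccbcgujh
check_yubikey_mappings "$MAPPINGS" || echo "$? bad line(s)"
```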
The next step is to update the sshd_config file so that sshd authenticates via public key and PAM:
    sudo nano /etc/ssh/sshd_config
The following changes need to be made:
  • Enable challenge-response authentication by changing its value to “yes”:
    ChallengeResponseAuthentication yes
  • Add a new line that sets AuthenticationMethods so that, for each user, the public key must be valid first and then the YubiKey token:
    AuthenticationMethods publickey,keyboard-interactive:pam
  • Set UsePAM to yes.
  • Disable password authentication by removing the “#” in front of the PasswordAuthentication line and changing its value from yes to no.
  • Disable root login: if you have created a separate user for your application, deployments, etc., you can also disable SSH access for the root user, which adds an extra layer of security to your VPS. Find the PermitRootLogin line, remove the comment sign “#” from its beginning and set the value to no.
  • Change your SSH port from 22 to another one, for example 2225. Don’t use any of the ports in this list, as they are already in use: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Example sshd_config file; take it only as a reference for the security changes and don't copy it as-is:
    # $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options override the
    # default value.

    Port 2225
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key
    #HostKey /etc/ssh/ssh_host_ed25519_key

    # Ciphers and keying
    #RekeyLimit default none

    # Logging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:
    AuthenticationMethods publickey,keyboard-interactive:pam


    #LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #PubkeyAuthentication yes

    # Expect .ssh/authorized_keys2 to be disregarded by default in future.
    #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

    #AuthorizedPrincipalsFile none

    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    #PermitEmptyPasswords no

    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PermitTTY yes
    PrintMotd no
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS no
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    #VersionAddendum none

    # no default banner path
    #Banner none

    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*

    # override default of no subsystems
    Subsystem sftp /usr/lib/openssh/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #	X11Forwarding no
    #	AllowTcpForwarding no
    #	PermitTTY no
    #	ForceCommand cvs server
Save the file and exit -> press Ctrl+X and then press “y”
Finally, restart the sshd service to apply the settings:
    service sshd restart
Test the configuration. It is recommended to keep the current session open: if something went wrong, you will still have access to your VPS and be able to make changes.
Open a new SSH connection and check that the login with certificate and YubiKey works. First the certificate is used, then you are prompted for the YubiKey; tap your YubiKey to enter your token and log in.
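A check for the sshd_config changes from step 8, as an added example that is not part of the Harmony docs: it reads a config file the way sshd does (first uncommented occurrence of a keyword wins) and reports every hardening setting that is missing or wrong, so you can run it before restarting sshd. The sample config is constructed for the demonstration.

```shell
# Added example (not part of the Harmony docs): audit an sshd_config for the
# step 8 hardening settings. Only the first uncommented occurrence of a keyword
# counts, which matches how sshd resolves duplicate directives.

# Print the effective value of a keyword (case-insensitive match, comments
# ignored); prints nothing if the keyword is not set.
sshd_opt() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Check every setting step 8 requires, print a FAIL line per mismatch and
# return the number of failed checks (0 means fully hardened).
audit_sshd_config() {  # $1 = config file
    fails=0
    for pair in \
        PasswordAuthentication=no \
        ChallengeResponseAuthentication=yes \
        UsePAM=yes \
        PermitRootLogin=no \
        AuthenticationMethods=publickey,keyboard-interactive:pam
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_opt "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: got '${got:-unset}', want '$want'"
            fails=$((fails + 1))
        fi
    done
    port=$(sshd_opt "$1" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL Port: sshd still listens on the default port 22"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: the PasswordAuthentication line was left commented out.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 2225
AuthenticationMethods publickey,keyboard-interactive:pam
PermitRootLogin no
#PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
audit_sshd_config "$SAMPLE_CFG" || echo "$? check(s) failed"
```

Run it against /etc/ssh/sshd_config on the server after editing; a clean run prints nothing and returns 0.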
9. Install fail2ban to reduce brute-force attacks

    sudo apt-get install -y fail2ban
Start and enable the service:
    sudo systemctl start fail2ban
    sudo systemctl enable fail2ban
It is recommended to keep your own configuration in a separate jail.local file. First copy the basic configuration jail.conf to jail.local; settings in jail.local override the original settings in jail.conf.
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the file jail.local:
    sudo nano /etc/fail2ban/jail.local
Enter your desired configuration, for example:
    [sshd]
    enabled = true
    port = 22
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 5
This configuration bans an IP address after 5 failed SSH login attempts against port 22. If you changed the SSH port in step 8 (for example to 2225), set port to that value so the jail watches the port sshd actually uses.
Save and close the file -> press Ctrl+X and then press “y”
Restart fail2ban to activate the settings:
    sudo systemctl restart fail2ban
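What the [sshd] jail above counts, replayed over log lines, as an added example that is not part of the Harmony docs or of fail2ban itself: the function tallies sshd "Failed password" events per source address in an auth.log-style file and lists the addresses that reached maxretry. The log lines and addresses are constructed (RFC 5737 documentation ranges); unlike fail2ban, this replay ignores the findtime window.

```shell
# Added example (not part of the Harmony docs): replay what the [sshd] jail
# does against constructed auth.log lines, to see which source addresses reach
# maxretry. fail2ban also limits the count to a findtime window; this does not.

# Count sshd "Failed password" events per source IP in an auth.log-style file
# and print "<ip> <count>" for each address that reached $2 failures.
fail2ban_candidates() {  # $1 = log file, $2 = maxretry
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
    ' "$1" | sort
}

# Constructed sample log: 203.0.113.7 fails five times, 198.51.100.4 once.
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Jan  5 10:01:01 node sshd[1201]: Failed password for root from 203.0.113.7 port 40211 ssh2
Jan  5 10:01:03 node sshd[1201]: Failed password for root from 203.0.113.7 port 40211 ssh2
Jan  5 10:01:05 node sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40215 ssh2
Jan  5 10:01:06 node sshd[1205]: Accepted publickey for harmony from 198.51.100.4 port 51022 ssh2: ED25519 SHA256:placeholder
Jan  5 10:01:08 node sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40215 ssh2
Jan  5 10:01:09 node sshd[1207]: Failed password for harmony from 198.51.100.4 port 51030 ssh2
Jan  5 10:01:11 node sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40215 ssh2
EOF
fail2ban_candidates "$AUTH_LOG" 5     # prints: 203.0.113.7 5
```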
10. Configure the system firewall with iptables

More about it can be found here: https://www.tecmint.com/linux-iptables-firewall-rules-examples-commands/

11. Monitor and manage your system and processes using htop

Install htop:
    sudo apt-get install htop
Run htop:
    htop

12. Deactivate VNC (Contabo)

Some cloud providers (such as Contabo) have the VNC option activated by default. It is recommended to disable it if you don't use it.
[Screenshot: the VNC option disabled]