Helpful information to keep your validating node secure
This section will teach you about improving the security of your validator. As a validator you play a crucial role in securing and decentralizing the Harmony network. The security of the network is compounded as a sum of all validator's security. Therefore is very important that every single piece in the chain is as secure as possible.
Depending on your configuration, if you have the BLS key on your validator server and maybe also the password to decrypt it, for example in order to restart your node automatically, it is strongly recommended that you secure the access to your validator as much as possible.
Using 2FA and other security measures can substantially improve the overall security of your validator. The state of the art for 2FA is to use a HSM module like YubiKey.
Very important: it is highly recommended to have two YubiKeys associated to ensure one is not locked out in case a YubiKey is lost, stolen, or breaks.
In case you find YubiKey an expensive solution, other methods for 2FA can be used, like your phone or authenticator apps for example.
Very important: Be aware that SMS based 2FA authentication methods are not secure and not recommended as one could hijack your smartphone’s SIM. Doing this hackers can redirect any two-factor notifications to their own devices.
Hardware Security Modules (HSMs) generate, manage and store the secure cryptographic keys that are required for authenticating an user or device in a broader network. Malware attacks and remote extraction of private keys are much more difficult when a HSM module is configured properly. When you have your private key on your validator that is secured only by a password, an attacker can simply copy your private key and sign malicious transactions or generate double signs which can result for example in stake slashing or other unwanted operations on your node. By using Two-Factor Authenticator (2FA) and HSM module, you are strengthening the authentication on your Virtual Private Server (VPS). There are many options for 2FA but is recommended that you actually use a HSM module like YubiKey for this. Even better would be to use certificate in combination with a HSM module in order to authenticate and disable password login.
Serious VPS providers allow this already and also to use a HSM module like YubiKey. This guide focuses on Vultr but the documentation for YubiKey activation can be found in the documentation of different VPS providers, e.g. Hetzner: https://wiki.hetzner.de/index.php/KonsoleH:Zwei-Faktor-Authentifizierung/en
Activate 2FA with YubiYey for Vultr
In order to use YubiKey Authentication, you need any of Yubico’s Yubikey USB devices. Next, you would need to login to your Vultr Account: Click Account -> Authentication -> Manage Two Factor Auth: https://my.vultr.com/settings/twofactor/
Under Add new authentication method, select YubiKey, enter a description of your choice in the next field, then click Add.
In the next page, you will need to make sure your YubiKey device is plugged into one of your USB Ports on your computer. You will be presented with a text field in which you need to click, then press the button(s) on your YubiKey Device, or touch the edge of the device if you’re using a YubiKey Nano, then click Update.
In the next page, you will need to repeat the previous step to re-enter a secondary token, then click Update.
When you are finished, log out of your Vultr account. Then attempt to log back in. You will be asked to enter an authentication code. Insert the YubiKey device in one of your computer’s USB ports, and either press the button(s) or touch the edge of the device.
On Windows you can use for example PuttyGen to generate your SSH Public-Private Key pair. Setting a passphrase is advisable as it offers another layer of security if your ssh keys will be compromised.
Popular algorithms for creating SSH Keys:
RSA: It depends on key size. It is recommend to have 3072 or even better 4096-bit length. The 1024-bit length is considered unsafe.
Ed25519: It’s the most recommended public-key algorithm available today but you have to check with the cloud provider, e.g. Vultr, Hetzner, AWS if is supporting this.
To generate the SSH keys on macOS or Linux, use the Terminal and the command below.
If your VPS doesn't support automatically the SSH authentification at the creation, you can add manually your SSH key to your server later on.
Then, on your server, edit the "sshd_config" file to disable the password authentification.
Restart the sshd service.
Login to your server using your ssh key.
Make sure to back-up this password and also be aware where you place it so that it won’t get stolen.
Very important: For holding passwords, keywords, etc. an encrypted hardware device and paper wallets are recommended. It is not recommended to hold passwords or keywords on a hot storage like your personal computer or notebook.
For Debian based systems like Ubuntu or Debian use the command below:
For Amazon Linux use the command below:
It is not recommended to use directly the root user on your VPS. Therefore create a new user:
Add the newly created <your-username> user to the sudo group:
You can switch to the new user with the following command:
Add the public key to your new created user
First add the PPA and install the library.
Let’s add pam settings for SSH.
Add the following line at the top to enable the module:
You can use the following link in order to get the API Client ID and the API Client Key: https://upgrade.yubico.com/getapikey/
To improve the security you should comment the following line out:
This way the YubiKey is required to authenticate without a possibility to fall back to providing the password.
Result:
Save the file and exit -> press Ctrl+X and then press “y”
Next step is to create a mapping file where you define which YubiKey device is assigned to which user of your VPS.
The mapping file contains users and YubiKey identifiers. The YubiKey identifiers are always the first 12 characters of the generated YubiKey token. In order to generate the YubiKey token you just tap your YubiKey. Then you select its first 12 characters. In case you have multiple YubiKeys you can also add multiple.
Add the mappings for each user:
Save the file and exit -> press Ctrl+X and then press “y”
Next step is to update sshd_config file to authenticate via public key and pam.
Following changes need to be made:
Enable challenge response authentication by changing it to “yes”
ChallengeResponseAuthentication yes
Add a new line that sets the Authentication Methods to require first the public key to be valid and then the YubiKey token for each user.
AuthenticationMethods publickey,keyboard-interactive:pam
UsePAM yes
Disable the password authentication by removing “#” in front of this line:
PasswordAuthentication and set the value from yes to no
Disable root authentication - if you have created a separate user for your application, deployments, etc. you can also disable the SSH root user access, which will add an extra layer of security to your VPS. Find the line PermitRootLogin, remove the comment sign “#” from the beginning of it and set the value to no
Change your SSH port from 22 to another one, for example 2225.
Don’t use any of the ports in this list: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers , as they are already being used.
Example sshd_config file - take it only as reference to see the security changes and don't copy it!
Save the file and exit -> press Ctrl+X and then press “y”
Finally restart the sshd service to update the settings.
Test the configuration It is recommended to keep the current session active. In case something went wrong, you will still have access to your VPS and be able to make changes.
Create a new ssh connection and check if the SSH login with certificate and YubiKey works. First the certificate will be used and then you will be prompted for YubiKey. Once this is the case just tap your YubiKey to enter your token and login.
Example:
9. Install fail2ban to reduce brute force attacks
Start and enable the service
It is recommended to use a separate jail.local file to actually read your own configuration. For that first you have to copy the basic configuration jail.conf to the local one jail.local. The new file jail.local will override the original settings in jail.conf.
Edit the file jail.local
This configuration will block an IP address that is being used to log into your VPS via SSH, port 22 and fails for 5 times.
Save and close the file -> press Ctrl+X and then press “y”
Restart fail2ban to activate the settings
10. Configure system firewall with IPtables More about it can be found here: https://www.tecmint.com/linux-iptables-firewall-rules-examples-commands/ 11. Monitor and manage your system and process by using htop
Install htop
Run htop
11. Deactivate VNC (Contabo)
Some cloud providers (such as Contabo) have the VNC option activated by default. It is recommended to disable it if you don't use it.