Enhance Your Node Security

Have you ever experienced a bandwidth usage spike alert? Monthly bandwidth usage exceeded?
One of the reasons is maybe your node is under DDoS or hacker attack.
You can check login attempts by command: journalctl -u ssh. If you see a long list, then you may want to consider increasing your node security.

Although there is basically nothing to be stolen from your node, it is always a good practice to make your node more secure. This will save your monthly bandwidth as well so you do not need to pay more for your VPS.

I would like to share my practices in making my nodes more secure. This may sound over-protected, but, why not.

  1. Login with SSH key only

  2. Prohibit root login with password

    sed --in-place 's/#PermitRootLogin.*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
    
  3. Change default SSH Port to other numbers (default = 22)

    sshport="<your new sshport>"
    # Takes effect only after sshd is restarted; allow the new port in the firewall (step 4) first
    sed --in-place "s/#Port 22.*/Port $sshport/g" /etc/ssh/sshd_config
    
  4. Activate Firewall
    This action is included if you use installation tool ALLinONE-nknode from no112358
    However you need to change firewall to allow your new SSH port and disable the default one.

    ufw allow "$sshport"
    ufw delete allow 22
    ufw reload
    
  5. Install Fail2ban

    #Install fail2ban
    apt-get update && apt-get upgrade
    apt install fail2ban -y
    
  6. Install unattended-upgrades (auto-upgrade) for security packages. I choose weekly because I don't want to interrupt mining too often.

    #Install unattended-upgrades
    apt install unattended-upgrades
    
    #Change upgrade schedule to weekly
    cat > /etc/apt/apt.conf.d/20auto-upgrades <<EOF
    APT::Periodic::Update-Package-Lists "7";
    APT::Periodic::Unattended-Upgrade "7";
    APT::Periodic::Download-Upgradeable-Packages "7";
    APT::Periodic::AutocleanInterval "7";
    EOF
    
    #Test
    unattended-upgrades --dry-run --debug
    

If you want to try these out, please make sure you don’t lock yourself out!!
Always try to log in before you close your working terminal after you change the setting.

Please share with me if you have suggestions to increase security.
Here is my NKN-commercial installation script if you want to have a look.

Good luck and Happy Mining.

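An added example (not part of the original post or the author's script): the sed commands in steps 2 and 3 only rewrite lines that are still commented out, so on an image that already ships `Port 22` or `PermitRootLogin yes` uncommented they change nothing. This bash sketch audits a config file for that case; the function names, port 2222 and the sample config are constructed, and Include files and Match blocks are not evaluated.

```bash
#!/usr/bin/env bash
# Added example: check whether the sshd_config edits from steps 1-3 took effect.
# Simplification: Include files and Match blocks are not evaluated.

# Print the effective value of keyword $2 in file $1. sshd uses the FIRST
# uncommented occurrence of a keyword; default $3 applies when none is set.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }    # commented-out lines have no effect
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_sshd() {
    local cfg="$1" n=0 v
    v=$(sshd_value "$cfg" Port 22)
    if [ "$v" = 22 ]; then echo "Port is still 22"; n=$((n + 1)); fi
    v=$(sshd_value "$cfg" PermitRootLogin prohibit-password)
    case "$v" in
        prohibit-password|without-password|forced-commands-only|no) ;;
        *) echo "PermitRootLogin is $v"; n=$((n + 1)) ;;
    esac
    # Assumption: "SSH key only" (step 1) means PasswordAuthentication no.
    v=$(sshd_value "$cfg" PasswordAuthentication yes)
    if [ "$v" != no ]; then echo "PasswordAuthentication is $v"; n=$((n + 1)); fi
    return "$n"
}

# Apply the two sed edits from the post to file $1 (2222 is a constructed port).
apply_post_edits() {
    sed --in-place 's/#PermitRootLogin.*/PermitRootLogin prohibit-password/g' "$1"
    sed --in-place "s/#Port 22.*/Port 2222/g" "$1"
}

# Constructed sample: an image that ships these settings already uncommented,
# so neither sed pattern matches and the file is left unchanged.
demo() {
    local cfg rc=0
    cfg=$(mktemp)
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#PasswordAuthentication yes' > "$cfg"
    apply_post_edits "$cfg"
    audit_sshd "$cfg" || rc=$?
    rm -f "$cfg"
    return "$rc"
}

demo || echo "findings: $?"
```

On a live node, `sshd -T` prints the configuration sshd actually resolves, including Include files, and is the authoritative check.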

Hello @Durianpool !

Thanks for your explanations, security is an important topic and your advice is common sense!
I just have a question … I saw that your script is based on @no112358’s one … Wouldn’t you rather propose a commit on this one so it’s more convenient for new miners when it comes to easy install?

Also, if you agree, I would love to see your security tutorial in the wiki, linux install section!

Best

I’ll check stuff out and try to incorporate them into my script. thanks for this

holy shit it took me waaay too long to set up SSH keys and figure out how to connect to the server after the deployment. Now I know how to lol

This script works great!