Sei Validators — Security 101 — Hardening server login
We often talk about using a sentry nodes as a good barrier against DDoS attacks that a Cosmos Node might be facing.
But, what about the non-cosmos related things that we have to secure in our nodes? Even if you are just taking part of a testnet, it is always a good idea to take care of your node in the testnet as if it were already a mainnet node. Thus, you can test out the things you will be willing to do to turn your Linux node into a safe one.
Everybody has to master Linux node operation since the security of the whole network is a team’s effort where everyone has to contribute.
Disabling Root Logins and Password Based Logins
First of all, it is very common to see that node renting services do not create a normal user, but a root one, giving then the permissions / password of that user. It is way safer to log in to your linux box with a normal user. To do so, create a normal user with this command:
adduser seiuser (it will ask for a password for that user)
Once that is done, we might want to add that user to the sudoers group of that box, which ensures that, if needed, we can just operate as if we were root:
usermod -aG sudo seiuser
Now we are going to disable SSH password authentication and use SSH keys only. Create a new SSH key pair on your local machine. Run this on your local machine from which you intend to connect to your Sei node. You will be asked to type a file name in which to save the key. This will be your keyname. Make a safe copy of this file!
ssh-keygen -t ed25519
Once that is done, push that keyname file to the Sei node with this:
ssh-copy-id -i $HOME/.ssh/keyname.pub seiuser@public-ip-address-of-your-Sei-node
Now try to login to your Sei node:
ssh seiuser@public-ip-address-of-your-Sei-node
Now, let’s disable root login and password-based logins, since we are moving to a keyname based login. Edit the /etc/ssh/sshd_config file:
sudo nano /etc/ssh/sshd_config
Now find this line and change it to no:
ChallengeResponseAuthentication no
And change this Password setting to no as well:
PasswordAuthentication no
Now let’s ban root user from login in the very same sshd_config file:
PermitRootLogin no
Last but not least:
PermitEmptyPasswords no
Now find the line where SSH Daemon port is specified. We will use one different from 22, the standard one:
Port port number
Any value between 1024 and 49000ish will do the trick
Now, verify that the settings are fine, without applying them:
sudo sshd -t
If no errors showed, not apply them:
sudo service sshd reload
Log out and check that everything went just fine:
ssh seiuser@public-ip-address-of-your-Sei-node -p <custom port number>
Preventing Login Brute Force Attacks
Another optional setting is installing fail2ban. Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.
To install it execute:
sudo apt-get install fail2ban -y
Now edit its settings:
sudo nano /etc/fail2ban/jail.local
And now add these settings:
[sshd]
enabled = true
port = <22 or your chosen non standard port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
# whitelisted IP addresses
ignoreip = <list of whitelisted IP address, your external IP address from home>
Hardening Login with Google Authenticator’s 2FA
A two factor authentication (2FA) is a very reliable and popular mechanism to harden access security on any system. Depicting it simply, is relying in a second system (factor) to confirm the validity of the authentication. The most common mechanism is using your mobile phone, so if someone has to hack your server (in this case), they will have to steal your phone or “hack” your SIM card first, to be able to log into the server.
How to set it up? It is quite easy:
sudo apt install libpam-google-authenticator -y
To make SSH use the Google Authenticator PAM module, edit the /etc/pam.d/sshd file:
sudo nano /etc/pam.d/sshd
And add:
auth required pam_google_authenticator.so
Now you need to restart the sshd daemon using:
sudo systemctl restart sshd.service
Modify /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to yes
ChallengeResponseAuthentication yes
Locate UsePAM and update to yes
UsePAM yes
Then save the file and exit
Now run google authenticator with:
google-authenticator
It will ask for some questions:
Make tokens “time-base””: yes
Update the.google_authenticatorfile: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes
Notice the giant QR code that appeared during the process, underneath are your emergency scratch codes to be used if you don’t have access to your phone or if you lose it: write them down on paper and keep them in a safe place.
Now, open Google Authenticator on your phone and add your secret key to make two factor authentication work.
What’s Next?
In the following Sei 101 Security article, we may take a dive into securing your validator keys with HSM/KSM.
In the meantime, if you don’t know what Sei Network is, go to their website a check the great goals they’re trying to achieve in the DeFi world, with their blazing fast L1 Cosmos based blockchain.
Take care folks!
