Sei Validators — Security 101 — Hardening server login

Blockscope
Oct 13, 2022

We often talk about using sentry nodes as a good barrier against the DDoS attacks that a Cosmos node might face.

Sei Network, DeFi disrupting blockchain

But what about the non-Cosmos-related things that we have to secure in our nodes? Even if you are just taking part in a testnet, it is always a good idea to take care of your testnet node as if it were already a mainnet node. That way, you can try out the things you will want to do to turn your Linux node into a safe one.

Everybody has to master Linux node operation, since the security of the whole network is a team effort to which everyone has to contribute.

Disabling Root Logins and Password Based Logins

First of all, it is very common for node renting services to create only a root user rather than a normal one, and then hand you the permissions / password of that user. It is much safer to log in to your Linux box as a normal user. To do so, create a normal user with this command:

adduser seiuser (it will ask for a password for that user)

Once that is done, we might want to add that user to the sudo group of that box, which ensures that, if needed, we can still operate as if we were root:

usermod -aG sudo seiuser

Now we are going to disable SSH password authentication and use SSH keys only. Create a new SSH key pair on your local machine. Run this on your local machine from which you intend to connect to your Sei node. You will be asked to type a file name in which to save the key. This will be your keyname. Make a safe copy of this file!

ssh-keygen -t ed25519

Once that is done, push the public key (keyname.pub) to the Sei node with this:

ssh-copy-id -i $HOME/.ssh/keyname.pub seiuser@public-ip-address-of-your-Sei-node

Now try to log in to your Sei node:

ssh seiuser@public-ip-address-of-your-Sei-node

Now, let’s disable root login and password-based logins, since we are moving to key-based login. Edit the /etc/ssh/sshd_config file:

sudo nano /etc/ssh/sshd_config

Now find this line and change it to no:

ChallengeResponseAuthentication no

And change this Password setting to no as well:

PasswordAuthentication no

Now let’s ban the root user from logging in, in the very same sshd_config file:

PermitRootLogin no

Last but not least:

PermitEmptyPasswords no

Now find the line where the SSH daemon port is specified. We will use one different from 22, the standard one:

Port <custom port number>

Any value between 1024 and 49000ish will do the trick.

Now, verify that the settings are fine, without applying them:

sudo sshd -t

If no errors showed, now apply them:

sudo service sshd reload

Log out and check that everything went just fine:

ssh seiuser@public-ip-address-of-your-Sei-node -p <custom port number>
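
The following check is an added example, not part of the original article. sshd uses the first value it obtains for each keyword, so an earlier line or an included drop-in file can silently override an edit made further down; the hypothetical audit_sshd function below applies that rule to the settings changed above, using OpenSSH's defaults for keywords that are never set.

```shell
#!/bin/sh
# Added example (not from the article): audit the login settings set above.
# Reads sshd_config text, or the output of `sshd -T`, on stdin.
# Prints one FAIL line per finding and returns 1 if there is any.
audit_sshd() {
    awk '
    function fail(msg) { print "FAIL " msg; bad = 1 }
    BEGIN {
        # OpenSSH defaults, used when a keyword is never set
        val["passwordauthentication"] = "yes"
        val["permitrootlogin"] = "prohibit-password"
        val["permitemptypasswords"] = "no"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        split(line, f, /[ \t=]+/)          # "Key value" or "Key=value"
        key = tolower(f[1]); v = tolower(f[2])
        if (key == "match") exit           # audit the global section only
        if (key == "port") {               # Port may repeat, all are opened
            nports++
            if (v == "22") port22 = 1
        } else if ((key in val) && !(key in seen)) {
            seen[key] = 1                  # first value obtained wins
            val[key] = v
        }
    }
    END {
        if (val["passwordauthentication"] != "no")
            fail("PasswordAuthentication is " val["passwordauthentication"])
        if (val["permitrootlogin"] != "no")
            fail("PermitRootLogin is " val["permitrootlogin"])
        if (val["permitemptypasswords"] != "no")
            fail("PermitEmptyPasswords is " val["permitemptypasswords"])
        if (port22 || nports == 0) fail("Port 22 is still in use")
        exit bad + 0
    }'
}

# Constructed sample: the earlier "yes" wins over the later "no"
audit_sshd <<'EOF' || echo "settings need attention"
Port 2222
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
# On the node itself: sudo sshd -T | audit_sshd
```

Piping the output of sshd -T into the function audits the effective configuration, included files and all, rather than one file.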

Preventing Login Brute Force Attacks

Another optional setting is installing fail2ban. Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.

To install it execute:

sudo apt-get install fail2ban -y

Now edit its settings:

sudo nano /etc/fail2ban/jail.local

And now add these settings:

[sshd]
enabled = true
port = <22 or your chosen non standard port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
# whitelisted IP addresses
ignoreip = <list of whitelisted IP address, your external IP address from home>
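
The counting rule described above, as an added example that is not part of the original article and is not fail2ban's own code. The hypothetical would_ban function models maxretry and ignoreip from the jail above over a constructed log; the 600-second window is an assumption, since the jail above does not set one.

```shell
#!/bin/sh
# Added example: simplified model of the [sshd] jail logic, not fail2ban code.
# usage: would_ban MAXRETRY WINDOW_SECONDS "IGNORED IPS" < auth.log
# Prints each source IP that reaches MAXRETRY failures inside the window.
would_ban() {
    awk -v maxretry="$1" -v window="$2" -v ignore="$3" '
    BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    / sshd\[[0-9]+\]: Failed password / {
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in skip) || (ip in banned)) next
        split($3, t, ":")                      # syslog time HH:MM:SS
        now = t[1] * 3600 + t[2] * 60 + t[3]   # assumption: one day of logs
        # keep only failures still inside the window, then add this one
        kept = 0
        for (i = 1; i <= cnt[ip]; i++)
            if (now - ts[ip, i] < window) ts[ip, ++kept] = ts[ip, i]
        ts[ip, ++kept] = now
        cnt[ip] = kept
        if (kept >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# Constructed sample log (documentation IP ranges, hypothetical host "node")
sample_log() {
    cat <<'EOF'
Oct 13 10:00:01 node sshd[911]: Failed password for root from 203.0.113.7 port 40001 ssh2
Oct 13 10:00:05 node sshd[912]: Failed password for root from 203.0.113.7 port 40002 ssh2
Oct 13 10:00:09 node sshd[913]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Oct 13 10:00:14 node sshd[914]: Failed password for root from 203.0.113.7 port 40004 ssh2
Oct 13 10:00:20 node sshd[915]: Failed password for root from 203.0.113.7 port 40005 ssh2
Oct 13 10:05:00 node sshd[916]: Failed password for root from 198.51.100.9 port 40200 ssh2
Oct 13 10:09:00 node sshd[917]: Failed password for root from 198.51.100.9 port 40201 ssh2
Oct 13 10:13:00 node sshd[918]: Failed password for root from 198.51.100.9 port 40202 ssh2
Oct 13 10:17:00 node sshd[919]: Failed password for root from 198.51.100.9 port 40203 ssh2
Oct 13 10:21:00 node sshd[920]: Failed password for root from 198.51.100.9 port 40204 ssh2
EOF
}

# maxretry = 5 as in the jail above; 192.0.2.10 stands in for your home IP
sample_log | would_ban 5 600 "192.0.2.10"
```

The second source in the sample also fails five times, but spaced four minutes apart, so it never has five failures inside one window and is not banned.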

Hardening Login with Google Authenticator’s 2FA

Google Authenticator, the most popular app for 2FA security

Two-factor authentication (2FA) is a very reliable and popular mechanism to harden access security on any system. Put simply, it relies on a second system (factor) to confirm the validity of the authentication. The most common mechanism is using your mobile phone, so if someone wants to hack your server (in this case), they will have to steal your phone or “hack” your SIM card first to be able to log into the server.

How to set it up? It is quite easy:

sudo apt install libpam-google-authenticator -y

To make SSH use the Google Authenticator PAM module, edit the /etc/pam.d/sshd file:

sudo nano /etc/pam.d/sshd

And add:

auth required pam_google_authenticator.so

Now you need to restart the sshd daemon using:

sudo systemctl restart sshd.service

Modify /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Locate ChallengeResponseAuthentication and update it to yes:

ChallengeResponseAuthentication yes

Locate UsePAM and update it to yes:

UsePAM yes

Then save the file and exit.

Now run Google Authenticator with:

google-authenticator

It will ask some questions:

Make tokens “time-based”: yes
Update the .google_authenticator file: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes

Notice the giant QR code that appeared during the process. Underneath it are your emergency scratch codes, to be used if you don’t have access to your phone or if you lose it: write them down on paper and keep them in a safe place.

Now, open Google Authenticator on your phone and add your secret key to make two-factor authentication work.

What’s Next?

Sei is a DeFi disruptive L1 blockchain

In the following Sei 101 Security article, we may take a dive into securing your validator keys with HSM/KSM.

In the meantime, if you don’t know what Sei Network is, go to their website and check the great goals they’re trying to achieve in the DeFi world with their blazing fast, Cosmos-based L1 blockchain.

Take care folks!

Blockscope

We're a company of Blockchain passionate individuals that aim to help decentralize the world while having fun with technology.