Pre-configure the Node Server

The steps to prepare and secure your validating node server prior to installing the Radix Node Software.

Connect to the server

Using the key generated from the AWS console and using a SSH client like Putty, connect to your Ubuntu server. If you are logged in as root then create a user-level account with admin privileges instead, since logging in as the root user is risky.
Create a new user. Replace yourusername with a username of your choice. You will asked to create a strong password and provide some other optional information.
sudo adduser <yourusername>
Grant admin rights to the new user by adding it to the sudo group. This will allow the user to perform actions with superuser privileges by typing sudo before commands.
sudo usermod -aG sudo <yourusername>
Optional: If you used SSH keys to connect to your Ubuntu instance via the root user you will need to associate the new user with the root user’s SSH key data.
sudo rsync --archive --chown=<yourusername>:<yourusername> ~/.ssh /home/<yourusername>
Finally, log out of root and log in as <yourusername>

Update the Server

Make sure the system is up to date with the latest software and security updates.
sudo apt update && sudo apt upgrade
sudo apt dist-upgrade && sudo apt autoremove
sudo reboot
Enable automatic updates
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
Optional: Change the server's hostname with the following command:
sudo hostnamectl set-hostname <newNameHere>

Secure the Server

This guide will follow a list of settings in the CoinCashew guide. This is not a comprehensive list and you should investigate other security steps specific to your own setup and situation.

SSH Configuration

The following section will edit the contents of your sshd_config file, it is recommended to make a backup of this file before proceeding and to understand more about each of the settings you will edit you can view the sshd help file by typing:
man sshd_config
Change the SSH Port in the sshd_config file
sudo nano /etc/ssh/sshd_config
Find the line #Port 22 remove the # and replace the number with the port number of your choice
Port <YourSSHPortNumber>
At this point you may want to configure your firewall to allow the new port number. See the Firewall Configuration section below. Also remember to update any AWS Security Groups if you have those configured.
Locate the line for ChallengeResponseAuthentication and set it to ‘no’
ChallengeResponseAuthentication no
Locate the line for PasswordAuthentication and set it to ‘no’
PasswordAuthentication no
Locate the line for PermitRootLogin and set it to ‘no’
PermitRootLogin no
Locate the line for PermitEmptyPasswords and set it to ‘no’
PermitEmptyPasswords no
Locate the line for PubkeyAuthentication and set it to ‘yes’. This will change the configuration to only accept public keys.
PubkeyAuthentication yes
Change ClientAliveInterval to 300 and ClientAliveCountMax to 0
ClientAliveInterval 300
ClientAliveCountMax 0
Save and close the file, then test the SSH config.
sudo sshd -t
If there are no errors then restart the SSH process
sudo systemctl restart sshd
Open another Putty terminal and test connecting on the new SSH port before closing the existing terminal.

Restricting access to specific users or IPs

Optional Steps: lockdown SSH to a specific user and/or from a specific IP. Only perform these step if you are confident your IP won’t change.
Open the SSHD config file again
sudo nano /etc/ssh/sshd_config
to restrict just to a specific user add the following to the bottom of the file
AllowUsers <SSH_User1> <SSH_User2>
alternatively to restrict to a specific IP add the following line to the bottom of the file
AllowUsers <SSH_User>@<Public_IP>
Save and close the file and restart SSHD
sudo systemctl restart sshd

Restrict Access Using IP Tables

Alternatively, you can use IP tables to restrict access to the SSH port from a single IP or network. As root enter the follow at the command line
sudo iptables -A INPUT -p tcp --dport <YOUR_SSH_PORT> -s <Your_Public_IP> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport <YOUR_SSH_PORT> -j DROP

Create a new ED25519 encryption key and replace the default AWS RSA 2048-bit key

The default AWS SSH key is using RSA SSH-2 2048-bit encryption. It is recommended to create another key pair using ED25519 encryption, follow the Putty user guide here. Ensure you have set a strong password on your private key. Read up about ED25519 here.
Then once you’ve created the key copy the public key to the ~/.ssh/authorized_keys file.
sudo nano ~/.ssh/authorized_keys
save and close the file.
Test the new key works by opening a new SSH session via Putty and using the custom port you set earlier.
Once confirmed either backup and delete or comment (#) out the previous RSA key’s line in the authorized_keys file.
Ensure the authorized_keys file has the correct permissions by running the following command
chmod -R go= ~/.ssh
Check the permissions are set correctly
cd ~/.ssh
ls -l

Disable the root account

Disable the ability to login with the rootaccount using a password
sudo passwd -l root

Firewall Configuration

ufw is a a common linux based firewall package which we will install
Install the ufw package
sudo apt install ufw
Explicitly apply the defaults. Inbound traffic denied, outbound traffic allowed.
sudo ufw default deny incoming
sudo ufw default allow outgoing
Allow inbound traffic on <YourSSHPortNumber> as set in the SSH Configuration section above. SSH requires the TCP protocol.
sudo ufw allow <yourSSHportnumber>/tcp
Optional: You may also choose to lockdown access to your specific public IP. However be warned that if your public IP changes you may lose access.
sudo ufw allow proto tcp from <YourPublicIP> to any port <YourSSHPortNumber>
Deny inbound traffic on port 22/TCP.
Only perform this step after confirming you have connected over SSH using <YourSSHPortNumber>
sudo ufw deny 22/tcp
Enable the firewall and check to verify the rules have been correctly configured.
sudo ufw enable
sudo ufw status numbered

Two-factor authentication (optional but encouraged)

Two-factor authentication gives you an extra layer of security in the event your SSH key was compromised. Although we are installing the Google Authenticator package you can also use an alternative 2fA app like Authy.

Warning!! Ensure you complete all these steps without closing the Putty terminal. If you close the Putty terminal before you complete all the steps you may not be able to log back in again.

Install the Google Authenticator package
sudo apt install libpam-google-authenticator -y
Run google-authenticator
google-authenticator
enter ‘y’ to the first prompt
Do you want authentication tokens to be time-based (y/n): y
A QR Code will appear with a Secret Key, a number of scratch codes and a prompt for further options. Open your Google Authenticator or Authy app and enter in your secret key. Copy down your emergency scratch codes for safe-keeping.
The recommended settings for the subsequent prompts are:
Update the .google_authenticator file: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes
Make a backup of the sshd configuration file
sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
Edit the /etc/pam.d/sshd file to make SSH use Google Auhthenticator
sudo nano /etc/pam.d/sshd
and add the following lines
@include common-password
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
save and close the file.
Edit the SSH configuration file
sudo nano /etc/ssh/sshd_config
locate the ChallengeResponseAuthentication line and update to ‘yes’
KbdInteractiveAuthentication yes
locate the UsePAM line and update to ‘yes’
UsePAM yes
Save and close the file then restart the SSHD service
sudo systemctl restart sshd.service
2FA is not fully configured yet but open another Putty window to confirm all is working okay. You should not be prompted for any two-factor authentication yet. DO NOT close your existing terminal.
Make SSH aware of 2FA by opening the SSH configuration file
sudo nano /etc/ssh/sshd_config
and add the following line to the bottom of the file
AuthenticationMethods publickey,password publickey,keyboard-interactive
save and close the file.
Open the PAM sshd configuration file
sudo nano /etc/pam.d/sshd
and comment out the following line by adding a # character at the start
#@include common-auth
Save and close the file the restart SSH.
sudo systemctl restart sshd.service
Now open another Putty terminal session and you should be asked to enter the two-factor code.

Kernel Live Patching

The Livepatch Service intends to address high and critical severity Linux kernel security vulnerabilities, as identified by Ubuntu Security Notices and the CVE tracker. Since there are limitations to the kernel livepatch technology, some Linux kernel code paths cannot be safely patched while running. There may be occasions when the traditional kernel upgrade and reboot might still be necessary.
You will need to create an account at https://login.ubuntu.com/. The free tier allows installation on up to three machines. You will be given a subscription token which can be found here https://ubuntu.com/advantage
Attach the token to your server
sudo ua attach <YOUR_TOKEN>
sudo ua status

Secure Shared Memory

Shared memory can be used in an attack against a running service. Because of this, secure that portion of system memory. You can do this by modifying the /etc/fstab file.
Edit the fstab file
sudo nano /etc/fstab
Add the following line
tmpfs /run/shm tmpfs ro,noexec,nosuid 0 0
Save and close the file, then reboot.
sudo reboot

Install Fail2Ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.
Install fail2ban
sudo apt-get install fail2ban -y
Edit the config file
sudo nano /etc/fail2ban/jail.local
and add the following to the file ignoreip = <list of whitelisted IP address, your local daily laptop/pc> . Also amend the port number to your own SSH port.
[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip = <list of whitelisted IP address, your local daily laptop/pc>
save and close the file.
Restart fail2ban
sudo systemctl restart fail2ban
That concludes the first step in preparing your Node Server. Head to the next page to install Node Exporter.

Sources: