# Build and Configure the Monitoring Webserver {% hint style="info" %} **Note:** These steps are identical to the Node Server configuration instructions with the exception of configuring Secure Shared Memory, Kernel Live Patching and 2FA. However you may consider these as necessary for your own requirements and wish to include them as well. {% endhint %} ### Connect to the server Using the key generated from the AWS console and using a SSH client like Putty, connect to your Ubuntu server. If you are logged in as root then create a user-level account with admin privileges instead, since logging in as the root user is risky. Create a new user. Replace `yourusername` with a username of your choice. You will asked to create a strong password and provide some other optional information. ``` $ sudo adduser ``` Grant admin rights to the new user by adding it to the sudo group. This will allow the user to perform actions with superuser privileges by typing sudo before commands. ``` $ sudo usermod -aG sudo ``` Optional: If you used SSH keys to connect to your Ubuntu instance via the root user you will need to associate the new user with the root user’s SSH key data. ``` $ sudo rsync --archive --chown=: ~/.ssh /home/ ``` Finally, log out of `root` and log in as `` ### Update the Server Make sure the system is up to date with the latest software and security updates. ``` $ sudo apt update && sudo apt upgrade $ sudo apt dist-upgrade && sudo apt autoremove $ sudo reboot ``` Enable automatic updates ``` $ sudo apt-get install unattended-upgrades $ sudo dpkg-reconfigure -plow unattended-upgrades ``` Optional: Change the server's hostname with the following command: ``` $ sudo hostnamectl set-hostname newNameHere ``` ## Secure the Server This guide will follow a list of settings in the [CoinCashew](https://www.coincashew.com/coins/overview-ada/guide-how-to-build-a-haskell-stakepool-node/how-to-harden-ubuntu-server) guide. This is not a comprehensive list and you should investigate other security steps specific to your own setup and situation. ### SSH Configuration Change the Default SSH port from a port between 1024-49151. First check that the port is free ``` eg. sudo ss -tulpn | grep ':6673' $ sudo ss -tulpn | grep ':' ``` A red text response indicates it's in use already. If it's free then change the port in the `sshd_config` file ``` $ sudo nano /etc/ssh/sshd_config ``` Find the line `#Port 22` remove the `#` and replace the number with the port number of your choice ``` Port ``` {% hint style="info" %} ***At this point you may want to configure your firewall to allow the new port number.*** See the **Firewall Configuration** section below. Also remember to update any AWS Security Groups if you have those configured. {% endhint %} Locate the line for **ChallengeResponseAuthentication** and set it to ‘no’ ``` ChallengeResponseAuthentication no ``` Locate the line for **PasswordAuthentication** and set it to ‘no’ ``` PasswordAuthentication no ``` Locate the line for **PermitRootLogin** and set it to ‘no’ ``` PermitRootLogin no ``` Locate the line for **PermitEmptyPasswords** and set it to ‘no’ ``` PermitEmptyPasswords no ``` Locate the line for **PubkeyAuthentication** and set it to ‘yes’. This will change the configuration to only accept public keys. ``` PubkeyAuthentication yes ``` Save and close the file, then test the SSH config. ``` $ sudo sshd -t ``` If there are no errors then restart the SSH process ``` $ sudo systemctl restart sshd ``` Log out and back in again using the new SSH port number. {% hint style="warning" %} **Optional Steps:** lockdown SSH to a specific user from a specific IP. Only perform this step if you are confident your IP won’t change. {% endhint %} Open the SSHD config file again ``` $ sudo nano /etc/ssh/sshd_config ``` and add the following line to the bottom of the file ``` AllowUsers @ ``` Save and close the file and restart SSHD ``` $ sudo systemctl restart sshd ``` ### Create a new ED25519 encryption key and replace the default AWS RSA 2048-bit key The default AWS SSH key is using **RSA SSH-2 2048-bit** encryption. It is recommended to create another key pair using **ED25519** encryption, follow the Putty user guide [here](https://docs.digitalocean.com/products/droplets/how-to/add-ssh-keys/create-with-putty/). Ensure you have set a strong password on your private key. Then once you’ve created the key copy the public key to the `~/.ssh/authorized_keys` file. Test the new key works by opening a new SSH session via Putty and using the custom port you set earlier. ![](/files/-MeGXlqYzr4kRNx9DO_N) Once confirmed either backup and delete or comment (**`#`**) out the previous RSA key’s line in the `authorized_keys` file. Read up about ED25519 [here](https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54) Ensure the `authorized_keys` file has the correct permissions by running the following command ``` chmod -R go= ~/.ssh ``` Check the permissions are set correctly ![](/files/-MeGUol2cptvap7Rl-mc) ### Disable the root account Disable the ability to login with the `root`account using a password ``` $ sudo passwd -l root ``` ### Firewall Configuration ufw is a a common linux based firewall package which we will install Install the ufw package ``` $ sudo apt install ufw ``` Explicitly apply the defaults. Inbound traffic denied, outbound traffic allowed. ``` $ sudo ufw default deny incoming $ sudo ufw default allow outgoing ``` Allow inbound traffic on `` as set in the **SSH Configuration** section above. SSH requires the TCP protocol. ``` E.g. sudo ufw allow 6673/tcp $ sudo ufw allow /tcp ``` {% hint style="warning" %} **Optional:** You may also choose to lockdown access to your specific public IP. However be warned that if your public IP changes you may lose access. {% endhint %} ``` $ sudo ufw allow proto tcp from to any port ``` Deny inbound traffic on port 22/TCP. {% hint style="danger" %} **Only perform this step after confirming you have connected over SSH using \** {% endhint %} ``` $ sudo ufw deny 22/tcp ``` Enable the firewall and check to verify the rules have been correctly configured. ``` $ sudo ufw enable $ sudo ufw status numbered ``` ### Install Fail2Ban Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address. Install fail2ban ``` $ sudo apt-get install fail2ban -y ``` Edit the config file ``` sudo nano /etc/fail2ban/jail.local ``` and add the following to the bottom of the file `ignoreip = ` . Also amend the port number to your own SSH port. ``` [sshd] enabled = true port = <22 or your random port number> filter = sshd logpath = /var/log/auth.log maxretry = 3 # whitelisted IP addresses ignoreip = of whitelisted IP address, your local daily laptop/pc> ``` save and close the file. Restart fail2ban ``` $ sudo systemctl restart fail2ban ``` You may also want to complete the additional steps to Secure Shared Memory and install Kernal Live Patching as we did with the Node Server. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.radix-staking.com/build-the-webserver.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.