How to securely preconfigure Cosmos node

The aim of the guide is to go through some of the best practices on how to secure you linux system. It also helps you to do initial configuration of the server installing go, node runner and few commonly used packages to run a validator node.

# Display public ssh key for MAC/Linux
$ cat ~/.ssh/id_rsa.pub

# Generate ssh key pair for MAC
$ ssh-keygen -t rsa

# Generate ssh key pair for Ubuntu
$ ssh-keygen

The root is the superuser account in Unix and Linux based systems. Once we have access to the root account, we have complete system access. Because the username is always root and the access rights are unlimited, this account is the most valuable target for hackers.

There are a lot of bots scanning the Internet for systems with exposed ssh ports. When they find one, they will attempt to login using common usernames and try to guess the password.

Imagine that a bot gets lucky and guesses the root password. Because root gives access to the whole machine, the machine should be considered lost at this time.

The impact would have been a lot less if the compromised user had unprivileged access. The breach would then be contained and limited to this user only.

Also it's just good practice on any operating system to run your applications on a user level and leave administrative tasks to the root user, and only on a per-need basis (even a small bug in an application could erase some system files).

Now that we know that it is bad to allow root logins over ssh, it’s time to take some measurements. Let’s go through some of the best practices.

# Create new admin user
$ sudo adduser admin

# Assign sudo permission to admin user
$ sudo usermod -aG sudo admin

# Upload ssh key for admin user, !!! replace YOUR_PUBLIC_SSH !!!
$ sudo mkdir /home/admin/.ssh/
$ sudo chmod 0700 /home/admin/.ssh/
$ sudo -- sh -c "echo 'YOUR_PUBLIC_SSH' > /home/admin/.ssh/authorized_keys"
$ sudo chown -R admin:admin /home/admin/.ssh/

# Inspect ssh service config
$ sudo nano /etc/ssh/sshd_config

# Disable root login
PermitRootLogin no

# Disable password authnetication
PasswordAuthentication no

# Allow access only for admin user
AllowUsers admin

# Restart ssh service
$ sudo systemctl restart sshd
$ exit

Let's verify that our new configuration works. You should no longer be able to login under root.

$ ssh root@you_server
root@yourserver: Permission denied (publickey).

You should successfully be able to login under admin.

$ ssh admin@your_server

Fail2Ban helps to protect server against unauthorized access attempts and brute-force attacks. It watches logs for authentication failures and creates firewall rules to block certain IP addresses. Hence it makes ssh brute force really hard and the server secure.

# Install fail2ban
$ sudo apt update
$ sudo apt install fail2ban -y

By default ssh service is enabled and it protects port number 22. You can change default configuration, but that's an OPTIONAL step. Below is a quick guide on how to change default configs.

# Go to config folder and create your own config file (jail.local)
$ cd /etc/fail2ban/
$ sudo cp jail.conf jail.local

# Inspect jail.local
$ sudo nano jail.local

# Here's the parameters, you might want to configure
bantime = 10m
findtime = 10m
maxretry = 5
destemail = root@localhost
sender = root@<fq-hostname>

# List all enabled jails
$ sudo fail2ban-client status

# Inspect jail details
$ sudo fail2ban-client status sshd

Firewall is a utility for network security that monitors and filters incoming and outgoing network traffic based on the security policies that we define. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet. Its main purpose is to allow non-threatening traffic in and to keep dangerous traffic out. UFW developed to ease iptables firewall configuration, it provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled. Let's configure and enable it.

# Install ufw
$ sudo apt update
$ sudo apt install ufw -y

# Make sure it's active
$ sudo systemctl status ufw

# Allow outgoing connections
$ sudo ufw default allow outgoing

# Deny incomming connections
$ sudo ufw default deny incoming

# Allow incoming ssh (22 port)
$ sudo ufw allow ssh

# Allow incoming node_exporter
$ sudo ufw allow 9100

# Allow incoming comsos p2p
$ sudo ufw allow 26656

# Enable firewall
$ sudo ufw enable

# List all firewall rules
$ sudo ufw status numbered

# If you want to delete a certain rule use 
$ sudo ufw delete RULE_NUMBER

# Update system packages
$ sudo apt update && sudo apt upgrade -y

# Install commonly used utilities
$ sudo apt install curl tar wget tmux htop net-tools clang pkg-config libssl-dev jq build-essential git make ncdu -y

# Install go
$ version="1.17.2" \
&& cd $HOME \
&& wget "https://golang.org/dl/go$version.linux-amd64.tar.gz" \
&& sudo rm -rf /usr/local/go \
&& sudo tar -C /usr/local -xzf "go$version.linux-amd64.tar.gz" \
&& rm "go$version.linux-amd64.tar.gz" \
&& echo "export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin" >> $HOME/.bash_profile \
&& source $HOME/.bash_profile

# Install node_exporter
$ sudo apt install prometheus-node-exporter -y

# Logs
$ sudo journalctl -u prometheus-node-exporter -f

Congrats. Your server is now securely configured to allow ssh connections for certain user via ssh keys. It exposes only few necessary ports keeping the rest closed and it has all commonly used packages preconfigured. Now you are completely safe to setup your validator node. Good luck!

Any help is very much appreciated.