If you’re running your nodes or planning to run on mainnet nodes, keep in mind that the worst scenario is that someone steal your keys. Because if they run a node with your keys, and the network detect 2 signs with the same key, your funds can be wiped out, as it is one of the major penalties.
The focus on this short guide is on protecting your keys (pem files) on Linux Server Nodes.
I don’t enter deep on howto make every rule, you can ‘google’ them or ask me on Elrond Validators Telegram. When you apply every change in the system, be careful don’t deny access to yourself on it, you can always keep other opened ssh session as a backup access.
I will approach to the problem in two different environment risk, the server side and the client side (the machine from which you are connecting to the server).
Server Side Risks
What we need here is to ensure that is really difficult to someone access to the server itself. I follow some rules:
No root policy
Always create a secondary user, you can name it “elrond” and add it to sudo group. Deny access to root on ssh. Do it carefully and always with other opened ssh session just in case.
Allow only ssh access to the server. I disable all the other remote access services like VNC. Usually if you rent an VPS or bare metal server you have a control panel on the website of the provider, and can disable VNC access or similar from there.
Change ssh port and enable firewall
Don’t use the default port 22, you can change it easily following this guide.
Always setup ufw to deny all incoming, and allow only the port ssh that you customize
Create a rsa key from you client machine, and install it on the server. It is more secure way to access to your server than password logins (default). If you don’t do it never, be patient and try & fail until you have it. Keep in mind that the certificate is created from the client side, and you install to the server only the public key of the certificate. Create a certificate from mac or linux clients is very easy, from windows and putty can be more tricky but it’s important security rule. Always create the certificates with passphrase.
Without Balances PEM
Usually keygenerator will create a pair of .pem files, one is your node private key and the other a wallet where you will receive the rewards (initialBalancesSk.pem). You must keep node pem files in the server and don’t need to keep there the Balances one, these can be on your client side or encrypted usb backup.
Client Side Risks
Maybe it’s the most important part, as usually is more easy to access to your windows machine than to your linux server.
Exclusive access machine
If we connect to our server from our daily windows machine, the risk is high as we can have spyware, keystroke sniffers and so on. The most obvious solution is to have some “old laptop”, erase it and install clean system on it (I prefer linux desktop). Don’t use it never for websurfing, only for ssh connections to your servers. If you haven’t other “old laptop” you still can use virtual machine or dual boot solutions.
VPN and wifi risk
Try to access to your servers always by an VPN service like NordVPN, specially to avoid the risk that you have your WiFi router hacked. This is a problem to avoid, because usually is not that difficult to listen wifi traffic.
Encrypted PEM Backups
As you know you need backups of your node keys, be careful where and how you keep them. If you prefer to have them in a folder on your client machine, keep them always as a .zip or .tar.gz encrypted file, with strong password and aes256 encription. You can do it from your server side, before you download it to your machine.
Other solution is create usb encrypted unit and put them on it. If you use windows, mac or linux client O.S. you can search for solutions on do it.
I only keep unencrypted pem files on the server side.
If you have more security tips to add, please contribute here with a comment.
See you on Elrond Validators Telegram