Harden Your Staking VPS
My masternode research started with reading a post about bitradio (bitradio.io), a service that pays you for listening to web radio. At first that sounds ludicrous, but then I tried it and, true enough, I was earning BRO coins. Not much, but earning I was.
So I decided to look deeper into owning my own bitradio masternode. In doing so I learned about Nyerium (NYEX), built my own NYEX masternode, and shared the following posts along the way, since I believe the platform and the blockchain will solve a problem.
- Staking Alt Coins for Passive Income
- AutoStart Staker Daemon on Boot
- Setup An Alt Coin Masternode for Passive Income
- Staking with Multiple Masternodes
- Masternode Proof-of-Stake Push Notifications
Security Awareness
To earn more NYEX, I leave my wallet staking. Meaning, the wallet is online 24x7, which supports the decentralized nature of the blockchain and, at the same time, keeps the wallet eligible to earn rewards.
But leaving the wallet running 24x7 also exposes it to security threats. The VPS is reachable from the whole internet, and its SSH port draws a constant stream of brute-force login attempts; a compromised VPS is a compromised wallet. That is a problem in itself. Second to that, the VPS has a limited bandwidth allocation (a paid service), and repeated login attempts consume part of it.
A few tweaks deter these threats, so that the majority of these attempts are warded off before they matter.
Harden VPS Security
The tools necessary to ward off attacks are inherent to Linux. It's just a matter of turning them on (or installing them).
Fail2Ban
Written in Python, Fail2Ban reduces brute-force attempts by watching the authentication log for repeated login failures. It works in tandem with the built-in Linux firewall (iptables) to ban the offending IP addresses for a while.
On Debian and Ubuntu the sshd jail is enabled by default, so Fail2Ban protects SSH without any further configuration. If you want to tune the thresholds (bantime, findtime, maxretry), put the overrides in /etc/fail2ban/jail.local rather than editing jail.conf, which a package upgrade overwrites. To install, execute the following commands (there is no package called netfilter; the firewall itself is iptables, and the -persistent packages restore its rules on boot).
$ sudo apt-get -y install iptables netfilter-persistent iptables-persistent
$ sudo apt-get -y install fail2ban
To check that the service is running and which jails are active, use fail2ban-client (it needs root to reach the fail2ban socket).
$ sudo fail2ban-client status
.. or, for the sshd jail alone, which also lists the currently banned addresses ..
$ sudo fail2ban-client status sshd
Reconfigure SSH
Initially, I thought that having installed fail2ban and checked that it works, I was set. Not really.
Attempts were still being made, and although the fail2ban filter worked, the threat kept occurring on a regular basis -- you will notice banned IP addresses.
So I decided to harden the VPS further by moving the default SSH port from 22 to another port. Modify the file /etc/ssh/sshd_config and change the line Port 22 to another unused port number (e.g. Port 822). To ensure that this port is unused, use the command lsof -i tcp:822 (run it as root, otherwise lsof only shows sockets owned by your own user). Two things need to change along with the port: if a firewall is active, allow the new port before restarting sshd, and tell Fail2Ban about it, because the sshd jail bans on port ssh (22) by default and needs port = 822 in jail.local to keep protecting the moved service.
The result? No more banned IP addresses the last time I checked. It doesn't necessarily mean the threat is over, since a port change only hides the service from scanners that try port 22 and is no substitute for the other measures, but most of them are no longer targeting my VPS.
The tweak above requires a restart of SSHD.
$ sudo systemctl restart sshd
WARNING! Prior to restarting the service, make sure that you have another SSH connection open to revert the change (or connect from the console). Otherwise, you will inadvertently lock yourself out of your own VPS!
Passwordless SSH
To further harden the VPS security, change the default behavior of SSH from password logins to key-based authentication. This requires some familiarity with Linux and SSH.
Generate SSH Keys
First, generate an SSH key pair. Set a passphrase when prompted; it protects the private key if the file is ever copied.
$ ssh-keygen -t rsa
Append the generated public key id_rsa.pub to authorized_keys inside the directory $HOME/.ssh. sshd refuses keys when this directory or file is writable by others (StrictModes is on by default), so keep .ssh at mode 700 and authorized_keys at mode 600.
$ cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys
Download SSH Private Key
Now copy the private key $HOME/.ssh/id_rsa to your jumphost to complete password-less, key-based authentication, and then delete it from the VPS: the private key is only ever needed on the machine you connect from. The usual direction is the reverse, generating the pair on the jumphost and copying only the public key to the VPS, which avoids transporting the private key at all.
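The following script is an added example, not code from the original post: it installs a public key into authorized_keys the way sshd's StrictModes expects (directory 700, file 600) and is safe to run repeatedly, since it matches on the key type and key material rather than the trailing comment and never appends a duplicate. The sample key and the temporary home directory are constructed for the demo; authorized_keys lines that start with options (command="...", from="...") are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent authorized_keys
# installation plus a mode check matching sshd's StrictModes requirements.
set -eu

# install_authorized_key HOMEDIR PUBKEY
# Appends PUBKEY once and fixes the modes sshd checks before trusting the file.
install_authorized_key() {
    home=$1 pubkey=$2
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"
    # The key type and base64 blob identify the key; the comment may differ.
    keyid=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    if ! awk -v id="$keyid" '($1 " " $2) == id {found=1} END {exit !found}' "$auth"; then
        printf '%s\n' "$pubkey" >> "$auth"
    fi
}

# count_authorized_key HOMEDIR PUBKEY
# Prints how many lines carry this key (exactly 1 after any number of installs).
count_authorized_key() {
    keyid=$(printf '%s\n' "$2" | awk '{print $1, $2}')
    awk -v id="$keyid" '($1 " " $2) == id {n++} END {print n+0}' "$1/.ssh/authorized_keys"
}

# check_ssh_modes HOMEDIR
# Returns 0 only if .ssh is mode 700 and authorized_keys is mode 600.
check_ssh_modes() {
    [ -n "$(find "$1/.ssh" -maxdepth 0 -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -maxdepth 0 -perm 600)" ]
}

# Demo on a throwaway home directory with a constructed (not real) public key.
demo_home=$(mktemp -d)
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBytesNotARealKey00000000000 staker@jumphost'
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"   # second run must not duplicate
echo "copies of key: $(count_authorized_key "$demo_home" "$SAMPLE_PUBKEY")"
check_ssh_modes "$demo_home" && echo "modes OK"
rm -rf "$demo_home"
```

On the VPS, run it as the staking user with install_authorized_key "$HOME" "$(cat id_rsa.pub)" and keep the existing session open until a key-based login from the jumphost has succeeded.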
Reconfigure SSH
Like the change of default port, SSH needs to be reconfigured to refuse password logins. Change the following lines, or uncomment them and set them to:
PasswordAuthentication no
UsePAM no
UsePAM no is a blunt setting, since it also switches off PAM's account and session handling. If you would rather keep UsePAM yes (the Debian/Ubuntu default), set ChallengeResponseAuthentication no as well, otherwise PAM can still ask for a password through keyboard-interactive authentication. Either way, test a key-based login from a second terminal before closing the session you are editing from.
Likewise, restart SSHD.
$ sudo systemctl restart sshd
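The port change and the password-login change above both edit /etc/ssh/sshd_config by hand, and both have the same two pitfalls: sshd honours the first occurrence of a directive, so a setting left further down (or a stale uncommented copy) silently wins, and anything written below a Match line applies only inside that block. The script below is an added example, not code from the original post: it applies the three settings from this post plus PubkeyAuthentication yes in one idempotent pass, writing the new value at the top of the file and removing only earlier top-level copies, then verifies the effective values. The sample config is constructed to resemble a stock Debian file; the demo only ever touches a temporary file.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent sshd_config hardening
# for the Port / PasswordAuthentication / UsePAM changes, with verification.
set -eu

# set_sshd_option FILE KEY VALUE
# Puts "KEY VALUE" first in FILE (sshd keeps the first match) and drops any
# earlier top-level copy, commented or not. Lines below a "Match" are kept as
# they are, because there they are conditional and may legitimately differ.
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        NR == 1 { print k, v }
        /^[ \t]*Match([ \t]|$)/ { inmatch = 1 }
        {
            line = $0
            sub(/^[# \t]*/, "", line)            # also catches "#Port 22"
            split(line, f, /[ \t=]+/)
            if (!inmatch && tolower(f[1]) == tolower(k)) next
            print
        }
        END { if (NR == 0) print k, v }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_sshd_option FILE KEY
# Prints the effective top-level value: first uncommented match before any Match.
get_sshd_option() {
    awk -v k="$2" '
        /^[ \t]*Match([ \t]|$)/ { exit }
        /^[ \t]*#/ { next }
        {
            sub(/^[ \t]+/, "")
            split($0, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(k)) { print f[2]; exit }
        }' "$1"
}

# harden_sshd FILE PORT: the changes described in the post.
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" UsePAM no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# verify_sshd FILE PORT: 0 only if every hardened value is the effective one.
verify_sshd() {
    [ "$(get_sshd_option "$1" Port)" = "$2" ] &&
    [ "$(get_sshd_option "$1" PasswordAuthentication)" = no ] &&
    [ "$(get_sshd_option "$1" UsePAM)" = no ] &&
    [ "$(get_sshd_option "$1" PubkeyAuthentication)" = yes ]
}

# Demo on a constructed sample config (a temporary file, never the real one).
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
# PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
harden_sshd "$demo" 822
verify_sshd "$demo" 822 && echo "hardened, effective Port=$(get_sshd_option "$demo" Port)"
cat "$demo"
rm -f "$demo"
```

On the VPS, run harden_sshd /etc/ssh/sshd_config 822 as root, then sshd -t to let sshd parse the file before the systemctl restart; a syntax error found by sshd -t costs nothing, one found by the restart costs you the session.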
The above tweaks are not the only ones you could deploy on the VPS; they are a starting point that deters most of the threats to it. As you can see from the screenshot provided, the attacks still occur, indicated by the increasing number of failures, but the VPS is now better equipped to deal with them than before.
If you need a VPS, I have had good experience with vultr.com (this is my affiliate link).
DISCLAIMER: I'm not affiliated with vultr.com. I simply use their service(s).
If you like this post, you know what to do.
Support:
- Bitcoin (BTC) - 3Kyjg1Wj1PNGN3KhiRprxYvvQpdjC5kT3k
- Etherium (ETH) - 0x5F168F895C63ccC5FbEf921047bc2b63f6780c3F
- SmartCash - SbgqBUuGBVaaFERmc5zPn8XStxXe7vE1SL
Sound advice for hardening a server, I have been through all this myself but it's worth having for future reference.
#thealliance #witness