This text is just a "first draft" I created in 30 minutes. It doesn't explain how to apply the recommended configuration.
It's not considered a "complete" list. Please let me know if you think of something that should be added or if you think I mention something wrong.
Thanks to Slasheks, Tharude, Isabella, cc001, Nerigal, ViperTKD for the constructive discussion about security in the last months.
Also to everybody I forgot to mention.
# Server Configuration
- Configure a firewall with a default-deny policy: block everything except the ports you deliberately choose to expose.
- Use a blacklist to pre-ban known bad IPs.
- Use an intrusion detection system, and configure it properly (an IDS with default rules and nobody reading its alerts adds nothing).
- Use a tool that automatically bans IPs doing SYN floods, packet crafting, port scans, etc.
- Disable root login and password login in your SSH server configuration (PermitRootLogin no, PasswordAuthentication no) and use key-based authentication only.
- Use a firewall whitelist to choose which IPs can reach port 22.
- Always work as a sudoer user, not as root.
- Make sure to run 'apt-get update && apt-get upgrade' or 'yum update' daily so that OS and application security updates are installed proactively. Note that 'apt-get update' alone only refreshes the package index; it installs nothing.
- Make sure to renew your SSL certificates before they expire.
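The firewall and SSH items above, as an added example (not code from the original guide): a small script that generates a default-deny IPv4 iptables ruleset in which port 22 is reachable only from a whitelist, and that audits sshd_config the way sshd itself reads it (the first value of a keyword wins, so a hardening line appended at the bottom is silently ignored if the keyword was already set higher up). The management/backup addresses, the public ports and the name of the script are assumptions; the generator prints the commands instead of running them so you can review them first.

```python
import ipaddress

# Assumed values: documentation-range addresses for the management and backup
# computers, 443 for the SSL front in front of the node, 8000 for the Lisk peer
# port (API access on it is restricted in config.json, not by the firewall).
MANAGEMENT_IPS = ["203.0.113.10", "203.0.113.20"]
PUBLIC_PORTS = [443, 8000]


def iptables_rules(ssh_sources, public_ports, ssh_port=22):
    """Return the iptables commands (as strings) for: loopback and established
    traffic allowed, SSH only from ssh_sources, the chosen public ports open,
    a per-source connection cap, dropped packets logged, default policy DROP.
    The DROP policy is set last so an existing SSH session is not cut while the
    rules are being (re)loaded."""
    for src in ssh_sources:
        ipaddress.ip_network(src, strict=False)   # fail on a typo before you lock yourself out
    rules = [
        "iptables -F INPUT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP",
        # crude brake on SYN floods and aggressive scanners: cap the number of
        # simultaneous connections a single source may open
        "iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 30 -j DROP",
    ]
    for src in ssh_sources:
        rules.append(f"iptables -A INPUT -p tcp --dport {ssh_port} -s {src} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    for port in public_ports:
        rules.append(f"iptables -A INPUT -p tcp --dport {port} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    rules.append('iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "')
    rules.append("iptables -P FORWARD DROP")
    rules.append("iptables -P INPUT DROP")
    return rules


def sshd_config_findings(text):
    """Audit an sshd_config body. Mirrors sshd's 'first value wins' rule for a
    keyword; anything after the first Match block is not modelled here."""
    first = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        first.setdefault(key, value)
    findings = []
    root = first.get("permitrootlogin", "<unset>")
    if root.lower() != "no":
        findings.append(f"PermitRootLogin is not 'no' (effective value: {root})")
    pwd = first.get("passwordauthentication", "<unset>")
    if pwd.lower() != "no":
        findings.append(f"PasswordAuthentication is not 'no' (effective value: {pwd})")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # hypothetical usage: python harden_check.py /etc/ssh/sshd_config
        with open(sys.argv[1]) as f:
            for finding in sshd_config_findings(f.read()) or ["sshd_config: OK"]:
                print(finding)
    else:
        print("\n".join(iptables_rules(MANAGEMENT_IPS, PUBLIC_PORTS)))
```

Apply the printed rules from a console or with a scheduled rollback (e.g. a flush queued a few minutes ahead) the first time, so a mistake in the whitelist does not lock you out of the server.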
# Lisk Configuration
- Use a trusted SSL certificate, not a self-signed one, so that your browser can actually tell your node apart from an impostor.
- Never access your nodes over plain HTTP on port 80 or 8000: everything you send, including a passphrase, travels in clear text.
- Set a second passphrase on all your Lisk account(s).
- Never install third-party tools or scripts that have not been reviewed by you or by someone you trust.
- Never install a dapp until the SDK sandbox is ready for use.
- Choose carefully where you get your snapshots from.
- Configure Lisk to accept forging and API requests only from localhost, your management computer's IP and your backup computer's IP.
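The last item, as an added example (not Lisk project code): an audit of config.json against the checklist, with a constructed weak config next to a hardened one. The layout it checks (api.access.public, api.access.whiteList, forging.access.whiteList, forging.secret, ssl.enabled) is the Lisk 0.x config.json layout as assumed here; verify the key names against your own config.json before relying on it. The management and backup addresses are placeholders.

```python
import ipaddress
import json

# Assumed placeholders for the management and backup computers.
MANAGEMENT_IPS = ["203.0.113.10"]
BACKUP_IPS = ["203.0.113.20"]

OPEN_TO_EVERYONE = {"*", "0.0.0.0", "0.0.0.0/0", "::", "::/0"}


def offending_entries(whitelist, allowed):
    """Return the whitelist entries that let in more than the allowed hosts:
    wildcards, whole ranges, unparseable strings, or addresses not in `allowed`."""
    bad = []
    for entry in whitelist:
        e = str(entry).strip()
        if e in OPEN_TO_EVERYONE:
            bad.append(e)
            continue
        try:
            net = ipaddress.ip_network(e, strict=False)
        except ValueError:
            bad.append(e)
            continue
        if net.num_addresses > 1 or str(net.network_address) not in allowed:
            bad.append(e)
    return bad


def audit_lisk_config(cfg, management_ips, backup_ips=()):
    """Return a list of findings; an empty list means the config matches the checklist."""
    allowed = {"127.0.0.1", "::1", *management_ips, *backup_ips}
    findings = []
    access = cfg.get("api", {}).get("access", {})
    forging = cfg.get("forging", {})
    is_forging_node = bool(forging.get("secret"))

    # The 'public API on a forging node' mistake from the bad-practice list.
    if access.get("public", False):
        sev = "CRITICAL" if is_forging_node else "HIGH"
        findings.append(f"{sev}: api.access.public is true (API open to everyone)")

    bad = offending_entries(access.get("whiteList", []), allowed)
    if bad:
        findings.append(f"HIGH: api.access.whiteList allows {bad}")

    bad = offending_entries(forging.get("access", {}).get("whiteList", []), allowed)
    if bad:
        findings.append(f"HIGH: forging.access.whiteList allows {bad}")

    if not cfg.get("ssl", {}).get("enabled", False):
        findings.append("MEDIUM: ssl.enabled is false (wallet/API traffic to this node is plain HTTP)")
    return findings


# Constructed sample configs (assumed 0.x layout), weak beside hardened.
WEAK_CONFIG = json.loads("""
{"port": 8000,
 "api": {"access": {"public": true, "whiteList": ["0.0.0.0"]}},
 "forging": {"force": true, "secret": ["<passphrase here>"],
             "access": {"whiteList": ["*"]}},
 "ssl": {"enabled": false}}
""")

HARDENED_CONFIG = json.loads("""
{"port": 8000,
 "api": {"access": {"public": false,
                    "whiteList": ["127.0.0.1", "203.0.113.10", "203.0.113.20"]}},
 "forging": {"force": true, "secret": ["<passphrase here>"],
             "access": {"whiteList": ["127.0.0.1", "203.0.113.10", "203.0.113.20"]}},
 "ssl": {"enabled": true,
         "options": {"port": 443, "address": "0.0.0.0",
                     "key": "./ssl/lisk.key", "cert": "./ssl/lisk.crt"}}}
""")


if __name__ == "__main__":
    import sys
    # hypothetical usage: python audit_config.py /path/to/config.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            cfg = json.load(f)
    else:
        cfg = WEAK_CONFIG
    for finding in audit_lisk_config(cfg, MANAGEMENT_IPS, BACKUP_IPS) or ["OK: no findings"]:
        print(finding)
```

Whole ranges are reported on purpose: the checklist names three specific hosts, so a /24 in a whitelist means someone widened it without thinking about who else sits in that range.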
# Bad practice examples I've seen a lot lately:
- Failover scripts configured to use port 8000 (unencrypted).
- No second passphrase.
- Public API open on a forging node.
- Entering your passphrase in an unknown public wallet.