Gr33nDrag0n
Lisker
Posts: 123
Joined: Sat Mar 26, 2016 8:22 pm
Location: Quebec, Canada

Lisk Node Best Practice Cheat Sheet (Updated 2016-12-20)

Thu Dec 08, 2016 12:51 am

From my vast experience in IT, one thing I learned over the years is that knowledge transfer is a great way to improve security.

This text is just a "first draft" I created in 30 minutes. It doesn't explain how to apply the recommended configuration.
It's not considered a "complete" list. Please let me know if you think of something that should be added or if you think I mentioned something wrong.

Thanks to Slasheks, Tharude, Isabella, cc001, Nerigal, ViperTKD for the constructive discussion about security in the last months.
Also to everybody I forgot to mention.

# Server Configuration

  • Configure a firewall to block everything but what you choose to expose.
  • Use a blacklist to pre-ban known bad IPs.
  • Use an Intrusion Detection System (and configure it properly).
  • Use a system to auto-ban IPs doing SYN floods, packet crafting, port scans, etc.
  • Block root login and password login in your SSH server configuration.
  • Use a firewall whitelist to choose which IPs can contact port 22.
  • Always use a sudoer user, not root.
  • Make sure to do 'apt-get update' or 'yum update' daily to proactively install OS and application security updates.
  • Make sure to renew your SSL certificates before they expire.

# Lisk Configuration

  • Use a trusted SSL certificate (not self-signed).
  • Never access your nodes using HTTP on port 80 or 8000.
  • Create a second passphrase on all your Lisk account(s).
  • Never install third-party tools/scripts not reviewed by you or a trusted person.
  • Never install a dapp until the SDK sandbox is ready for usage.
  • Choose the source of the snapshots you are using wisely.
  • Configure Lisk to only accept forging and API requests from localhost, the management computer IP and the backup computer IP.

# Bad practices examples I've seen a lot lately:

  • Configuring a failover script using port 8000 (unencrypted).
  • No second passphrase.
  • API open to the public on a forging node.
  • Entering your passphrase on an unknown public wallet.
Last edited by Gr33nDrag0n on Wed Dec 21, 2016 4:28 am, edited 1 time in total.
Gr33nDrag0n | 194109334904015388L | Delegate | lisknode.io
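The items "block root login and password login in your SSH server configuration", "only accept forging and API requests from localhost, the management computer IP and the backup computer IP" and "never access your nodes using HTTP on port 8000" can be checked rather than eyeballed. The audit script below is an added example and is not part of Gr33nDrag0n's post or of Lisk's own code. It parses an sshd_config the way sshd does (first value of a keyword wins, directives after a Match block are conditional) and then inspects a Lisk config.json. The config.json key names it looks at (api.access.public, api.access.whiteList, forging.access.whiteList, ssl.enabled) are assumed from the Lisk 0.x layout and should be verified against your own file; both sample inputs and the IP addresses are constructed.

```python
import json

# --- sshd_config ---------------------------------------------------------

def parse_sshd_config(text):
    """Return the effective global directives of an sshd_config as
    {keyword_lower: value}. sshd uses the FIRST value it sees for a
    keyword, so earlier lines win. Directives after a 'Match' line only
    apply to the matched users/hosts, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

SSH_EXPECTED = {
    "permitrootlogin": "no",          # "Block root login"
    "passwordauthentication": "no",   # "... and password login"
}

def audit_sshd(text):
    """List the checklist items this sshd_config does not satisfy. A missing
    keyword is reported as well: PasswordAuthentication defaults to 'yes',
    and the PermitRootLogin default has changed between OpenSSH versions,
    so the safe state is an explicit 'no' for both."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in SSH_EXPECTED.items():
        got = cfg.get(key, "<not set>")
        if got.lower() != want:
            findings.append(f"sshd: {key} is '{got}', expected '{want}'")
    return findings

# --- Lisk config.json ---------------------------------------------------
# ASSUMPTION: key names follow the Lisk 0.x config.json layout
# (api.access.public, api.access.whiteList, forging.access.whiteList,
# ssl.enabled). Check them against the file on your own node.

def audit_lisk_config(cfg, allowed_ips):
    """List deviations from 'API and forging only for localhost, the
    management computer and the backup computer', plus plain-HTTP access."""
    findings = []
    allowed = set(allowed_ips) | {"127.0.0.1"}
    api_access = cfg.get("api", {}).get("access", {})
    if api_access.get("public", False):
        findings.append("lisk: api.access.public is true (API open to everyone)")
    for section in ("api", "forging"):
        whitelist = cfg.get(section, {}).get("access", {}).get("whiteList", [])
        if not whitelist:
            # What an empty list means depends on the Lisk version; flag it for review.
            findings.append(f"lisk: {section}.access.whiteList is empty; verify what your version does with an empty list")
        unexpected = sorted(set(whitelist) - allowed)
        if unexpected:
            findings.append(f"lisk: {section}.access.whiteList has unexpected entries {unexpected}")
    if not cfg.get("ssl", {}).get("enabled", False):
        findings.append("lisk: ssl.enabled is false (no HTTPS listener; API is plain HTTP on port 8000 unless a reverse proxy terminates TLS)")
    return findings

# --- constructed sample inputs (not from a real node) -------------------

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

SAMPLE_LISK_CONFIG = json.loads("""{
  "port": 8000,
  "api": {"access": {"public": true, "whiteList": ["127.0.0.1", "203.0.113.10"]}},
  "forging": {"access": {"whiteList": ["127.0.0.1", "203.0.113.10", "198.51.100.7"]}},
  "ssl": {"enabled": false}
}""")

# Constructed management and backup computer addresses (documentation range).
MANAGEMENT_IPS = ["203.0.113.10", "203.0.113.11"]

def audit_node(sshd_text=SAMPLE_SSHD_CONFIG, lisk_cfg=SAMPLE_LISK_CONFIG, allowed_ips=MANAGEMENT_IPS):
    """Run both audits and return the combined list of findings."""
    return audit_sshd(sshd_text) + audit_lisk_config(lisk_cfg, allowed_ips)

if __name__ == "__main__":
    for finding in audit_node():
        print("-", finding)
```

On the constructed samples the script reports root login still permitted, the public API flag, a forging whitelist entry that is neither localhost nor a management machine, and SSL disabled; the conditional PasswordAuthentication inside the Match block is correctly not counted against the global setting. To use it on a real node, read /etc/ssh/sshd_config and the node's config.json from disk and pass them to audit_node.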

cc001
Lisker
Posts: 103
Joined: Sat Mar 12, 2016 12:48 pm

Re: Lisk Node Best Practice Cheat Sheet (Updated 2016-12-07)

Thu Dec 08, 2016 5:57 am

Very good list, Gr33nDrag0n!
Maybe an additional point for "Bad practices": * Never enter your passphrase on an unknown public wallet.

Gr33nDrag0n
Lisker
Posts: 123
Joined: Sat Mar 26, 2016 8:22 pm
Location: Quebec, Canada

Re: Lisk Node Best Practice Cheat Sheet (Updated 2016-12-07)

Wed Dec 21, 2016 4:28 am

cc001 wrote:
Very good list, Gr33nDrag0n!
Maybe an additional point for "Bad practices": * Never enter your passphrase on an unknown public wallet.

Added, thanks
