cc001
Lisker
Posts: 102
Joined: Sat Mar 12, 2016 12:48 pm

Secure basic setup of a delegate server

Wed Apr 20, 2016 3:48 pm

Introduction

Update 2016-05-04: Adapted for Lisk 0.2.1
Update 2016-08-09: Adapted for Lisk 0.3.2
Update 2016-11-17: Adapted for Lisk 0.4.1 / 0.5.0c (testnet)
Update 2016-11-17: Added hints from wannabe_RoteBaron and guide from densmirnov (thx to them)
Update 2016-12-06: Still valid for Lisk 0.5.0
Update 2017-03-06: Updated link to installLisk.sh, Still valid for Lisk 0.6.0 and 0.7.0 (testnet)

This is a tutorial on how to set up a new server as a delegate node. It contains only the very basic steps that should be performed on the new server to keep it secure and stable.
I base this tutorial on Ubuntu 14.04. Other distributions can differ a little bit.
This tutorial is written for the TESTNET, which runs on port 7000. If you want to follow it for the MAINNET, replace every port 7000 you find with 8000.
I'm using Linux to connect to the server, but you can use PuTTY on Windows as well.

I encourage everybody to contribute to this tutorial; let me know if I missed something or if something could be done differently. But keep in mind that it should be as easy as possible and not need too much time or knowledge.
And please vote for me on the mainnet :)

How to read/use this tutorial:
  • everything that is between < and > should be replaced by your own value. I added examples where needed.
  • execute the commands all in the given order
  • you can use 'vim' instead of 'nano', but I don't recommend it for beginners ;)

Basic System Setup
### connect to your new host as the user root, using the password provided by your hosting provider:
ssh root@<server-ip>
example: ssh root@123.123.123.123

### change the root password (you need to type it twice)
passwd

### exit and login again with your new password to verify it
exit
ssh root@<server-ip>
example: ssh root@123.123.123.123

### update all installed software on your node
apt-get update
apt-get dist-upgrade

# you should do this 'update' and 'dist-upgrade' every few days (or every day) to be sure you install the newest security updates. I may add an example of how you can automate this.

# If you get some error messages about 'LC_ALL' and 'locale' that cannot be set, do the following:
# show your set locales:
locale

# show your installed locales:
locale -a

# for every locale that is set (in the first command) but not installed (not in the output of the second command), do the following:
locale-gen "<missing-locale>"
example: locale-gen "de_CH.UTF-8"

### reboot your server (just in case the kernel has been updated) and connect again as root.
reboot
ssh root@<server-ip>

### install ntp to have accurate time; that's important for Lisk
apt-get install ntp
service ntp stop
ntpdate pool.ntp.org
service ntp start

### install additional software that is needed or useful
apt-get install unzip htop vim git tar nano

Add a new regular user
### add a new regular user. This is important because 'root' should not be used to do regular stuff, and software like Lisk should not be run as root, but as a regular user. If you need special rights (for example to install something), you can use 'sudo', see later.

adduser <your-new-username>
example: adduser cc001
# enter a new password twice and press ENTER 6 times to accept all default/empty values:

### add the new user to the sudo group, to be able to execute commands that need admin/root rights:
usermod -a -G sudo <your-new-username>
example: usermod -a -G sudo cc001

### disconnect and reconnect as the new user, not as root (use the password you entered when you created the new regular user)
exit
ssh <username>@<server-ip>
example: ssh cc001@123.123.123.123

Tighten SSH
### tighten your ssh config by changing the default ssh port and disallowing direct root login
# I know, it is often recommended to disallow password logins and allow only public-key logins. But I think it is too much for this guide. And personally I don't like it too much, because you won't be able to log in anymore from any computer/smartphone you want to. But it's true, it is even more secure.

sudo nano /etc/ssh/sshd_config

# go to the line with
'Port 22' and change it to a port number between 49152 and 65535
example: 'Port 54321'
I'll refer to this number in the following lines as <new_ssh_port>

# go to the line with
'PermitRootLogin yes' and change it to 'PermitRootLogin no'

# press Ctrl+X, then Y and then ENTER to save the modification
# restart the ssh service
sudo service ssh restart

### reconnect to verify that the connection is still working. You need to add the new port now to the command.
exit
ssh -p <new_ssh_port> <username>@<server-ip>
example: ssh -p 54321 cc001@123.123.123.123

Enable Swap (if not done yet)
### you should enable swap on your node, if not done already (at least if you are low on RAM and on SSD drives; HDD swap might be too slow). There are a lot of different opinions about swap, how big it should be, if it is needed at all, etc... I would say you definitely should enable it if you are low on RAM. If you have much RAM I guess you can go with no swap. On the other hand, if you have enough disk space you can simply activate it, just in case, but most likely your system will never use it.
follow this guide for a complete walk-through:
https://www.digitalocean.com/community/ ... untu-14-04

# here I give just the short version:
# verify with one of the following commands if swap is enabled already or not:
sudo swapon -s
free -m

# if swap is not enabled, do the following. Replace <size> with your own value. It depends on the server and RAM you have. Here is a recommendation from RedHat:
https://access.redhat.com/documentation ... #id4394007

sudo fallocate -l <size> /swapfile
# example: sudo fallocate -l 8G /swapfile (for a 8GB swapfile)
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

# edit /etc/fstab
sudo nano /etc/fstab

# and add the following line to the end:
/swapfile none swap sw 0 0

# save and exit with Ctrl+x, y, ENTER

fail2ban
### install fail2ban to prevent brute-force attacks
sudo apt-get install fail2ban

# now edit the fail2ban config for your modified ssh port
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

# replace every line that looks like this:
port = ssh
# with your new ssh port:
port = <new_ssh_port>

It should then look similar to this:

example:
[ssh]
enabled = true
port = 54321
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

# save and exit with Ctrl+x, y, ENTER
# restart fail2ban
sudo service fail2ban restart

Firewall
### install and enable firewall
# check also this tutorial for more details: https://www.digitalocean.com/community/ ... untu-14-04
# check the status with
sudo ufw status

# set it up
sudo ufw disable
sudo ufw default deny incoming
sudo ufw allow <new_ssh_port> # example: sudo ufw allow 54321
sudo ufw allow 443
sudo ufw allow 7000
sudo ufw allow 8000 # you can use only port 7000 for TESTNET, but remember to activate port 8000 when you switch to MAINNET
sudo ufw enable

# check the status again
sudo ufw status

# also use the following command to verify that the firewall is activated
sudo iptables -S
# you should see some lines with the ports you added

Additional security measures (I won't explain them in detail here)
Tips from wannabe_RoteBaron:
# you can disable the login for root in /etc/shadow
# allow only ssh connections based on the certificate (no login by password)

Lisk
### install lisk
cd ~ # goes to your home directory
wget https://downloads.lisk.io/lisk/main/installLisk.sh # downloads the installation script
(use wget https://downloads.lisk.io/lisk/test/installLisk.sh for testnet)
bash installLisk.sh install # starts the installation
Confirm your home directory as the installation location with ENTER, and enter 'test' or 'main' depending on which version you want to install.

cd lisk-test # go into your newly installed lisk directory
bash lisk.sh status # to verify it is running.
bash lisk.sh logs # to follow the logs and verify it is running; stop showing logs with Ctrl+c

### connect to your node
# enter this url in the browser:
http://<your-server-ip>:7000
example: http://123.123.123.123:7000

SSL for Lisk
### enable ssl for your node
# follow the excellent tutorial of Gr33nDrag0n: http://forum.lisk.io/viewtopic.php?f=38&t=184

### connect to your node with ssl
# enter this url in the browser:
https://<your-server-ip>
example: https://123.123.123.123

Configuring LISK
### You should maybe tighten up your Lisk config as well. There are several parameters in it you can play with. I won't describe them in detail here.
There is, for example, the option
"api": { "access": { "whiteList": [ ] } },
where you can define the IPs of hosts that may use your API. You should limit it to yourself.
The "forging": {} part also has a whitelist, where you can add your management nodes to allow enabling and disabling forging with a script.
And of course the "ssl" part; see Gr33nDrag0n's tutorial.

Let me know if you encountered some problems or if you have suggestions to improve the tutorial.
Thanks to MrV, tharude, and Gr33nDrag0n for their comments.
And vote for me on mainnet! :D Thanks

Becoming Lisk Delegate and Forging activation
densmirnov wrote a beautiful guide on how to do that here, thanks for that:
https://forum.lisk.io/viewtopic.php?f=38&t=1119
Last edited by cc001 on Mon Mar 06, 2017 6:27 pm, edited 16 times in total.
My Delegate Node
My Websites:
My Scripts:
My Tutorials:
  • Secure basic setup of a delegate server
  • how to set up 'lisk-rake' (outdated)
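
As an added example (this is not code from cc001's post, nor anything shipped by Lisk or the tools mentioned), here are the "Tighten SSH" and "fail2ban" edits from the tutorial above as a small POSIX shell script that works on files you pass to it, so you can try it on copies of sshd_config and jail.local and inspect the result before touching the live services. It assumes the Ubuntu 14.04 layout the tutorial uses: sshd_config keywords 'Port' and 'PermitRootLogin', and a fail2ban 0.8 '[ssh]' jail reading /var/log/auth.log. The function names (is_private_port, set_sshd_option, sshd_option, harden_sshd_config, verify_sshd_config, write_fail2ban_local) are made up for this example.

```sh
#!/bin/sh
# Added example, not part of cc001's post: applies the "Tighten SSH" and
# "fail2ban" edits to the files passed as arguments, so it can be run on
# copies first. Assumes the Ubuntu 14.04 layout the tutorial describes.
set -eu

# True if PORT is a number in IANA's dynamic/private range 49152-65535,
# the range the post recommends for the new SSH port.
is_private_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# Set KEY to VALUE in an sshd_config-style FILE. Replaces every existing
# line for KEY, including commented-out defaults such as "#Port 22", and
# appends the line if the keyword is absent. sshd uses the first value it
# sees for a keyword, so a stray earlier line would silently win.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s/^[#[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Effective value of KEY in FILE: the first uncommented occurrence,
# which is the one sshd will use.
sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# The two changes the tutorial makes by hand in nano.
harden_sshd_config() {
    file="$1"; port="$2"
    if ! is_private_port "$port"; then
        echo "refusing port $port: choose one between 49152 and 65535" >&2
        return 1
    fi
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
}

# Check a config before restarting sshd; returns 1 and explains what is
# wrong. Restarting with a bad config (or before the new port is allowed
# through the firewall) locks you out of the server.
verify_sshd_config() {
    file="$1"
    port=$(sshd_option "$file" Port)
    root=$(sshd_option "$file" PermitRootLogin)
    ok=0
    is_private_port "$port" || { echo "Port is '$port', not in 49152-65535" >&2; ok=1; }
    [ "$root" = "no" ] || { echo "PermitRootLogin is '$root', not 'no'" >&2; ok=1; }
    return "$ok"
}

# Minimal jail.local: fail2ban reads jail.conf and then overlays jail.local,
# so only the [ssh] jail with the changed port needs to be written instead
# of copying and editing the whole jail.conf as the post does.
write_fail2ban_local() {
    file="$1"; port="$2"
    is_private_port "$port" || return 1
    cat > "$file" <<EOF
[ssh]
enabled  = true
port     = ${port}
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
EOF
}

# Usage (as root, after backing up both files):
#   sh harden.sh /etc/ssh/sshd_config /etc/fail2ban/jail.local 54321
# then: sshd -t && service ssh restart && service fail2ban restart
if [ "$#" -eq 3 ]; then
    harden_sshd_config "$1" "$3"
    verify_sshd_config "$1"
    write_fail2ban_local "$2" "$3"
fi
```

Run it against the real files only after backing them up, then validate with 'sshd -t' (which exits non-zero on a malformed sshd_config) and make sure 'sudo ufw allow <new_ssh_port>' is already in place before 'service ssh restart'; the restart does not drop your current session, so keep it open and test the new port from a second terminal. The verify function catches the two mistakes that matter here (a Port outside the suggested range and PermitRootLogin still 'yes') but deliberately leaves PasswordAuthentication alone, as the post does.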

Frodek
Lisker
Posts: 12
Joined: Mon Apr 04, 2016 2:16 pm

Re: Secure basic setup of a delegate server

Wed Apr 20, 2016 4:01 pm

Thanks! Server will be very secure.

Gr33nDrag0n
Lisker
Posts: 123
Joined: Sat Mar 26, 2016 8:22 pm
Location: Quebec, Canada

Re: Secure basic setup of a delegate server

Wed Apr 20, 2016 10:44 pm

Nice job, will PM you my comments on the Lisk chat for improvements.
And thanks for mentioning my HowTo!
Gr33nDrag0n | 194109334904015388L | Delegate | lisknode.io

cc001
Lisker
Posts: 102
Joined: Sat Mar 12, 2016 12:48 pm

Re: Secure basic setup of a delegate server

Thu Apr 21, 2016 5:46 am

Gr33nDrag0n wrote:Nice job, will PM you my comments on the Lisk chat for improvements.
And thanks for mentioning my HowTo!


thanks, added your comments

Videodrome
Lisker
Posts: 57
Joined: Tue Mar 15, 2016 11:49 pm

Re: Secure basic setup of a delegate server

Fri Apr 22, 2016 1:43 pm

Why do you suggest a port between this range?

# go to the line with
'Port 22' and change it to a port number between 49152 and 65535
example: 'Port 54321'
I'll refer to this number in the following lines as <new_ssh_port>

thanks

cc001
Lisker
Posts: 102
Joined: Sat Mar 12, 2016 12:48 pm

Re: Secure basic setup of a delegate server

Sun Apr 24, 2016 11:41 am

Videodrome wrote:Why do you suggest a port between this range?

Because of this:
http://www.iana.org/assignments/service ... bers.xhtml
Port numbers are assigned in various ways, based on three ranges: System
Ports (0-1023), User Ports (1024-49151), and the Dynamic and/or Private
Ports (49152-65535)

Videodrome
Lisker
Posts: 57
Joined: Tue Mar 15, 2016 11:49 pm

Re: Secure basic setup of a delegate server

Sun Apr 24, 2016 1:35 pm

cc001 wrote:
Videodrome wrote:Why do you suggest a port between this range?

Because of this:
http://www.iana.org/assignments/service ... bers.xhtml
Port numbers are assigned in various ways, based on three ranges: System
Ports (0-1023), User Ports (1024-49151), and the Dynamic and/or Private
Ports (49152-65535)


Thanks for the clarification, very helpful!

Phoenix1969
Lisker
Posts: 106
Joined: Sat Apr 02, 2016 6:21 pm
Location: Hawaii
Contact: Website

Re: Secure basic setup of a delegate server

Tue Apr 26, 2016 8:01 am

Kudos.... well written, easy to understand
Vote for Phoenix1969

Samurray
Lisker
Posts: 141
Joined: Sat Mar 26, 2016 8:14 am
Location: Romania
Contact: Twitter

Re: Secure basic setup of a delegate server

Thu Apr 28, 2016 12:21 pm

Very good and simple to follow guide. Great work cc001 !
Congrats!
My Candidature : https://forum.lisk.io/viewtopic.php?f=6&t=136

I believe that the first 101 active delegates will have the same amount of responsibility as Country Ambassadors: to secure the success of the Lisk platform wherever they are! Go Lisk !!! ;)

metal494
Lisker
Posts: 162
Joined: Sat Mar 26, 2016 2:07 am
Location: Argentina
Contact: Facebook Twitter Skype Google+

Re: Secure basic setup of a delegate server

Sat Apr 30, 2016 4:36 am

Very nice guide mate! I don't think it will be so easy; at the weekend I'm starting to play with this and other guides here, thanks!
