🔒Enhancing SSH Security for a Validator

Securing SSH access is critical to protecting your validator. This guide covers essential security measures to minimize the risk of unauthorized access.

1. Changing the Default SSH Port

By default, SSH runs on port 22, making it an easy target for attacks. Changing it to a non-standard port improves security.

Open the SSH configuration file:
```
sudo nano /etc/ssh/sshd_config
```
Find the line:
```
#Port 22
```
Change it to something like:
```
Port 2222
```
Save changes (Ctrl + X → Y → Enter) and restart SSH:
```
sudo systemctl restart sshd
```

Important: Make sure the new port is allowed in your firewall.

sudo ufw allow 2222/tcp

2. Disabling Password Authentication

Using passwords makes your server vulnerable to brute-force attacks. SSH keys provide better security.

Generating SSH Keys

On your local computer (not the server), run:

ssh-keygen -t ed25519 -C "[email protected]"

This creates private (~/.ssh/id_ed25519) and public (~/.ssh/id_ed25519.pub) keys.

Adding the Key to the Server

Copy the public key to your server:

ssh-copy-id -p 2222 user@your_server

Or manually:

cat ~/.ssh/id_ed25519.pub | ssh -p 2222 user@your_server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Disabling Password Authentication

Edit the SSH config:

sudo nano /etc/ssh/sshd_config

Find and change:

PasswordAuthentication no

Restart SSH:

sudo systemctl restart sshd

3. Restricting SSH Access to Specific Users

Limit SSH access to selected users for additional security.

In /etc/ssh/sshd_config, add:

AllowUsers validator_user

Restart SSH:

sudo systemctl restart sshd

4. Enabling Two-Factor Authentication (2FA)

Adding 2FA enhances security with an additional authentication step.

Install Google Authenticator:

sudo apt install libpam-google-authenticator

Run the setup:
```
google-authenticator
```
Follow the instructions and scan the QR code in the Google Authenticator app.
Enable 2FA in SSH: Edit /etc/pam.d/sshd and add:
```
auth required pam_google_authenticator.so
```
In /etc/ssh/sshd_config, enable challenge-response authentication:
```
ChallengeResponseAuthentication yes
```
Restart SSH:
```
sudo systemctl restart sshd
```

Use Fail2Ban to protect against brute-force attacks.

Installing and Configuring Fail2Ban

sudo apt install fail2ban -y

Create a configuration file:

sudo nano /etc/fail2ban/jail.local

Add:

[sshd]
enabled = true
port = 2222
maxretry = 3
findtime = 600
bantime = 3600

Restart Fail2Ban:

sudo systemctl restart fail2ban

6. Restricting SSH Access by IP (Whitelist)

If you have a static IP, restrict SSH access to that IP only.

Edit /etc/hosts.allow:

sshd: 192.168.1.100

Block all other IPs in /etc/hosts.deny:

sshd: ALL

7. Configuring the Firewall (UFW)

Close unnecessary ports and allow only the SSH port you set.

sudo ufw allow 2222/tcp
sudo ufw enable

Check firewall status:

sudo ufw status verbose

8. Monitoring SSH Access

Check active SSH sessions:

who

View login attempts:

sudo cat /var/log/auth.log | grep "Failed"

Now your SSH access is well-protected. The key security measures include SSH keys instead of passwords, 2FA, Fail2Ban, and firewall rules.

Previous🔐 Validator Security: Our Approach and Protection Measures Next📡 TMKMS for Remote Signing

Last updated 11 months ago

hashtag1. Changing the Default SSH Port

hashtag2. Disabling Password Authentication

hashtagGenerating SSH Keys

hashtagAdding the Key to the Server

hashtagDisabling Password Authentication

hashtag3. Restricting SSH Access to Specific Users

hashtag4. Enabling Two-Factor Authentication (2FA)

hashtag5. Limiting Failed Login Attempts

hashtagInstalling and Configuring Fail2Ban

hashtag6. Restricting SSH Access by IP (Whitelist)

hashtag7. Configuring the Firewall (UFW)

hashtag8. Monitoring SSH Access