# 🧩Multi-Factor Authentication (MFA) for a Validator

### Setting Up MFA for SSH Access

#### **Enabling Two-Factor Authentication with Google Authenticator**

**Install Google Authenticator**

```bash
sudo apt update && sudo apt install libpam-google-authenticator -y
```

**Generate a Secret Key**

```bash
google-authenticator
```

A QR code and key will appear. **Save your backup codes!**

**Configure PAM for SSH**

```bash
sudo nano /etc/pam.d/sshd
```

Add this line at the beginning:

```
auth required pam_google_authenticator.so
```

**Enable MFA in the SSH Configuration**

```bash
sudo nano /etc/ssh/sshd_config
```

Modify the following parameters (on OpenSSH 8.7 and later the first keyword is named `KbdInteractiveAuthentication`; `ChallengeResponseAuthentication` is still accepted as an alias):

```
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
```

Restart SSH:

```bash
sudo systemctl restart sshd
```

Now, SSH access will require a one-time password (OTP) from Google Authenticator.

***

### MFA for Hardware Security Keys (YubiKey)

**Install FIDO2/U2F Support**

```bash
sudo apt install libpam-u2f -y
```

**Register Your YubiKey**

```bash
mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys
```

Press the YubiKey button to confirm registration.

**Configure PAM for SSH**

```bash
sudo nano /etc/pam.d/sshd
```

Add:

```
auth required pam_u2f.so
```

Now, SSH access will require the hardware security key.
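A configuration check for both SSH setups above (Google Authenticator and YubiKey), added here as an example and not part of the original guide. It inspects copies of `sshd_config` and `/etc/pam.d/sshd` passed as arguments, and assumes sshd's rule that the first uncommented occurrence of a keyword wins; the `UsePAM yes` requirement is a fact about PAM modules that the guide does not state.

```shell
#!/bin/sh
# Added check for the two SSH MFA setups above (Google Authenticator and
# YubiKey); it is not part of the original guide. It inspects copies of
# sshd_config and /etc/pam.d/sshd given as arguments, so it can run before
# sshd is restarted. Assumes sshd's rule that the first uncommented
# occurrence of a keyword wins.

# Print the effective value of a keyword (KEY may be an alternation such as
# "A|B", matched case-insensitively) in the sshd_config FILE.
sshd_opt() {
  awk -v k="$2" '$1 !~ /^#/ && tolower($1) ~ ("^(" tolower(k) ")$") {
    $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Succeed only if FILE enforces public key AND PAM keyboard-interactive (OTP).
check_sshd_mfa() {
  f="$1"
  # PAM modules such as pam_google_authenticator run only with UsePAM yes
  # (the Debian default, which the guide relies on without stating it).
  [ "$(sshd_opt "$f" UsePAM)" = yes ] ||
    { echo "UsePAM must be yes" >&2; return 1; }
  # OpenSSH 8.7+ spells the option KbdInteractiveAuthentication; the old
  # ChallengeResponseAuthentication is an alias, so accept either first hit.
  kbd="$(sshd_opt "$f" 'KbdInteractiveAuthentication|ChallengeResponseAuthentication')"
  [ "$kbd" = yes ] ||
    { echo "keyboard-interactive authentication is not enabled" >&2; return 1; }
  # Exact match on purpose: "publickey,keyboard-interactive password" would
  # let a password alone pass, so anything but the required pair fails.
  case "$(sshd_opt "$f" AuthenticationMethods)" in
    publickey,keyboard-interactive|keyboard-interactive,publickey) return 0 ;;
  esac
  echo "AuthenticationMethods must be publickey,keyboard-interactive" >&2
  return 1
}

# Succeed only if the PAM file FILE has an active "auth required MODULE" line
# (a leading "#" disables it, which is a common misconfiguration).
pam_requires() {
  grep -Eq "^[[:space:]]*auth[[:space:]]+required[[:space:]]+($2)([[:space:]]|$)" "$1"
}

# Usage: sh check-ssh-mfa.sh /etc/ssh/sshd_config /etc/pam.d/sshd
if [ "$#" -eq 2 ]; then
  check_sshd_mfa "$1" && pam_requires "$2" 'pam_google_authenticator.so|pam_u2f.so' \
    && echo "SSH MFA configuration looks correct"
fi
```

Run it against the live files after editing and before `systemctl restart sshd`, so a typo cannot lock you out of the node.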

***

### MFA for the Validator Wallet

#### **Best Option – Hardware Wallet (Ledger, Trezor)**

* Store private keys on **Ledger Nano X** or **Trezor Model T**.
* Connect only when signing transactions.
* **Keplr + Ledger** is an ideal solution for Cosmos validators.

#### **Securing a Hot Wallet**

If the wallet is stored on the server, run:

```bash
chmod 600 ~/.wallet/keystore
chown username:username ~/.wallet/keystore
```

* **Backup your mnemonic phrase offline.**
* Restrict access to wallet files using **ACL (Access Control List)**.

***

### MFA for Monitoring and API

**Securing Grafana with a Password + MFA**

1. Enable **OAuth 2.0** with Google/Auth0 for Grafana.
2. Restrict access to Grafana with **2FA**.
3. Set up Fail2Ban to protect against brute-force attacks:

```bash
sudo nano /etc/fail2ban/jail.local
```

Add:

```
[grafana]
enabled = true
port = 3000
filter = grafana
logpath = /var/log/grafana/grafana.log
maxretry = 5
bantime = 3600
```

Apply changes:

```bash
sudo systemctl restart fail2ban
```

***

### Protecting RPC and API with MFA

**Securing RPC Access via NGINX + OAuth**

1. Install **NGINX + JWT authentication**.
2. Restrict access to `/rpc`, `/api` by IP addresses and keys.
3. Implement **Cloudflare Access** to enforce **MFA for API access**.
