🧩Multi-Factor Authentication (MFA) for a Validator

Multi-Factor Authentication (MFA) is a crucial security measure for a validator. It prevents unauthorized access to the server, wallet, and critical node management systems.

Setting Up MFA for SSH Access

Enabling Two-Factor Authentication with Google Authenticator

Install Google Authenticator

sudo apt update && sudo apt install libpam-google-authenticator -y

Generate a Secret Key

google-authenticator

A QR code and key will appear. Save your backup codes!

Configure PAM for SSH

sudo nano /etc/pam.d/sshd

Add this line at the beginning:

auth required pam_google_authenticator.so

Enable MFA in the SSH Configuration

sudo nano /etc/ssh/sshd_config

Modify the following parameters (UsePAM must be enabled, or the PAM module is never consulted; on OpenSSH 8.7 and later the same setting as ChallengeResponseAuthentication is also named KbdInteractiveAuthentication):

UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

Restart SSH:

sudo systemctl restart sshd

Now, SSH access will require a one-time password (OTP) from Google Authenticator.


MFA for Hardware Security Keys (YubiKey)

Install FIDO2/U2F Support

sudo apt install libpam-u2f -y

Register Your YubiKey

mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys

Press the YubiKey button to confirm registration.

Configure PAM for SSH

sudo nano /etc/pam.d/sshd

Add:

auth required pam_u2f.so

Now, SSH access will require the hardware security key. The sshd_config settings from the previous section still apply, because pam_u2f is also reached through keyboard-interactive authentication.
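A configuration check covering both SSH setups above (Google Authenticator and YubiKey), added here as an example and not taken from the original page: it reads a copy of sshd_config and of /etc/pam.d/sshd and reports whether the second factor is actually enforced. The fixture contents, file names and the function names are constructed for this demonstration.

```shell
# Audit an sshd_config and a /etc/pam.d/sshd file for the MFA settings described
# above. Paths are parameters, so the check runs on copies or on test fixtures.

# Effective value of an sshd directive: the last active occurrence before any
# Match block wins (as sshd -T reports). Commented lines ("#Key yes") are ignored.
sshd_directive() {   # $1 = sshd_config path, $2 = directive name
  awk -v key="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t\r]+$/, ""); val = $0 }
    END { if (val != "") print tolower(val) }' "$1"
}

# Returns 0 when the pair enforces public key + PAM second factor, 1 otherwise;
# every failed check is reported on stderr.
check_ssh_mfa() {    # $1 = sshd_config path, $2 = pam.d/sshd path
  local cfg="$1" pam="$2" ok=0 val
  # 1. An active (uncommented) MFA module line in the sshd PAM stack.
  if ! grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_(google_authenticator|u2f)\.so' "$pam"; then
    echo "FAIL: no active pam_google_authenticator.so / pam_u2f.so auth line in $pam" >&2; ok=1
  fi
  # 2. Without UsePAM yes the PAM stack is never consulted for the OTP or key.
  val=$(sshd_directive "$cfg" UsePAM)
  [ "$val" = "yes" ] || { echo "FAIL: UsePAM is '${val:-unset}', need yes" >&2; ok=1; }
  # 3. Keyboard-interactive enabled under its old or its OpenSSH 8.7+ name.
  if [ "$(sshd_directive "$cfg" ChallengeResponseAuthentication)" != "yes" ] &&
     [ "$(sshd_directive "$cfg" KbdInteractiveAuthentication)" != "yes" ]; then
    echo "FAIL: ChallengeResponseAuthentication/KbdInteractiveAuthentication is not yes" >&2; ok=1
  fi
  # 4. Both factors chained with a comma (required in sequence); a space-separated
  #    list would instead offer alternatives, letting a single factor suffice.
  val=$(sshd_directive "$cfg" AuthenticationMethods)
  [ "$val" = "publickey,keyboard-interactive" ] ||
    { echo "FAIL: AuthenticationMethods is '${val:-unset}', need publickey,keyboard-interactive" >&2; ok=1; }
  return $ok
}

# Constructed fixtures: one hardened pair as configured above, one stock-like pair.
write_fixtures() {   # $1 = directory to populate
  printf 'UsePAM yes\nChallengeResponseAuthentication yes\nAuthenticationMethods publickey,keyboard-interactive\n' > "$1/sshd_config.good"
  printf 'auth required pam_google_authenticator.so\n@include common-auth\n' > "$1/pam_sshd.good"
  printf 'UsePAM yes\n#ChallengeResponseAuthentication yes\nKbdInteractiveAuthentication no\n' > "$1/sshd_config.bad"
  printf '@include common-auth\n#auth required pam_google_authenticator.so\n' > "$1/pam_sshd.bad"
}
demo() {
  d=$(mktemp -d) && write_fixtures "$d"
  check_ssh_mfa "$d/sshd_config.good" "$d/pam_sshd.good" && echo "hardened pair: MFA enforced"
  check_ssh_mfa "$d/sshd_config.bad" "$d/pam_sshd.bad" || echo "stock pair: MFA NOT enforced"
  rm -rf "$d"
}
```

Run `demo` to see both verdicts, or point `check_ssh_mfa` at `/etc/ssh/sshd_config /etc/pam.d/sshd` on the validator before closing your existing session.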


MFA for the Validator Wallet

Best Option – Hardware Wallet (Ledger, Trezor)

  • Store private keys on Ledger Nano X or Trezor Model T.

  • Connect only when signing transactions.

  • Keplr + Ledger is an ideal solution for Cosmos validators.

Securing a Hot Wallet

If the wallet is stored on the server, run:

chmod 600 ~/.wallet/keystore
chown username:username ~/.wallet/keystore

  • Back up your mnemonic phrase offline.

  • Restrict access to wallet files using ACLs (Access Control Lists).


MFA for Monitoring and API

Securing Grafana with a Password + MFA

  1. Enable OAuth 2.0 with Google/Auth0 for Grafana.

  2. Restrict access to Grafana with 2FA.

  3. Set up Fail2Ban to protect against brute-force attacks:

sudo nano /etc/fail2ban/jail.local

Add:

[grafana]
enabled = true
port = 3000
filter = grafana
logpath = /var/log/grafana/grafana.log
maxretry = 5
bantime = 3600

Apply changes:

sudo systemctl restart fail2ban

Protecting RPC and API with MFA

Securing RPC Access via NGINX + OAuth

  1. Install NGINX + JWT authentication.

  2. Restrict access to /rpc, /api by IP addresses and keys.

  3. Implement Cloudflare Access to enforce MFA for API access.
