ChainOS Node Security

Security Overview

Securing your ChainOS node is critical for maintaining network integrity and protecting your assets. This guide covers best practices for system hardening, key management, and network security.

Why Security Matters

Proper security measures are essential for several reasons:

System Security

Start with securing the underlying operating system:

Operating System Hardening

Update Regularly

Keep your system updated with security patches:

# Update package lists
sudo apt update

# Apply security updates
sudo apt upgrade -y

# Enable automatic security updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Minimize Attack Surface

Remove unnecessary services and packages:

# List installed packages
dpkg -l

# Remove unnecessary services
sudo apt remove --purge apache2 bind9 samba

# Disable unused services
sudo systemctl disable bluetooth.service
sudo systemctl disable cups.service

User Management

Implement proper user access controls:

# Create a dedicated user for running ChainOS
sudo useradd -m -s /bin/bash chainos

# Add to sudo group if necessary (limit this)
sudo usermod -aG sudo chainos

# Set strong password
sudo passwd chainos

# Disable root login
sudo passwd -l root

SSH Security

Secure SSH access to your server:

# Edit SSH configuration
sudo nano /etc/ssh/sshd_config

# Recommended settings
Port 2222                    # Change default port
PermitRootLogin no           # Disable root login
PasswordAuthentication no    # Disable password authentication
PubkeyAuthentication yes     # Enable key-based authentication
AllowUsers chainos           # Only allow specific users
MaxAuthTries 3               # Limit authentication attempts
ClientAliveInterval 300      # Client timeout
ClientAliveCountMax 2        # Maximum client alive count

# Restart SSH service
sudo systemctl restart sshd

Firewall Configuration

Implement a restrictive firewall policy:

# Install UFW (Uncomplicated Firewall)
sudo apt install ufw

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH on custom port
sudo ufw allow 2222/tcp

# Allow ChainOS P2P port
sudo ufw allow 26656/tcp

# Allow specific RPC access (if needed)
sudo ufw allow from 203.0.113.0/24 to any port 26657 proto tcp

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status verbose

Intrusion Prevention with Fail2ban

Install and configure Fail2ban to prevent brute force attacks:

# Install Fail2ban
sudo apt install fail2ban

# Create a custom configuration
sudo nano /etc/fail2ban/jail.local

# Add the following configuration
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

# Restart Fail2ban
sudo systemctl restart fail2ban

ChainOS-Specific Security

Secure your ChainOS node with these specific measures:

Key Management

Properly secure your validator and node keys:

Validator Key Security (for validators)

The priv_validator_key.json file is critical for validators:

  • Store in a Hardware Security Module (HSM) if possible
  • Set restrictive file permissions: chmod 400 ~/.chainosd/config/priv_validator_key.json
  • Create encrypted backups stored securely offline
  • Consider using remote signing setup for additional security

Node Key Security

Secure your node_key.json file:

# Set proper permissions
chmod 400 ~/.chainosd/config/node_key.json

# Create a secure backup
tar -czf node_key_backup.tar.gz ~/.chainosd/config/node_key.json
gpg -c node_key_backup.tar.gz
mv node_key_backup.tar.gz.gpg /secure-backup-location/

RPC Security

Secure your RPC endpoints:

# In ~/.chainosd/config/config.toml

# Bind RPC server to localhost only
[rpc]
laddr = "tcp://127.0.0.1:26657"

# Limit connections
max_open_connections = 100
max_subscription_clients = 10
max_subscriptions_per_client = 5

# Disable unnecessary CORS
cors_allowed_origins = []

API Security

Secure API endpoints:

# In ~/.chainosd/config/app.toml

# Bind API server to localhost only
[api]
address = "tcp://127.0.0.1:1317"
enable = true
enabled-unsafe-cors = false

# Bind gRPC server to localhost only
[grpc]
address = "127.0.0.1:9090"

Reverse Proxy Setup

Use a reverse proxy for public-facing endpoints:

# Install Nginx
sudo apt install nginx

# Create Nginx configuration
sudo nano /etc/nginx/sites-available/chainos

# Add configuration
server {
    listen 443 ssl;
    server_name node.example.com;

    ssl_certificate /etc/letsencrypt/live/node.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/node.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;

    # Rate limiting
    limit_req_zone $binary_remote_addr zone=rpc:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=api:10m rate=5r/s;

    # RPC endpoint
    location /rpc/ {
        limit_req zone=rpc burst=20 nodelay;
        proxy_pass http://127.0.0.1:26657/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # REST API endpoint
    location /api/ {
        limit_req zone=api burst=10 nodelay;
        proxy_pass http://127.0.0.1:1317/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Basic auth for certain endpoints
    location /rpc/net_info {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://127.0.0.1:26657/net_info;
    }
}

# Enable the site
sudo ln -s /etc/nginx/sites-available/chainos /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx

Network Security

Implement these network security measures:

Sentry Node Architecture

For validators, implement a sentry node architecture to protect your validator node:

Sentry Node Setup

Sentry Node Architecture

In this setup:

  • Validator node is in a private network with no public connections
  • Sentry nodes are public-facing and relay transactions to the validator
  • Validator only connects to trusted sentry nodes

Configure your validator's config.toml:

# Validator node configuration
[p2p]
pex = false
persistent_peers = "sentry_node_id@sentry_node_internal_ip:26656"
private_peer_ids = ""
addr_book_strict = false
unconditional_peer_ids = "sentry_node_id"
max_num_outbound_peers = 10
max_num_inbound_peers = 0  # Disable inbound connections

Configure your sentry node's config.toml:

# Sentry node configuration
[p2p]
pex = true
persistent_peers = "validator_node_id@validator_node_internal_ip:26656,other_sentry_node_id@other_sentry_node_ip:26656"
private_peer_ids = "validator_node_id"  # Keep validator private
addr_book_strict = false
unconditional_peer_ids = "validator_node_id"

DDoS Protection

Implement DDoS protection measures:

VPN for Private Communication

Set up a VPN for secure communication between nodes:

# Install WireGuard
sudo apt install wireguard

# Generate keys
wg genkey | tee privatekey | wg pubkey > publickey

# Create WireGuard configuration
sudo nano /etc/wireguard/wg0.conf

# Example configuration for server
[Interface]
PrivateKey = server_private_key
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = client_public_key
AllowedIPs = 10.0.0.2/32

# Enable and start WireGuard
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Security Monitoring

Implement security monitoring for your node:

Log Monitoring

Monitor logs for suspicious activity:

# Install log monitoring tools
sudo apt install logwatch

# Configure daily email reports
sudo nano /etc/logwatch/conf/logwatch.conf
# Set: MailTo = your-email@example.com

# Monitor authentication logs in real-time
sudo tail -f /var/log/auth.log | grep "Failed password"

# Monitor ChainOS logs
tail -f ~/.chainosd/logs/chainos.log | grep "ERR"

Intrusion Detection

Set up intrusion detection with OSSEC:

# Install OSSEC
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar -xzf 3.6.0.tar.gz
cd ossec-hids-3.6.0
./install.sh

# Follow the installation prompts to set up email notifications
# and configure which files to monitor

Security Checklist

Use this checklist to ensure your node is properly secured:

System Security

  • ☐ Operating system fully updated
  • ☐ Unnecessary services disabled
  • ☐ Strong user password policies
  • ☐ SSH hardened (key-based auth, non-standard port)
  • ☐ Firewall configured with minimal open ports
  • ☐ Fail2ban or similar intrusion prevention installed
  • ☐ Automatic security updates enabled

ChainOS Security

  • ☐ Validator key properly secured (HSM or restricted permissions)
  • ☐ Node key properly secured
  • ☐ RPC endpoints secured (localhost or authenticated)
  • ☐ API endpoints secured
  • ☐ Reverse proxy with TLS and rate limiting configured
  • ☐ Sentry node architecture implemented (for validators)
  • ☐ Regular key backups stored securely

Monitoring and Response

  • ☐ Log monitoring configured
  • ☐ Intrusion detection system installed
  • ☐ Security alerts set up
  • ☐ Incident response plan documented
  • ☐ Regular security audits scheduled
  • ☐ Backup and recovery procedures tested

Security is Ongoing

Remember that security is not a one-time setup but an ongoing process. Regularly review and update your security measures as new threats emerge and best practices evolve.

Need Help?

If you need assistance with node security, join our Discord community where our team and other node operators can help.