This series of articles will help you tighten up your node to make it more difficult for a malicious actor or bot to succeed in taking control of your node.
If that first paragraph made you queasy, then it’s how I feel when I think about this whole subject of someone taking what’s mine! Same for you, right?
Prerequisite: This guide is to be used AFTER the great Winston Wolf guide that can be found here. It also assumes you are running a Windows machine to connect to your node, which I guess is likely the majority scenario.
Your node is public and listed in public view, see below:
Bots WILL have a go at your node, so this is why we have to make security our number one priority alongside running the actual node.
My computer — a perfectly ordinary desktop PC — had over 4,000 attempts to guess my password and almost 2,500 break-in attempts in the last week alone. Source: https://help.ubuntu.com/community/SSH/OpenSSH/Keys
To harden your node and make it harder to attack, we will be covering the following topics after first taking a snapshot.
- Creating an SSH Key in PuttyGen
- Assigning the SSH Private Key to Putty
- Turning off password authentication
- Modifying the default SSH port number
- Setting up other apps including Canonical Livepatch Service and Fail2ban.
Let's Start!
Let's first go and create a snapshot so we have exactly what we have now to restore to if things go wrong!
Login to your VPS control panel. I’m with Vultr so if you are too you can follow my screenshots and do this with me. Follow the black and white labels on the screenshots till further notice.
The snapshot will be actioned in a little while, so why not go for a break and come back in 10–15 minutes. Refresh the page when you get back to see if the pending status has changed to available...
Like so…
Now we have a snapshot in case it all doesn’t quite go to plan.
What are SSH Keys
So if you’re new to Ubuntu and nodes and everything, you may be wondering what are SSH keys and why are they better than just using a long password?
SSH keys use public/private key cryptography, in a similar way to how your crypto does, instead of a password, so they are much, much harder to brute force.
Instead of re-inventing the wheel, I found a great easy-to-digest article here: Password Authentication VS SSH Authentication, if you are wondering about the differences, pros, and cons of both authentication methods.
Creating an SSH Key in Puttygen
We will be creating the key in puttygen. If you previously installed putty you will already have puttygen installed; just search for it on your start menu. Otherwise you can install it from here.
Launch Puttygen. Once puttygen has started, change the number of bits to 4096 down the bottom right, as the longer key is more secure.
Now click on generate. Now proceed to wiggle the cursor in a random pattern on the puttygen area. The randomness of the mouse is the perfect way to make an SSH key. See short video below.
https://geordier.co.uk/videos/generate_putty.mp4
Once the key is finished generating, add a passphrase by filling in the passphrase boxes. See the next screenshot a few paragraphs down.
I chose Diamond[]Encrusted[]Sandcastles which is some random words together, it's easy to picture, and a huge 31 characters. You may choose something smaller and easier to remember if you wish; it's up to you.
Now click save private key. This is stored on your PC to connect to the node. This must be backed up somewhere safe and not given to anyone.
I chose to create a folder on my C drive called coti and I named the file my_p_key.ppk, however you can name it anything you like. You can even name it my_p_key.zip and be sneaky, which will hide the fact that it really is a PPK in disguise ;)
REMEMBER — BACKUP THE PRIVATE KEY FILE! Maybe keep it in a multi-factor password manager like LastPass. It can even store files as well as passwords, which is perfect for this scenario.
Copy the text out of the public key textbox like in the screenshot below. This is the public key needed for your node.
Now open a plain text editor like Notepad and paste the key into it.
Note: Make sure there are no extra spaces or lines before or after your pasted text.
Now save the public key in notepad. I called mine my_pub_key.txt
Tip: You may even add this key to your Vultr SSH keys section in case you want to deploy a node in the future with this public key already implanted.
Now with the public key still copied in your clipboard, go to your node in putty and type the following two commands. The first one creates the SSH folder and the second one sets the permissions for it.
mkdir -p /root/.ssh
chmod 700 /root/.ssh/
Now let's create a new file with nano which will hold our public key. It must be called authorized_keys. Type the command below then press enter.
nano /root/.ssh/authorized_keys
Right click on the putty screen and you will see the key paste in that we copied earlier.
Note: A right click on a putty terminal is basically a “paste” of the clipboard.
Now press Ctrl + X to exit, then press Y to confirm the changes, and then press Enter to confirm the Save action.
Next we need to set the authorized_keys file to the correct permissions. In putty type the following line.
chmod 600 /root/.ssh/authorized_keys
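A quick check of the result of the steps above, as an added example that is not part of the original guide: the function audit_ssh_dir (a hypothetical name) confirms the 700 and 600 modes and flags any line in authorized_keys that is not one complete key, which is what a wrapped paste or stray text produces. It assumes GNU stat, as found on Ubuntu, and key lines without option prefixes.

```shell
#!/bin/sh
# Added example (not from the original guide): check an .ssh directory after
# pasting a key. Assumes GNU stat (Ubuntu) and plain "type base64 comment"
# key lines with no option prefix, which is what PuTTYgen's text box gives you.

# audit_ssh_dir DIR: print each problem found, return how many there were.
audit_ssh_dir() {
  dir=$1; file="$dir/authorized_keys"; problems=0; n=0
  # The modes this guide sets: 700 on the folder, 600 on the key file.
  if [ "$(stat -c %a "$dir")" != 700 ]; then
    echo "$dir: mode is not 700"; problems=$((problems + 1))
  fi
  if [ "$(stat -c %a "$file")" != 600 ]; then
    echo "$file: mode is not 600"; problems=$((problems + 1))
  fi
  # Every non-blank, non-comment line must be one complete key.
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in '' | '#'*) continue ;; esac
    if ! printf '%s\n' "$line" | grep -Eq \
      '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'
    then
      echo "$file line $n: not a complete key (wrapped paste or stray text?)"
      problems=$((problems + 1))
    fi
  done < "$file"
  return "$problems"
}

# Constructed demo: a made-up key that was split over two lines when pasted.
demo=$(mktemp -d)          # mktemp -d already creates the folder as 700
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2E' 'AAAADAQABAAACAQC7 rsa-key-constructed' \
  > "$demo/authorized_keys"
chmod 600 "$demo/authorized_keys"
audit_ssh_dir "$demo" || echo "problems found: $?"
rm -r "$demo"
# On the node: audit_ssh_dir /root/.ssh
```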
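Do you have another Ubuntu user set up, i.e. coti? If so, copy the SSH keys to your username by copying the ENTIRE following code and pasting it into your putty terminal. Note that this downloads a script from GitHub and runs it with sudo, so open the URL in your browser first if you want to read what it does.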
sudo wget https://raw.githubusercontent.com/Geordie-R/CopyRootSSH/master/copyrootssh.sh && sudo chmod +x copyrootssh.sh && sudo ./copyrootssh.sh && sudo rm copyrootssh.sh
It will first ask you for your username. If you followed Winston Wolfe’s guide this is likely to be coti.
Ok, now both of the users should be under the same SSH key, and will log in with the same SSH passphrase.
Let's do a restart of the ssh service before we set up putty with our private key. Enter the following and press enter.
service sshd restart
Close the putty terminal; we will open a fresh one later.
Assigning the private key to putty
Open putty if it's not open in the background.
We will configure Putty to add our private key we created earlier. Follow the screenshots below, clicking where the numbers point to.
Browse to your private key we created earlier with puttygen.
Now, after clicking open above, we should click back on Session so we can save the session.
Then in number (1) below, create a new session name or choose your existing coti session that you have used previously, then press Save (2).
That’s almost it! What we have done so far is allow our SSH key to be used, which will ask us for our passphrase, but what we haven’t done yet is turn off the ability for your old password to be used. We will do this once we know our SSH key works.
If this whole process has worked you will know as soon as you open your putty session, as it will look different once you give your root username.
Yes! We are now logging in with SSH keys, as the screenshot above basically tells us so. We now need to give the passphrase we created earlier. I used Diamond[]Encrusted[]Sandcastles and after I type it and press enter, we are in!
Turn off password authentication
nano /etc/ssh/sshd_config
Now use the arrow keys on your keyboard to scroll down the page until you come to password authentication like so.
Now remove the hash and turn the yes to a no, like so.
This will turn off the ability for anyone to only use a username and password to connect to your node. They will now need your SSH private key ;)
service sshd restart
Perfect! You’re all set up. Give it a try!
That's the end of Part 1.
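Before you close your working session, it is worth confirming which value sshd will actually use. The following is an added example, not part of the original guide: sshd keeps the first value it reads for a keyword and expands Include lines in place, so a file under sshd_config.d can outrank the line you just edited. The function names, the sample tree and the file name 50-sample.conf are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: which PasswordAuthentication value does sshd end up with?
# sshd keeps the FIRST value it reads for a keyword, and Include lines are
# expanded where they appear, so a drop-in file can outrank your edit.
# Assumptions: one pattern per Include line, no Match blocks.

# flatten_config FILE [BASEDIR]: print the settings in the order sshd reads them.
flatten_config() {
  sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1" |
  while read -r key rest; do
    case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
      include)
        # Relative Include paths are resolved against /etc/ssh by sshd.
        case $rest in /*) pat=$rest ;; *) pat="${2:-/etc/ssh}/$rest" ;; esac
        for f in $pat; do              # glob expands in sorted order
          if [ -f "$f" ]; then flatten_config "$f" "$2"; fi
        done ;;
      *) printf '%s %s\n' "$key" "$rest" ;;
    esac
  done
}

# effective_password_auth FILE [BASEDIR]: first value wins, default is "yes".
effective_password_auth() {
  flatten_config "$1" "$2" | awk '
    tolower($1) == "passwordauthentication" && !seen { v = $2; seen = 1 }
    END { print (seen ? v : "yes") }'
}

# Constructed sample tree: the main file was edited as in this guide, but a
# drop-in (hypothetical name 50-sample.conf) still says "yes".
make_sample() {
  d=$(mktemp -d) && mkdir "$d/sshd_config.d"
  printf '%s\n' 'Include sshd_config.d/*.conf' '#PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$d/sshd_config"
  printf '%s\n' 'PasswordAuthentication yes' > "$d/sshd_config.d/50-sample.conf"
  echo "$d"
}

sample=$(make_sample)
echo "effective: $(effective_password_auth "$sample/sshd_config" "$sample")"
rm -r "$sample"
# On the node itself, sshd can answer directly:
#   sshd -t && sshd -T | grep -i passwordauthentication
```

If the result is still yes on your node, look for the same keyword in the files under /etc/ssh/sshd_config.d/ and change it there too, then restart the service again.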
Now you are ready for Part2: https://link.medium.com/2zbGIBpus3