Secure Your Nano Node

As a Nano node operator, you are performing an important service to the community. Your node validates transactions, seeds the block lattice to peers and, if it is a representative node, votes on the authentic transaction in attempted “double spends” to preserve the integrity of the network. Your node contains valuable information — a “true” copy of the ledger witnessing every transaction that took place using Nano, and the balance of each account (its frontier).

Because Nano is a Distributed Proof of Stake (DPoS) coin, an improperly secured representative node can come under attack from anyone trying to commandeer the voting weight it possesses. This is why it is absolutely essential to secure your Nano representative node, especially if it holds a significant amount of voting weight.

Here is a list of best practices we recommend to protect your node from hackers.

Use Public Key Authentication for SSH and Disable Root Login

Any account with root or sudo privileges should use public key authentication instead of password authentication. A public/private key pair is vastly more difficult to defeat with a “brute force” attack than a root password, especially a simple one.

You should consider creating a regular user account, adding it to the “sudo” group, and disabling logins to the root account over SSH. This gives you two layers of security: first you must authenticate as the Unix user with the private key stored on your client machine, then you must provide that user’s password to escalate to superuser privileges.

On an Ubuntu server, you can create a regular user account, authorize a keypair, and disable root and password-based authentication over SSH by following these steps.

1 – Add a regular user account.

Connect to the cloud instance as root over SSH, using the root password or SSH key you supplied when provisioning it.

2 – Specify a long, secure password for this user named “nano” (or any other username of your choice) when prompted, and retype it to verify.

adduser nano

3 – Add this user to the sudo group so it can perform privileged commands using sudo or sudo su.

usermod -aG sudo nano

4 – If you are running your Nano node in Docker, you will additionally want to add the user to the docker group so it can run Docker CLI commands to start, stop and restart containers. Bear in mind that membership in the docker group is effectively equivalent to root on the host, so grant it only to the account that actually administers the node.

usermod -aG docker nano

5 – For enhanced security, set up public key authentication for this user. If you don’t have an SSH keypair, here are instructions to generate an RSA key on Mac OS/Linux using OpenSSH in the Terminal, or on Windows using PuTTYgen. Make sure to replace “your public key” in the echo command below with your actual public key string, which begins with ssh-rsa followed by a long string of characters.

su - nano

mkdir -p ~/.ssh

chmod 0700 ~/.ssh

touch ~/.ssh/authorized_keys

chmod 0600 ~/.ssh/authorized_keys

echo "ssh-rsa your public key" >> ~/.ssh/authorized_keys

6 – Then disable password authentication and root login over SSH by setting PermitRootLogin and PasswordAuthentication to no in the SSH server configuration file, and restart the SSH daemon. Before you close your root session, open a second terminal and confirm that you can log in as the new user with your key and escalate with sudo; otherwise you risk locking yourself out. Note that sshd keeps the first value it reads for each keyword, and recent Ubuntu cloud images begin sshd_config with an Include of the drop-in files in /etc/ssh/sshd_config.d/, so a drop-in there (often one written by cloud-init) that still says PasswordAuthentication yes will override your edit and must be changed as well.

sudo nano /etc/ssh/sshd_config

PermitRootLogin no

PasswordAuthentication no

sudo systemctl restart ssh
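Because an edit to sshd_config can be silently ignored (a duplicated keyword, or a drop-in read first through Include), here is an added audit script that is not part of the original guide. It reads a constructed sample sshd_config and reports the values sshd would actually enforce for PermitRootLogin and PasswordAuthentication; the sample file content and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample sshd_config (not from any real server). It illustrates two
# traps: a commented-out default line that does nothing, and a duplicated keyword,
# where sshd keeps only the FIRST uncommented value it reads.
SAMPLE_SSHD_CONFIG='# constructed Ubuntu-style fragment
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
'

# effective_value KEYWORD FILE: print the value sshd would use for KEYWORD
# (keywords are case-insensitive; comments, blank lines and later duplicates are ignored).
effective_value() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# audit_sshd_config FILE: exit 0 if the file enforces the two settings from step 6,
# exit 1 otherwise, printing one FAIL line per problem.
audit_sshd_config() {
    rc=0
    root_login=$(effective_value PermitRootLogin "$1")
    pw_auth=$(effective_value PasswordAuthentication "$1")
    [ "$root_login" = "no" ] ||
        { echo "FAIL: PermitRootLogin is '${root_login:-unset}', expected no"; rc=1; }
    [ "$pw_auth" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is '${pw_auth:-unset}', expected no"; rc=1; }
    # Included drop-ins are read at the point of the Include (the top of the file on
    # Ubuntu), so a drop-in can silently win over the settings edited below it.
    if grep -qi '^[[:space:]]*Include' "$1"; then
        echo "NOTE: Include directive found; audit the included drop-in files as well"
    fi
    return $rc
}

# Demonstration on the constructed sample: expected to report PermitRootLogin yes.
demo_file=$(mktemp)
printf '%s' "$SAMPLE_SSHD_CONFIG" > "$demo_file"
audit_sshd_config "$demo_file" || echo "sample config is NOT hardened"
rm -f "$demo_file"
```

On a live server, run it against /etc/ssh/sshd_config and compare with sudo sshd -T, which prints the merged configuration sshd actually uses, drop-ins included.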

Configure IPTables Firewall

Like any other server, a Nano node benefits from a properly configured software firewall. Nano only requires port 7075 to be open to the world, for peering with other nodes. For optimal security, port 7076, which serves RPC commands, should only be reachable from localhost on the loopback interface. If you are running a monitoring service such as Nano Node Monitor, you may also want to open ports 80 (HTTP) and 443 (HTTPS) so your stats are visible from a browser. And of course, you must allow traffic on port 22 (SSH) to avoid locking yourself out of the server.

1 – This set of IPTables rules:

  • Allows all outbound traffic
  • Allows inbound traffic from any IP address to SSH (22)
    • Unless you are certain you have a static IP at the location from where you administer your Nano node, we do not recommend binding SSH to a certain IP address or IP block. You can easily lock yourself out of your own server if your IP changes. Instead, consider setting up an additional firewall with your cloud provider such as DigitalOcean Cloud Firewalls or AWS Security Groups to limit access to SSH where you can easily modify the rules from a web dashboard.
  • Allows inbound traffic on port 7075 (udp/tcp) — required to communicate peer-to-peer with other Nano nodes
  • Allows inbound traffic on ports 80 and 443 — enabling web-based services such as Nano Node Monitor
  • Allows all traffic on localhost, enabling use of the RPC port 7076 on the loopback interface
  • Blocks all other inbound traffic

sudo apt update && sudo apt upgrade

sudo iptables -A INPUT -i lo -j ACCEPT

sudo iptables -A OUTPUT -o lo -j ACCEPT

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

sudo iptables -I INPUT -p udp --dport 7075 -j ACCEPT

sudo iptables -I INPUT -p tcp --dport 7075 -j ACCEPT

sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT

sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT

sudo iptables -P INPUT DROP

sudo iptables -P FORWARD DROP

sudo iptables -P OUTPUT ACCEPT

sudo apt install iptables-persistent netfilter-persistent

sudo netfilter-persistent save

2 – You should also add the following rules to allow peer-to-peer connections over IPv6.

sudo ip6tables -A INPUT -i lo -j ACCEPT

sudo ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo ip6tables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

sudo ip6tables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7075 -j ACCEPT

sudo ip6tables -A INPUT -m state --state NEW -m udp -p udp --dport 7075 -j ACCEPT

sudo ip6tables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

sudo ip6tables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

sudo ip6tables -P INPUT DROP

sudo ip6tables -P FORWARD DROP

sudo ip6tables -P OUTPUT ACCEPT

sudo netfilter-persistent save
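As an added check that is not part of the original guide, this script parses a constructed iptables-save style dump and verifies the policy the rules above are meant to enforce: INPUT defaults to DROP, port 7075 is open on both tcp and udp, and the RPC port 7076 is never accepted outside the loopback interface. The sample dump and the function names are assumptions made for the example.

```shell
# Constructed iptables-save style dump (not captured from a real node). It contains
# one deliberate mistake: RPC port 7076 is accepted on every interface, not just lo.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7075 -j ACCEPT
-A INPUT -p udp -m udp --dport 7075 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7076 -j ACCEPT
COMMIT
'

# input_policy FILE: print the default policy of the INPUT chain (e.g. DROP)
input_policy() {
    awk '$1 == ":INPUT" { print $2; exit }' "$1"
}

# exposed_ports FILE: print proto/port for every INPUT ACCEPT rule not limited to lo
exposed_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" && !/-i lo/ && /-j ACCEPT/ {
            proto = ""; port = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto "/" port
        }
    ' "$1" | sort -u
}

# audit_firewall FILE: exit 0 if the dump matches the intended policy (default DROP,
# 7075 tcp+udp open for peering, 7076 never exposed), exit 1 otherwise.
audit_firewall() {
    rc=0
    [ "$(input_policy "$1")" = "DROP" ] || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    ports=$(exposed_ports "$1")
    for want in tcp/7075 udp/7075; do
        echo "$ports" | grep -qx "$want" || { echo "FAIL: $want is not open for peering"; rc=1; }
    done
    if echo "$ports" | grep -qx tcp/7076; then
        echo "FAIL: RPC port 7076 is reachable from outside the loopback interface"; rc=1
    fi
    return $rc
}
```

On a live node, feed it the output of sudo iptables-save, and sudo ip6tables-save for the IPv6 rules.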