Developers Forum for XinFin XDC Network

s4njk4n

[Informative] Securing your Apothem Testnet Masternode

Note 1: This article is designed as an Addendum to this article on securing XDC Mainnet masternodes running on Ubuntu 20.04LTS. The issues for masternodes running on the Apothem Testnet are similar to those covered in the Mainnet article, but the client ports and the paths to certain commands differ. Below you will find section headings that correspond to the same headings in the Mainnet article. Each section contains the port information specific to Apothem and appropriately altered code snippets for you to use to achieve the same results on the Apothem Testnet. Please refer back to the original Mainnet article for information other than code snippets and ports.

Note 2: Although this guide refers to masternodes, it will also work for standby nodes as well as non-validator nodes (as long as they are reachable via a public IP address). For non-validator nodes using HTTP/Websocket JSON-RPC connection, you'll also need to take into account your specific port access requirements when dealing with ports 8898 and/or 8999.


Keeping your node up-to-date with the latest security patches

Once again we separately consider the server OS and the Apothem Testnet client.

Regarding the Server OS

Updating the OS packages on your server is very similar to the Mainnet instructions but with a minor path adjustment to the testnet directory when stopping and restarting the client. When using ssh to connect to your server, remember to replace “root” in the command with your actual username for the remote server, and replace ip.address with the actual IP address of the remote server:

ssh -lroot -p22 ip.address

Then:

sudo apt update -y && sudo apt upgrade -y && sudo apt autoremove -y
cd ~/XinFin-Node/testnet
sudo ./docker-down.sh
sudo reboot

After your server has rebooted we need to reconnect to it and restart the Apothem client. The first step is to reconnect:

ssh -lroot -p22 ip.address

Then restart the client:

cd ~/XinFin-Node/testnet
sudo ./docker-up.sh
logout

Regarding the Apothem Testnet Client

At present there is no upgrade script for the Apothem Testnet client. The Apothem tree can be seen here and XinFin docker image versions can be seen here.

Unless guided by XinFin there is nothing extra to do here.


Using a strong and unique password

Use the same instructions from the Mainnet article here. No changes.


Change your SSH port and enable firewall rules to restrict access to the node

Ports on the Apothem Testnet client are different from those on the Mainnet client. From examining an Apothem Testnet client's docker-compose.yml file, shown in the image below, we can see that clients on the Apothem Testnet use:

  • Port 30304 for RLPx(TCP)/UDP peer-to-peer communications allowing node discovery and connection to peers
  • Port 8999 for HTTP JSON-RPC API which allows external applications to interact with the Apothem blockchain
  • Port 8898 for Websocket communications between external applications and the Apothem blockchain

Apothem Testnet docker-compose.yml

The processes for securing the ports of your server running the Apothem Testnet client are similar to those for the Mainnet client. As previously, we will assume that your masternode is being used only for the purpose of maintaining the Apothem Testnet blockchain and does not require RPC/Websocket access for external applications to use. (If you are using ports 8898 and/or 8999, you will need to ensure they are open for whatever access you require). The steps we will use are:

  • Change our SSH port from 22 to a different number to make it harder for random malcontents to connect
  • Use a firewall to block ALL incoming ports
  • Then open ONLY ports 30304 and our new SSH port
  • We will leave ports 8898 and 8999 blocked (filtered) as we are assuming that these are not needed as noted above
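Before deciding which ports to open, it is worth confirming what the compose file actually publishes and what is really listening on the server, rather than reading the port list off a screenshot. The script below is an added example (not XinFin's code, and not taken from the real docker-compose.yml): it pulls the host-side port of every entry under a `ports:` key, reads `ss -Htln` output to see which ports are bound on all interfaces, and reports the overlap. It assumes short-syntax mappings such as "30304:30304", "30304:30304/udp" or "127.0.0.1:8999:8999" with double-quoted or unquoted list items; the compose file and `ss` output it runs on are constructed samples written to a temp directory. One reason to run this check: a port that Docker publishes on all interfaces is opened by iptables rules that Docker manages itself, and ufw's default deny does not govern those, so do not assume 8898 and 8999 are filtered just because no ufw rule allows them.

```shell
#!/bin/sh
# Added example, not XinFin's code. Cross-checks the ports a docker-compose.yml
# publishes against what is actually listening (`ss -Htln` output).
# Assumptions: short-syntax mappings such as "30304:30304", "30304:30304/udp"
# or "127.0.0.1:8999:8999"; double-quoted or unquoted list items.

# Print the host-side port of every entry under a ports: key, one per line.
published_host_ports() {
  awk '
    /^[ \t]*ports:/ { inports = 1; next }
    inports && /^[ \t]*-/ {
      gsub(/[ \t"-]/, "")               # strip indentation, dash and quotes
      n = split($0, f, ":")             # HOST:CONTAINER or IP:HOST:CONTAINER
      host = (n == 1) ? f[1] : f[n-1]   # a bare "8999" publishes 8999 on 8999
      sub(/\/.*$/, "", host)            # drop a /tcp or /udp suffix
      print host
      next
    }
    inports && NF { inports = 0 }       # the next key ends the list
  ' "$1"
}

# Print ports from `ss -Htln` output (file $1) that are bound on every interface.
all_interface_listeners() {
  awk '{
    n = split($4, a, ":"); port = a[n]
    addr = $4; sub(/:[0-9]+$/, "", addr)
    if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") print port
  }' "$1" | sort -un
}

# One line per published port: "all-interfaces" if something listens on
# 0.0.0.0/*/[::] for it, otherwise "loopback-or-closed".
exposure_report() {  # $1 = compose file, $2 = file holding `ss -Htln` output
  listeners=$(all_interface_listeners "$2")
  for p in $(published_host_ports "$1" | sort -un); do
    case " $(printf '%s ' $listeners)" in
      *" $p "*) echo "$p all-interfaces" ;;
      *)        echo "$p loopback-or-closed" ;;
    esac
  done
}

# Constructed sample inputs (not a real node's files), written to a temp dir.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/docker-compose.yml" <<'EOF'
version: "3"
services:
  apothem:
    image: example/apothem-client:placeholder   # placeholder, not a real image tag
    ports:
      - "30304:30304"
      - "30304:30304/udp"
      - "127.0.0.1:8999:8999"
      - "8898:8898"
    restart: always
EOF
cat > "$tmp/ss.txt" <<'EOF'
LISTEN 0 128   0.0.0.0:2222      0.0.0.0:*
LISTEN 0 4096  0.0.0.0:30304     0.0.0.0:*
LISTEN 0 4096  127.0.0.1:8999    0.0.0.0:*
LISTEN 0 4096  0.0.0.0:8898      0.0.0.0:*
LISTEN 0 4096  [::]:8898         [::]:*
EOF

# On a live server you would run:
#   ss -Htln > /tmp/ss.txt && exposure_report ~/XinFin-Node/testnet/docker-compose.yml /tmp/ss.txt
exposure_report "$tmp/docker-compose.yml" "$tmp/ss.txt"
```

With the sample data the report flags 30304 and 8898 as bound on all interfaces and 8999 as loopback-only. Any port that shows up as all-interfaces but is not in your intended list (here, anything other than 30304 and your SSH port) needs either a loopback-only mapping in the compose file or a deliberate decision to expose it.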

Changing the SSH port from 22 to a different number uses exactly the same steps as in the Mainnet article. Please follow the steps in the Mainnet article to modify /etc/ssh/sshd_config

Then restart your ssh service with:

sudo service ssh restart

Note: Whenever we have previously used "-p22" as part of our command to connect to a VPS via SSH, this is specifying to ssh what port the remote server is using for ssh. From now on whenever you connect to your Apothem Testnet node, you will need to change the 22 in "-p22" to your new port number instead.

UFW Uncomplicated Firewall

Same as for the Mainnet nodes, we will use ufw for our firewall configuration. Install ufw:

sudo apt install ufw

Establish our default policies to block ALL incoming traffic and only allow outgoing traffic:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Open up port 30304 so the Apothem Testnet client is discoverable by peers:

sudo ufw allow 30304

IMPORTANT: Next we need to ensure that we open up our SSH port (22 or whatever port number you changed it to):

sudo ufw allow <yourSSHport>

Enable UFW then stop the Apothem Testnet client and reboot the server:

sudo ufw enable
cd ~/XinFin-Node/testnet
sudo ./docker-down.sh
sudo reboot
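The one step in this sequence that can cost you access to the VPS is typing a different number into `ufw allow <yourSSHport>` than the one you put in /etc/ssh/sshd_config. The script below is an added example (not XinFin's code) that wraps the article's rule set in a guard: it reads the effective Port from an sshd_config file, refuses to proceed if it differs from the port you are about to allow, and only runs ufw when APPLY=1 (otherwise it prints the commands for review). It assumes the sshd_config path is passed as the first argument and uses a constructed sample file in a temp directory to exercise the check.

```shell
#!/bin/sh
# Added example, not XinFin's code. Before `ufw enable`, confirm that the port
# sshd actually listens on is the port you are about to allow, so a typo in
# `ufw allow <yourSSHport>` cannot lock you out of the VPS.
# Assumptions: sshd_config path is passed in ($1); ufw is only invoked when
# APPLY=1, otherwise the commands are printed for review.

# Effective SSH port from an sshd_config file: the last uncommented "Port N"
# wins; no such line means the OpenSSH default, 22.
sshd_port() {
  awk '/^[ \t]*Port[ \t]+[0-9]+/ { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# The rule set from the article, parameterised on the SSH port.
ufw_rules() {
  printf '%s\n' \
    "ufw default deny incoming" \
    "ufw default allow outgoing" \
    "ufw allow 30304" \
    "ufw allow $1"
}

# Refuse to enable unless the port being allowed matches sshd_config.
guarded_enable() {  # $1 = sshd_config path, $2 = port you intend to allow
  actual=$(sshd_port "$1")
  if [ "$actual" != "$2" ]; then
    echo "refusing: sshd_config uses port $actual but you are allowing $2" >&2
    return 1
  fi
  if [ "${APPLY:-0}" = 1 ]; then
    # --force skips ufw's interactive "may disrupt existing ssh connections" prompt
    ufw_rules "$2" | while read -r cmd; do sudo $cmd; done && sudo ufw --force enable
  else
    ufw_rules "$2"; echo "ufw enable"
  fi
}

# Constructed sample sshd_config (not a real file) to exercise the guard.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '#Port 22\nPort 2222\nPermitRootLogin no\n' > "$tmp/sshd_config"
guarded_enable "$tmp/sshd_config" 2222         # prints the four rules + "ufw enable"
guarded_enable "$tmp/sshd_config" 22 || true   # refused: sshd uses 2222, not 22

# On a live server: APPLY=1 guarded_enable /etc/ssh/sshd_config <yourSSHport>
```

Run `sudo sshd -t` after editing sshd_config and before `sudo service ssh restart`; it validates the file and reports a syntax error without touching the running daemon, which is the other common way to end up locked out at this step.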

Now ssh to your server to test your new ssh port number.

If unable to connect, find the console for that VPS on your VPS-provider’s website. Use it to log in and do whatever you need to do.

After rebooting, we need to restart the Apothem Testnet client, so first SSH to the VPS:

ssh -lroot -p<yourSSHport> ip.address

Restart the Apothem Testnet client and log out of your server:

cd ~/XinFin-Node/testnet
sudo ./docker-up.sh
logout

Use SSL/TLS encryption to secure communication with the node

No changes from the Mainnet article.


Implement access controls to limit who can interact with the node

No changes from the Mainnet article.


Regularly monitor it for any suspicious activity or unauthorized access attempts

Use the same instructions from the Mainnet article here. No changes.


By first reading the article on Securing Mainnet XDC Masternodes and then implementing the information in this Addendum, you will similarly be able to secure your Apothem Testnet Masternode.

In case of any technical queries on Apothem Network, feel free to drop your queries on XDC.Dev forum.
