### Security Practices
### This guide is designed to help you make your server more secure.
### It is not designed to be 100% all-encompassing. Configuration is contingent on what is suitable for you.
### It is not designed to be a guide for normal system operations and functions.
### This is an ongoing runbook that can be updated and improved.
### Keep in mind: protecting systems is a balancing decision. Security vs. availability.
### Quotation marks "", angle brackets <>, and others may be used when giving examples. These are not needed when executing the commands.

Updates: keeping your server updated

Grab the update software (refresh the package lists):
    sudo apt-get update
Run the updates:
    sudo apt-get upgrade
Reboot if required:
    sudo reboot

Secure user login and authentication

Generate an SSH key and use this for login. "ssh-keygen" can be used; this produces a basic private/public key pair.
Suggest using:
    ssh-keygen -t rsa -b 4096
Will not be going into detail in this section. Simply put, this is a much more secure key.
Note: ECDSA is also an option instead of RSA.

During the key generation, name the file and give it a passphrase. Do not leave this empty. Example: "superSecureKey"
A private key with the file name above will be generated, along with a public key named "superSecureKey.pub". The public key is what you provide to the remote system that will be logged into; the private key never leaves your machine.

Now attempt to remotely log in to your server using the key. The -i option points at the private key; the matching public key must already be in the server's authorized_keys:
    ssh -i ~/.ssh/superSecureKey root@x.x.x.x
Enter the passphrase configured above.

Create a new user with the ability to log in with the new SSH key and "super user" permissions, then disable root login and password login.
Create a new user:
    adduser jane
Create a password. Leave all additional information blank; it is not required.
Add jane to the administration group:
    sudo gpasswd -a jane sudo
Each user has its own folder structure.
Add the public key to the new user (jane)

Copy the entire key printed out on screen (this is the public key already installed for the root login used above):
    sudo cat ~/.ssh/authorized_keys
Log in as the user:
    su jane
Make the folder where the key will be:
    mkdir -p ~/.ssh
Make the file:
    sudo touch ~/.ssh/authorized_keys
Edit the file:
    sudo nano ~/.ssh/authorized_keys
Paste the key copied above, then ctrl+x, then type y, then hit enter.
Set permissions on the file and folder:
    sudo chmod 700 ~/.ssh/
    sudo chmod 600 ~/.ssh/authorized_keys
600 = read/write for the owner only, no execute. 700 = read/write/execute for the owner only (on a directory, execute is what allows entering it). sshd refuses key login if these are more permissive.
Set ownership:
    sudo chown -R jane:jane ~/.ssh
jane (the user this belongs to) : jane (the group)

Leave the current window up and open another terminal window. Try logging in as jane and ensure this is successful:
    ssh -i ~/.ssh/nameofyourkey jane@x.x.x.x

Now disable root login

Edit the sshd configuration file:
    sudo nano /etc/ssh/sshd_config
You will find "#Port 22" within the file. Remove the "#" symbol and change the port to something other than 22. For example: 2299
Then go down to "PermitRootLogin yes" and change "yes" to "no".
Restart the service:
    sudo systemctl restart sshd
Do not log out. Go back to the other window where jane is logged in and ensure you can still log in as jane on the new port:
    ssh -i ~/.ssh/nameofyourkey jane@x.x.x.x -p 2299
Ensure failure for root: change user to root and ensure this fails.

Further user security

Use MFA (multi-factor authentication). Two-factor is a standard best practice. For example, if using a hosting service such as DigitalOcean, set up an SSH key along with Google Authenticator. Commands next:
    sudo apt install libpam-google-authenticator -y
Edit the PAM module:
    sudo nano /etc/pam.d/sshd
Add the line:
    auth required pam_google_authenticator.so
Restart sshd:
    sudo systemctl restart sshd
Edit the sshd config:
    sudo nano /etc/ssh/sshd_config
Find "ChallengeResponseAuthentication no" and change it to yes.
Find "UsePAM no" and
change it to yes. sshd only reads its configuration at startup, so restart it once more after saving.
Execute, as the user who will be logging in (it writes ~/.google_authenticator in that user's home):
    google-authenticator
These questions will be asked; the suggested settings are:
Make tokens "time-based": yes
Update the .google_authenticator file: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes
Note: the scratch codes that appear are for emergency use. Write them down.
Open Google Authenticator on your phone and add your secret key.

Hardening OpenSSH

Some recommendations have already been discussed above and will not be re-mentioned.
The "#" symbol means "commented out", which also means that line is not used. Removing it makes that line effective.

Back up the sshd config prior to any changes being made:
    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Test/validate/print the effective configuration (the config lives in /etc/ssh; sshd -T prints every effective setting and errors out on a broken file):
    sudo sshd -T
After completing any hardening changes below, re-execute "sudo sshd -T" to validate the syntax ("sudo sshd -t" checks the syntax only, without printing the settings). Also execute:
    sudo service sshd reload
To edit the configuration, use:
    sudo nano /etc/ssh/sshd_config

Limit the max number of authentication attempts for a single login session: find MaxAuthTries. Good practice is to set this value to "3".
Reduce the time a user has to complete authentication after the initial connection, in seconds: find LoginGraceTime. Good practice is 20; set what you are comfortable with. This aids in preventing certain types of denial-of-service attacks.
Empty passwords: most importantly, an empty password should never be set on a user. If using password authentication, ensure no empty-password login attempts are accepted: change PermitEmptyPasswords "yes" to "no".
Disabling unused authentication methods: if using SSH key login and no other methods, these can be disabled and set to "no":
    ChallengeResponseAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication no
(If you enabled Google Authenticator in the MFA section above, it relies on ChallengeResponseAuthentication yes, so leave that one enabled.)

Uncommonly used features (always verify these are not being used in your configuration before disabling):
Disable remote graphical views over SSH connections:
    X11Forwarding no
Disable using env variables remotely:
    PermitUserEnvironment no
Also add a "#" (hash) to the beginning of any line referencing AcceptEnv.
If not using tunneling or forwarding:
    AllowAgentForwarding no
    AllowTcpForwarding no
    PermitTunnel no
SSH banner - enabled by default and shows varying information about your server:
    DebianBanner no
This may not be present in the ssh config. If not, simply add it to the bottom of the file.

Allow lists: restricting access to certain IPs or users

There are various ways of doing this within the ssh config file. Examples below:
    AllowUsers *@x.x.x.x           - restricts to all users on a specific IP
    AllowUsers *@x.x.x.x/xx        - restricts all users to a certain subnet, using IP/CIDR. Example: *@207.13.147.0/24
    AllowUsers jane@207.13.147.121 - restricts to a specific user from a specific IP

Prevent a user from interactive login, but allow non-interactive use for tasks such as file transfers:
    sudo usermod --shell /usr/sbin/nologin jane
(change usermod to adduser if also creating the user)
This user will no longer be able to use sudo, but can, for example, still use FileZilla to log in with SFTP.

Restrict a user to SFTP access. Add this to your sshd_config file:
    Match User jane
        ForceCommand internal-sftp
        ChrootDirectory /home/jane
jane is consistently the example user in this file.
ForceCommand forces a specific command; internal-sftp launches the SFTP subsystem inside sshd itself, without needing system binaries or libraries inside the chroot.
ChrootDirectory can be any other path you want to allow access to. sshd requires the chroot directory and every directory above it to be owned by root and not writable by any other user, so give jane a writable subdirectory inside it rather than making /home/jane itself writable.
Put Match blocks at the end of the file: every directive after a Match line belongs to that block.

*FOR THE ABOVE GENERAL LINUX SECURITY SECTION, I AM THINKING OF MORE THINGS TO ADD*
*NEXT SECTION IS SPECIFIC TO THE CARDANO NODE*

### Cardano-Node Security Practices
### Configuration based on Cardano Node
### CoinCashew has a great guide on UFW configuration, repurposed here.
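The key-permission step and the sshd_config values above are easy to get subtly wrong and easy to forget to re-check after an edit. The script below is an added example, not part of the original runbook: it checks that a user's ~/.ssh directory and authorized_keys carry the 700/600 modes and the right owner, and compares the effective sshd settings (as printed by "sudo sshd -T", which lowercases the keywords) against the hardening values listed above. It assumes Linux with GNU coreutils (stat -c); the sshd -T text embedded here is a constructed sample of an unhardened install, and on a real host you would pass "$(sudo sshd -T)" instead.

```shell
#!/bin/sh
# Added example (not from the original runbook): audit the two things the
# sections above set by hand.
#   check_ssh_perms     - ~/.ssh is 700, authorized_keys is 600, both owned by the user
#   audit_sshd_config   - effective sshd settings match the hardening list
# Assumes GNU coreutils `stat -c` (Linux).

check_ssh_perms() {
    # $1 = path to the .ssh directory, $2 = expected owner; returns 0 only if all good
    dir="$1"; owner="$2"; keys="$1/authorized_keys"; rc=0
    [ -d "$dir" ] || { echo "MISSING: $dir"; return 1; }
    for f in "$dir" "$keys"; do
        [ -e "$f" ] || { echo "MISSING: $f"; rc=1; continue; }
        mode=$(stat -c '%a' "$f"); who=$(stat -c '%U' "$f")
        if [ "$f" = "$dir" ]; then want=700; else want=600; fi
        [ "$mode" = "$want" ] || { echo "BAD MODE: $f is $mode, expected $want"; rc=1; }
        [ "$who" = "$owner" ] || { echo "BAD OWNER: $f owned by $who, expected $owner"; rc=1; }
    done
    return $rc
}

# Constructed sample of `sudo sshd -T` output (subset) from a fresh, unhardened host.
SAMPLE_SSHD_T='port 22
permitrootlogin yes
maxauthtries 6
logingracetime 120
permitemptypasswords no
x11forwarding yes
permituserenvironment no
allowagentforwarding yes
allowtcpforwarding yes
permittunnel no
kerberosauthentication no
gssapiauthentication no'

audit_sshd_config() {
    # $1 = sshd -T output; prints OK/FAIL per check, returns the number of failures
    cfg="$1"; fails=0
    get() { printf '%s\n' "$cfg" | awk -v k="$1" '$1 == k { print $2; exit }'; }
    check_eq() {   # keyword must equal the expected value
        v=$(get "$1")
        if [ "$v" = "$2" ]; then echo "OK   $1 $v"
        else echo "FAIL $1 is '${v:-unset}', want $2"; fails=$((fails + 1)); fi
    }
    check_max() {  # keyword must be a number no larger than the ceiling
        v=$(get "$1")
        if [ -n "$v" ] && [ "$v" -le "$2" ] 2>/dev/null; then echo "OK   $1 $v"
        else echo "FAIL $1 is '${v:-unset}', want <= $2"; fails=$((fails + 1)); fi
    }
    check_eq  permitrootlogin no
    check_max maxauthtries 3
    check_max logingracetime 20
    check_eq  permitemptypasswords no
    check_eq  x11forwarding no
    check_eq  permituserenvironment no
    check_eq  allowagentforwarding no
    check_eq  allowtcpforwarding no
    check_eq  permittunnel no
    check_eq  kerberosauthentication no
    check_eq  gssapiauthentication no
    # Not a failure, just the reminder from the root-login section to move off port 22.
    [ "$(get port)" != "22" ] || echo "WARN port is still 22"
    return $fails
}

# Stand-alone demo against the constructed sample; the return value is the finding count.
audit_sshd_config "$SAMPLE_SSHD_T" || echo "$? setting(s) differ from the hardening list"
# Real use: audit_sshd_config "$(sudo sshd -T)"; check_ssh_perms /home/jane/.ssh jane
```

ChallengeResponseAuthentication is deliberately not in the list, because the right value depends on whether the MFA section is in use; newer OpenSSH releases also report it as kbdinteractiveauthentication.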
Provided other additional rules and context (grafana and more).

UFW (Uncomplicated Firewall)
# https://www.coincashew.com/coins/overview-ada/guide-how-to-build-a-haskell-stakepool-node/how-to-harden-ubuntu-server
# It is best to block incoming traffic and only allow what is needed.
# Outgoing traffic can, by default, be allowed.

Deny incoming traffic:
    sudo ufw default deny incoming
Allow outbound traffic:
    sudo ufw default allow outgoing
Allow SSH on the configured port. "ufw allow ssh" opens port 22; if you moved sshd to another port as described above, allow that port instead:
    sudo ufw allow ssh
    sudo ufw allow <your ssh port>/tcp
Configure the p2p port:
    sudo ufw allow 6000/tcp
Configure to allow connections from specific IPs:
    sudo ufw allow from <ip address>
Configure on the Block Producer Node (only allow the relay to connect):
    sudo ufw allow proto tcp from <relay ip> to any port <p2p port>
Configure on the Relay Node using iptables (rejects new connections once a single source address has more than 5 open to the p2p port):
    sudo iptables -I INPUT -p tcp -m tcp --dport <p2p port> --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 5 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset

Fail2ban (IPS, or Intrusion Prevention System)
Install:
    sudo apt-get install fail2ban
Configure: edit the config file, which is empty by default:
    sudo nano /etc/fail2ban/jail.local
Add the configuration text:
    [sshd]
    enabled = true
    port = <22 or your random port number>
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    # whitelisted IP addresses
    ignoreip = <your ip address(es)>
Restart fail2ban to implement:
    sudo systemctl restart fail2ban

Cardano Node Keys
Relay Node: should not maintain any certs, vrf, skey or cold keys.
Block Producer Node: only 3 keys are needed to run this node: kes.skey, vrf.skey, and node.cert.
Air-gapped Node: this is a standard Cardano-Node with no outside connection of any kind. The CoinCashew stake pool guide shows how to use this. Maintain all other keys here. This system will be used to build your transactions; the step done on your actual nodes is the submission of the transaction.

Hardening and Pen Testing
# Many of the configurations above can be used for pen testing.
# For example, testing login over certain ports, or using empty passwords, or non-allowed IPs, or multiple unauthenticated sessions.
# This will give you some things to check. This is not a full-blown pen test.
# Instead, this provides you with some ways to validate your configuration.
# The idea is that there is a demonstrable way to report the level of security to the community/delegators.

Routinely verify active listening ports and other useful network-related information:
    netstat -tulpn
    ss -tulpn
    netstat -a
Review NIC information and details. ethtool example:
    sudo ethtool eth0
(or whatever interface you want to review)
Monitor ethernet activity such as IP or MAC changes. arpwatch example:
    sudo arpwatch -i eth0
arpwatch output is written to /var/log/messages. You can also view the current ARP table:
    arp -a
Verify if remote ports are open on a server. telnet example:
    telnet 192.168.22.33 2299
Review currently logged in users with the w command: use "w" to see currently logged in users and details, and "w --help" to see additional arguments.

Below are a few tools as examples to look into (also found below in the reference links):

tcpdump and tshark (wireshark) - the most commonly used packet analyzers. Great for watching all traffic/packets for specific tracing/analyzing.
Kali Linux and Metasploitable - Kali can be installed on many operating systems: Linux, Raspberry Pi, WSL (Windows Subsystem for Linux), VMware, Docker. Comes with many pre-built tools for pen testing your environment. Many guides are available.
Logwatch - many of your logs are found in /var/log, however they contain a large amount of information. Logwatch reduces this by filtering out common/expected log entries, to make them more readable.
Nmap - scanning tool with vulnerability script checks. Widely used, comprehensive, and easy to get going.
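One concrete way to "validate your configuration" in the sense this section describes is to look at the same data the fail2ban [sshd] jail above reacts to. The script below is an added example, not part of the original runbook or of fail2ban itself: it counts "Failed password" entries per source address in auth.log-style lines, applies the maxretry threshold and the ignoreip whitelist, and prints the addresses that would have been banned. It runs over constructed log lines (RFC 5737 documentation addresses, not a real host) so it works offline; on a real host you would feed it /var/log/auth.log. Unlike fail2ban it has no findtime window, so it counts over the whole input.

```shell
#!/bin/sh
# Added example (not from the original runbook): a simplified version of the
# fail2ban sshd jail logic, so you can see which source addresses would trip
# "maxretry" and confirm that "ignoreip" really excludes your own address.

# Constructed sample of /var/log/auth.log lines (made up, not from a real system).
SAMPLE_AUTH_LOG='Mar  1 10:00:01 node sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  1 10:00:03 node sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  1 10:00:05 node sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Mar  1 10:00:07 node sshd[1207]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  1 10:01:00 node sshd[1210]: Accepted publickey for jane from 198.51.100.5 port 40000 ssh2
Mar  1 10:02:11 node sshd[1212]: Failed password for jane from 198.51.100.5 port 40010 ssh2
Mar  1 10:02:20 node sshd[1214]: Invalid user test from 192.0.2.9 port 33000
Mar  1 10:02:21 node sshd[1215]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2'

offending_ips() {
    # $1 = maxretry (as in jail.local), $2 = space-separated ignoreip list,
    # log text on stdin. Prints "<ip> <failed attempts>" for every address that
    # reached maxretry and is not whitelisted. No findtime window: the count
    # covers the whole input.
    awk -v max="$1" -v ignore=" $2 " '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The source address is the token after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (index(ignore, " " ip " ") == 0) n[ip]++
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }'
}

# Stand-alone demo: maxretry 3, whitelisting the operator address jane logs in from.
printf '%s\n' "$SAMPLE_AUTH_LOG" | offending_ips 3 "198.51.100.5"
# Real use: offending_ips 3 "<your ip>" < /var/log/auth.log
```

Only the brute-forcing address is printed for the sample; jane's single typo from the whitelisted address and the lone attempt from 192.0.2.9 stay below the threshold. Comparing this output with "fail2ban-client status sshd" on the live host is a quick way to confirm the jail is reading the right log file and port.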
Install nmap and start with some basic commands. Examples:
    nmap -p- -sV <target>   - all ports and services (-p- scans every port, -sV identifies the service on each)
    nmap -sC <target>       - scan using all default .nse scripts

Suggested Pen Testing References:
https://github.com/wtsxDev/Penetration-Testing - tools used for pen testing
https://github.com/enaqx/awesome-pentest - tools used for pen testing
https://github.com/arch3rPro/PentestTools - tools used for pen testing
https://book.hacktricks.xyz/linux-unix/privilege-escalation - comprehensive guide on privilege escalation, session hijacking, SSH, ACLs, and much more
https://gist.github.com/lokhman/cc716d2e2d373dd696b2d9264c0287a3 - Ubuntu hardening
https://dfir.training/ - only if you are curious to dive deeper into the world of digital forensics. And if you really are interested, check out FTK Imager Lite
https://www.hackers-arise.com/ - not the most pleasant site, but a ton of great Linux information. We do not use this site much; use at your own discretion.