Hop
Search…
Hop
Welcome
JS SDK
Hop Node
Getting started
Requirements
Configuration
Keystore
Staking
Installing Docker
Docker image
Running Docker container
EC2 Setup
Monitoring
Docker CloudWatch Logs
Prometheus Monitoring
AWS Parameter Store Setup
Running in Production
Securing Cloud Instance
Securing Server
SSH 2FA
Additional Security & Node Best Practices
CLI Commands
Contract State
Additional questions
TheGraph Subgraphs
Contract Addresses
Smart Contracts
RPC Endpoints
Fee Calculation
On the web
FAQ
Assets
Powered By GitBook
Securing Server
Things you can do to secure your server running the Hop Node
These are some things you can do to secure an Ubuntu server.
These are examples and it's recommended that do your own research to know what's best for your own server.

Create new user instead of using default user

Create a non-root user with sudo privileges
1
sudo useradd -m -s /bin/bash alice
2
sudo passwd alice
3
sudo usermod -aG sudo alice
Copied!
Copy authorized SSH hosts to new user
1
su - alice
2
sudo cp -r /home/ubuntu/.ssh .ssh
3
sudo chown -R alice:alice .ssh
Copied!
Delete default user
1
sudo deluser --remove-home ubuntu
Copied!

Disable SSH root login

Edit SSH configuration
1
sudo vim /etc/ssh/sshd_config
Copied!
In sshd_config file, make sure to have the following settings:
1
PasswordAuthentication no
2
ChallengeResponseAuthentication no
3
PermitRootLogin prohibit-password
4
PermitEmptyPasswords no
Copied!
Verify changes and reload service
1
sudo sshd -t
2
sudo service ssh reload
Copied!

Only allow specific users for SSH

Edit SSH configuration
1
sudo vim /etc/ssh/sshd_config
Copied!
Edit or add AllowUsers with space separated usernames
1
AllowUsers alice
Copied!
Reload SSH service
1
sudo service ssh reload
Copied!

Disable root account

Disabling the root user account is a good idea
1
sudo passwd -l root
Copied!

Install fail2ban

Installing fail2ban will block out anyone who fails to repeatedly log in
1
sudo apt update
2
sudo apt install fail2ban -y
Copied!
Edit configuration file
1
sudo vim /etc/fail2ban/jail.conf
Copied!
Make sure to have these settings in jail.conf
1
ignoreip = 127.0.0.1/8 ::1
2
3
[sshd]
4
enabled = true
Copied!
Restart services and show status
1
sudo service fail2ban restart
2
sudo service fail2ban status
Copied!

Firewall

All incoming connections can be disallowed. Only outgoing connections need to be allowed.
For example, if using UFW
1
systemctl start ufw.service
2
systemctl enable ufw.service
3
4
sudo ufw default deny
5
sudo ufw allow "22/tcp" # allow SSH port
6
sudo ufw disable # must disable and enable to apply changes
7
sudo ufw enable
8
sudo ufw status
Copied!

Add SSH 2FA

Check out the link below
Previous
Securing Cloud Instance
Next
SSH 2FA
Last modified 7mo ago
Copy link
Contents
Create new user instead of using default user
Disable SSH root login
Only allow specific users for SSH
Disable root account
Install fail2ban
Firewall
Add SSH 2FA