
What are the recommended steps for building NEO consensus nodes?

2025-01-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article walks through the recommended steps for building a NEO consensus node, translated from the City of Zion (CoZ) node standards, so that operators have a simple, workable procedure to follow.

Recommended steps for building a consensus node

Remote access

Remote access to the machine is limited to SSH public-key authentication, with the private key held on a physical Yubikey 4 or Yubikey NEO token.

Hardware

For security reasons, nodes should not run on shared machines; they should be hosted in a secure data centre such as Deltalis, Equinix or A1 Arsenal. The IaaS vendor hardware configurations below can serve as a reference for an ideal configuration as of 2018.

Because consensus nodes are computationally demanding, hardware and network requirements should be reviewed periodically to ensure optimal performance.

If hosting is not possible, the recommended IaaS vendors and minimum configurations are as follows:

OVH EG-32

CPU: Intel Xeon E3-1270v6-4c/8t-3.8GHz

RAM: 32GB DDR4 ECC 2133 MHz

SSD: softraid-1 2x450GB NVMe

NET: 1 Gbps

Packet Workhorse

CPU: Intel Xeon E3-1240v5-4c/8t-3.5GHz

RAM: 32 GB DDR3 ECC 1333 MHz

SSD: softraid-1 2x120GB Enterprise SSD

NET: 2 x 1 Gbps Bonded

Liquidweb

CPU: Intel Xeon E3-1275v6-4c/8t-3.8GHz

RAM: 32 GB DDR4 ECC

SSD: softraid-1 2x240GB Enterprise SSD

NET: 1 Gbps

Passwords

Use a password manager to store every password needed during this build (LastPass and Dashlane are recommended), and enable two-factor authentication and a hardware key (where supported) on all services.

Every password should be strong and generated with the password manager's generator.

SSH authentication key

Public-key SSH authentication protects the key only if the private key cannot be copied off the administrator's machine, so we require that it live on a physical OpenPGP smart card. We recommend the Yubikey 4; for details of its OpenPGP support, see the official Yubikey PGP documentation.

Complete Windows Guide

Complete Linux/MacOS Guide

Change the default OpenPGP admin PIN (12345678) and user PIN (123456) to memorable, secure values.

With the private key loaded on the smart card and gpg-agent's SSH authentication support enabled, gpg-agent (bound to gpg2) acts as the SSH agent; this is our recommended setup.

Service-provider configuration

Enable the vendor's firewall (the one outside the OS) and set it to block everything except ports 22, 20333 and 10333 (10333 is the NEO mainnet P2P port, 20333 the testnet P2P port). If other services share the same account, place the node in an anti-affinity group.

Linux server configuration

Each node needs two administrators located in two different jurisdictions. Each administrator has their own user account that can log in over SSH; a separate consensus user, which cannot log in over SSH, owns the consensus node's private key, so the key is reachable only by switching to that user from an administrator account. (The Ubuntu version used in this guide is 16.04 LTS.)

On first login set a strong root password, but use it only if you lose your sudo password (or need to recover the machine). While still root (sudo su on Ubuntu):

passwd

Update packages. Ubuntu:

apt-get update
apt-get upgrade

CentOS:

yum update

Add an administrator user (repeat for each of the two administrators):

useradd -m node
mkdir /home/node/.ssh
chmod 700 /home/node/.ssh

This guide assumes bash, so set bash as the administrator's login shell:

usermod -s /bin/bash node

Paste the administrator's Yubikey public key (the output of ssh-add -L on the administrator's own machine) into authorized_keys:

vim /home/node/.ssh/authorized_keys

Permissions:

chmod 400 /home/node/.ssh/authorized_keys
chown node:node /home/node -R

Set the administrator's password (this is the sudo password):

passwd node

Now set up sudo for the administrator: keep the %sudo group line and comment out (with #) any other group that is granted root:

visudo

The file should look like this:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
#%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Add the administrator to the sudo group:

usermod -aG sudo node

The administrator must log in and out once for the group change to take effect:

su -l node
exit

Back as root, configure SSH so that only the administrators can log in, and only with a public key:

vim /etc/ssh/sshd_config

Add or modify the following lines so they read as below, listing all administrators in AllowUsers separated by spaces:

X11Forwarding no
PermitRootLogin no
PasswordAuthentication no
AllowUsers node
LoginGraceTime 30
AllowTcpForwarding no
TCPKeepAlive no
AllowAgentForwarding no
DebianBanner no
Banner /etc/ssh/sshd-banner

Set the SSH legal banner:

echo "WARNING: Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized usage is suspected." >> /etc/ssh/sshd-banner

Add the user that will run the consensus node:

useradd consensus
mkdir /home/consensus
chown consensus:consensus /home/consensus -R

Set a very strong password for the consensus user and share it securely between the two administrators:

passwd consensus

The final step as root is to restart SSH. Keep the root session open, log in as an administrator in a second session, and run:

sudo systemctl restart sshd.service

Confirm that a fresh administrator login still works before closing the root session.

Firewall

Logged in as an administrator, first install the firewall and lock down the node. Debian/Ubuntu:

sudo apt-get install ufw

CentOS:

sudo yum install epel-release
sudo yum install ufw

Set IPV6=yes in /etc/default/ufw (sudo vim /etc/default/ufw), then allow only the required ports. The SSH rule must be in place before the firewall is enabled, or the current session is locked out:

sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw allow 10333
sudo ufw allow 20333
sudo ufw disable
sudo ufw enable

Automatic security updates

Ubuntu:

sudo apt-get install unattended-upgrades
sudo vim /etc/apt/apt.conf.d/10periodic

Update the file to match:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Restrict automatic updates to the security origins:

sudo vim /etc/apt/apt.conf.d/50unattended-upgrades

Edit the Allowed-Origins block so that its only uncommented entries are these:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESM:${distro_codename}";
};

CentOS:

Install yum-cron and enable security package updates:

sudo yum -y install yum-cron
sudo systemctl start yum-cron
sudo systemctl enable yum-cron
sudo nano /etc/yum/yum-cron.conf

Change the settings to match:

update_cmd = security
apply_updates = yes
emit_via = email
email_to = YOUR_EMAIL_TO_RECEIVE_UPDATE_NOTIFICATIONS

Replace the email_to value with the address that should receive a notification whenever an update is applied.

Fail2ban

Next, install fail2ban, a tool that bans suspicious IP addresses at the firewall. Its defaults are adequate, so a plain install suffices. Ubuntu:

sudo apt-get install fail2ban

CentOS:

sudo yum install fail2ban

Two-factor authentication

Combining 2FA with the physical OpenPGP key for SSH gives a strong authentication setup. Install it on Ubuntu with:

Sudo apt-get install libpam-google-authenticator

CentOS (with EPEL enabled, as above):

Sudo yum install google-authenticator

After installing, run the setup as each administrator (both of them) and follow the prompts (answer y/y/y/n/y); only then update PAM to require 2FA:

google-authenticator

Next, edit the PAM configuration for sshd to add 2FA:

sudo vim /etc/pam.d/sshd

Add the following line at the end of the file:

auth required pam_google_authenticator.so

Comment out the line that would otherwise prompt for the account password. Ubuntu:

# Standard Un*x authentication.
#@include common-auth

CentOS:

#auth substack password-auth

Edit sshd_config to require 2FA:

sudo vim /etc/ssh/sshd_config

Enable challenge-response authentication and add the authentication methods line:

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive

Because PasswordAuthentication is off, the publickey,password alternative never applies in practice: every login requires the hardware-backed key followed by the one-time code. An account listed in AllowUsers that has not yet run google-authenticator will be locked out, so set up both administrators first.

Restart the SSHD service:

Sudo systemctl restart sshd.service

Open another window while keeping the current SSH window running, and log in to verify that the settings are working correctly.
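As an added example (my own code, not part of the CoZ guide), the following bash script audits an sshd_config for the directives set in the two sshd_config edits above (the public-key-only login and the 2FA method list) and shows why line order matters: sshd uses the first value it finds for a keyword, so a hardened directive appended below an earlier permissive one has no effect. The two sample config files it writes are constructed for the demonstration; it reads only the global section (it stops at the first Match block) and only whitespace-separated keyword/value lines; the user names node and admin2 are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the CoZ guide: audit an sshd_config for the settings
# this guide requires before restarting sshd. Reads the global section only
# (stops at the first "Match" block) and, like sshd itself, takes the FIRST
# occurrence of a keyword, so a hardened line appended below an earlier
# permissive one is correctly reported as ineffective. Assumes whitespace-
# separated "Keyword value" lines (the "Keyword=value" form is not handled).
set -u

# Effective value of one keyword (case-insensitive), or empty if unset.
sshd_effective_value() {
  local file="$1" key
  key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  awk -v key="$key" '
    /^[ \t]*#/             { next }   # comment
    /^[ \t]*$/             { next }   # blank line
    tolower($1) == "match" { exit }   # global section ends here
    tolower($1) == key     { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$file"
}

# Every alternative in AuthenticationMethods must include publickey, so that
# no method list lets a login bypass the hardware-backed key.
auth_methods_ok() {
  local methods="$1" alt
  [ -n "$methods" ] || return 1
  for alt in $methods; do
    case ",$alt," in *,publickey,*) ;; *) return 1 ;; esac
  done
  return 0
}

# AllowUsers must name exactly the administrator accounts (any order).
allow_users_ok() {
  local actual="$1"; shift
  local want have
  [ -n "$actual" ] || return 1
  want=$(printf '%s\n' "$@" | sort | tr '\n' ' ')
  have=$(printf '%s\n' $actual | sort | tr '\n' ' ')
  [ "$want" = "$have" ]
}

# Audit FILE against the required directives; prints one line per problem
# and returns non-zero if any. Extra arguments are the expected admin users.
audit_sshd_config() {
  local file="$1"; shift
  local problems=0 kw want got
  while read -r kw want; do
    [ -n "$kw" ] || continue
    got=$(sshd_effective_value "$file" "$kw")
    if [ "$got" != "$want" ]; then
      echo "FAIL $kw: want '$want', effective '${got:-unset}'"
      problems=$((problems + 1))
    fi
  done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
EOF
  got=$(sshd_effective_value "$file" AuthenticationMethods)
  auth_methods_ok "$got" || { echo "FAIL AuthenticationMethods: '${got:-unset}' has an alternative without publickey"; problems=$((problems + 1)); }
  got=$(sshd_effective_value "$file" AllowUsers)
  allow_users_ok "$got" "$@" || { echo "FAIL AllowUsers: '${got:-unset}', expected: $*"; problems=$((problems + 1)); }
  [ "$problems" -eq 0 ] && echo "OK $file"
  [ "$problems" -eq 0 ]
}

# Constructed sample configs (not real server files). The "weak" one sets
# PasswordAuthentication yes first, so the "no" appended later is ignored by
# sshd, lists an extra account in AllowUsers, and has a method list without
# publickey.
write_sample_configs() {
  local dir="$1"
  cat >"$dir/sshd_config.hardened" <<'EOF'
X11Forwarding no
PermitRootLogin no
PasswordAuthentication no
AllowUsers node admin2
LoginGraceTime 30
AllowTcpForwarding no
TCPKeepAlive no
AllowAgentForwarding no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
EOF
  cat >"$dir/sshd_config.weak" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
AllowUsers node admin2 deploy
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive keyboard-interactive
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PasswordAuthentication no
EOF
}

# sshd's own syntax check (run as root) before any restart: a bad file with
# a session still open is recoverable, an sshd that refuses to start is not.
syntax_check() { sudo sshd -t -f "$1"; }

# Usage: ./audit_sshd.sh /etc/ssh/sshd_config node admin2
if [ "$#" -ge 2 ]; then
  audit_sshd_config "$@" && syntax_check "$1"
fi
```

Run it against the live file with the administrator names before restarting sshd; a FAIL line for PasswordAuthentication on a file you believe you hardened usually means a distribution default earlier in the file is winning.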

Monitoring

Monitoring consensus nodes is critical for spotting problems and improving the NEO project. Install the monitoring service so that it is reachable only through an SSH tunnel (its port stays blocked at the firewall), and use the prebuilt static build to reduce the attack surface and avoid unnecessary dependencies.

Logwatch

Configure logwatch to send a daily summary of the node's activity (usually there is none). Ubuntu:

sudo apt-get install logwatch

CentOS:

sudo yum install logwatch

Now add a cron job to send the summary to your mailbox:

sudo vim /etc/cron.daily/00logwatch

Change the default command to:

/usr/sbin/logwatch --output mail --mailto YOUR@EMAIL.HERE --detail high

Blacklist USB and FireWire storage

We blacklist unneeded kernel modules to reduce the attack surface. WiFi and Bluetooth are usually absent from server kernels (verify this!), so only USB and FireWire storage need to be disabled:

sudo vi /etc/modprobe.d/blacklist.conf

Add the following lines:

blacklist usb-storage
blacklist firewire-core

Install and run the consensus node

Install the prerequisites on Ubuntu:

sudo apt-get install unzip sqlite3 libsqlite3-dev libleveldb-dev libunwind-dev

CentOS:

sudo yum install unzip leveldb-devel libunwind-devel

Log in as the consensus node user:

su consensus
cd ~

Download, verify the checksum of, and extract the latest neo-cli release:

wget https://github.com/neo-project/neo-cli/releases/download/v2.5.2/neo-cli-YOURDISTRIBUTION.zip
sha256sum neo-cli-YOURDISTRIBUTION.zip
unzip neo-cli-YOURDISTRIBUTION.zip
cd neo-cli
chmod u+x neo-cli

Copy the protocol settings for the network the node will run on (testnet or mainnet):

mv protocol.json protocol.json.back
cp protocol.testnet.json protocol.json

If this is the first run, create a wallet for the consensus node:

./neo-cli
neo> create wallet /home/consensus/cn_wallet.json
password: SOMESTRONGPASSWORD
password: SOMESTRONGPASSWORD

Copy the start_consensus script:

cd ~
wget https://raw.githubusercontent.com/CityOfZion/standards/master/assets/nodes/start_consensus.sh
chmod u+x start_consensus.sh

Edit the script so that the wallet path and password match your wallet file.
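The download step above runs sha256sum but never compares the digest with anything, so it verifies nothing. As an added example (my own code, not part of the CoZ guide), this bash helper does the comparison against the digest published for the release and refuses to unpack the archive on a mismatch. The sample file and its digest are constructed for the demonstration; the archive name and expected digest passed on the command line are placeholders you supply.

```bash
#!/usr/bin/env bash
# Added example, not from the CoZ guide: compare a download's SHA-256 with
# the digest published for the release and only unpack when it matches.
# Printing a digest with sha256sum is not a check; the comparison is.
set -u

# Lowercase hex SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if FILE's digest equals EXPECTED (hex, any case).
verify_sha256() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $file"
    return 0
  fi
  echo "FAIL $file: got $actual, expected $expected" >&2
  return 1
}

# Verify first, then unpack; on a mismatch the archive is left untouched.
verify_and_unzip() {
  verify_sha256 "$1" "$2" && unzip -q "$1"
}

# Constructed sample for the demonstration: the SHA-256 of the text "hello\n".
make_sample() { printf 'hello\n' >"$1"; }
SAMPLE_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Usage: ./verify.sh neo-cli-YOURDISTRIBUTION.zip <digest from the release page>
if [ "$#" -eq 2 ]; then
  verify_and_unzip "$1" "$2"
fi
```

Take the expected digest from the GitHub release page or another channel that is not the download server itself, compare the whole digest rather than a prefix, and run the check before unzip rather than after.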
Supervisord

The node is now ready to run under supervisord. Ubuntu:

sudo apt-get install supervisor

CentOS:

sudo yum install supervisor

Configure supervisord to run start_consensus (edit the file if needed):

wget https://raw.githubusercontent.com/CityOfZion/standards/master/assets/nodes/supervisord.conf
chmod 700 supervisord.conf
sudo cp supervisord.conf /etc/supervisord.conf
sudo supervisord

Add an init script so that supervisord starts automatically on reboot.

That completes the setup. Log out of the server and log back in only to deploy updates or to investigate suspicious behaviour.

Other security recommendations

GRUB password
Disk encryption
Enable TCP SYN cookies (net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf)

This article is translated from the City of Zion (CoZ) node standards: https://github.com/CityOfZion/standards/blob/master/nodes.md
