🧱 Basic VPS Hardening for Node Operators

Before running any validator node, it's important to ensure your VPS is secure and properly configured. This guide provides a checklist and links to individual setup steps that will help you build a strong foundation.

1. Use SSH Key Authentication

Disable password-based logins and use SSH keys instead. This is one of the most effective ways to protect against brute-force attacks.

👉 Set up SSH Key Access

Once a non-root user with SSH key access is working, disable direct root login to reduce exposure.

👉 Disable Root Login

3. Enable UFW Firewall

Limit access to only the ports your validator needs (e.g., P2P, RPC). Deny all other incoming traffic by default.

👉 Set up UFW Firewall

4. Protect SSH with Fail2Ban

Fail2Ban bans IPs that show signs of brute-force behavior, adding another layer of protection to your login system.

👉 Set up Fail2Ban

5. Remove Unused Packages

Less software = less surface area for attack. Remove services and tools you don’t use:

Example (only run if you're not using them):

bash

# Optional: remove Apache web server
sudo apt remove --purge apache2 -y

# Optional: remove Snap daemon (not commonly used on servers)
sudo apt remove --purge snapd -y

# Clean up unused dependencies
sudo apt autoremove -y

6. Check Running Services

List and stop any unnecessary services:

bash

sudo systemctl list-units --type=service

To disable a service:

bash

sudo systemctl disable service-name
sudo systemctl stop service-name

7. (Optional) Disable IPv6

If you’re not using IPv6, disable it to reduce exposure:

bash

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1

To make it persistent, add to /etc/sysctl.conf:

ini

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

8. Sync Server Time (NTP)

Ensure your server time is accurate for logs and node operations:

bash

sudo timedatectl set-ntp true
timedatectl status

9. Enable Automatic Security Updates

(Optional, but helpful)

bash

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades

Built by Node Runners.
For the Networks We Believe In.
🌐 astrostake.xyz

🧱 Basic VPS Hardening for Node Operators ​

1. Use SSH Key Authentication ​

2. Disable Root Login (Safely) ​

3. Enable UFW Firewall ​

4. Protect SSH with Fail2Ban ​

5. Remove Unused Packages ​

6. Check Running Services ​

7. (Optional) Disable IPv6 ​

8. Sync Server Time (NTP) ​

9. Enable Automatic Security Updates ​

🧱 Basic VPS Hardening for Node Operators

1. Use SSH Key Authentication

2. Disable Root Login (Safely)

3. Enable UFW Firewall

4. Protect SSH with Fail2Ban

5. Remove Unused Packages

6. Check Running Services

7. (Optional) Disable IPv6

8. Sync Server Time (NTP)

9. Enable Automatic Security Updates