
🧱 Basic VPS Hardening for Node Operators

Before running any validator node, it's important to ensure your VPS is secure and properly configured. This guide provides a checklist and links to individual setup steps that will help you build a strong foundation.

1. Use SSH Key Authentication

Disable password-based logins and use SSH keys instead. This is one of the most effective ways to protect against brute-force attacks.

👉 Set up SSH Key Access

2. Disable Root Login (Safely)

Once a non-root user with SSH key access is working, disable direct root login to reduce exposure.

👉 Disable Root Login
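
A quick way to confirm that steps 1 and 2 took effect before you close your current session, as an added example that is not part of the original guide. The function names and sample configs are constructed for illustration; `PasswordAuthentication` and `PermitRootLogin` are the standard OpenSSH directives, and the fallback values are OpenSSH's defaults.

```shell
#!/bin/sh
# Added example: audit sshd settings for checklist steps 1 and 2.
# Input on stdin is sshd_config syntax or the output of `sshd -T`.

# Print the effective global value of one keyword (lowercased), or the
# given default if it is never set. sshd keywords are case-insensitive and
# the FIRST occurrence wins, so a later line cannot override an earlier one.
sshd_value() {
  awk -v key="$1" -v fallback="$2" '
    BEGIN { key = tolower(key) }
    /^[ \t]*#/ { next }                  # commented-out directives do not count
    tolower($1) == "match" { exit }      # Match blocks are conditional, not global
    tolower($1) == key { print tolower($2); found = 1; exit }
    END { if (!found) print fallback }
  '
}

# Return 0 only if password logins and direct root login are both disabled.
audit_sshd() {
  _cfg=$(cat); _rc=0                     # buffer stdin so it can be scanned twice
  _pw=$(printf '%s\n' "$_cfg" | sshd_value PasswordAuthentication yes)
  _root=$(printf '%s\n' "$_cfg" | sshd_value PermitRootLogin prohibit-password)
  [ "$_pw" = "no" ] || { echo "FAIL: PasswordAuthentication is '$_pw', want 'no'"; _rc=1; }
  [ "$_root" = "no" ] || { echo "FAIL: PermitRootLogin is '$_root', want 'no'"; _rc=1; }
  [ "$_rc" -eq 0 ] && echo "OK: key-only logins, direct root login disabled"
  return "$_rc"
}

# Constructed sample: the trailing "PermitRootLogin no" is dead config,
# because the earlier "yes" already took effect.
sample_weak() {
  cat <<'EOF'
# constructed sample, not from a real host
PermitRootLogin yes
passwordauthentication no
PermitRootLogin no
EOF
}

# Constructed sample of a config that passes both checks.
sample_hardened() {
  printf 'PasswordAuthentication no\nPermitRootLogin no\n'
}

sample_weak | audit_sshd || true         # reports the PermitRootLogin failure
sample_hardened | audit_sshd             # reports OK
```

On a live host, run `sudo sshd -T | audit_sshd`; `sshd -T` prints the effective configuration, including settings pulled in through `Include` files.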

3. Enable UFW Firewall

Limit access to only the ports your validator needs (e.g., P2P, RPC). Deny all other incoming traffic by default.

👉 Set up UFW Firewall

4. Protect SSH with Fail2Ban

Fail2Ban bans IPs that show signs of brute-force behavior, adding another layer of protection to your login system.

👉 Set up Fail2Ban

5. Remove Unused Packages

Less software = less surface area for attack. Remove services and tools you don't use:

Example (only run if you're not using them):

```bash
# Optional: remove Apache web server
sudo apt remove --purge apache2 -y

# Optional: remove Snap daemon (not commonly used on servers)
sudo apt remove --purge snapd -y

# Clean up unused dependencies
sudo apt autoremove -y
```

6. Check Running Services

List and stop any unnecessary services:

```bash
sudo systemctl list-units --type=service
```

To disable a service:

```bash
sudo systemctl disable service-name
sudo systemctl stop service-name
```

7. (Optional) Disable IPv6

If you're not using IPv6, disable it to reduce exposure:

```bash
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
```

To make it persistent, add to /etc/sysctl.conf:

```ini
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
```

8. Sync Server Time (NTP)

Ensure your server time is accurate for logs and node operations:

```bash
sudo timedatectl set-ntp true
timedatectl status
```

9. Enable Automatic Security Updates

(Optional, but helpful)

```bash
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
```

Built by Node Runners.
For the Networks We Believe In.
🌐 astrostake.xyz