Securing your node with SSH and iptables
This tutorial is fully covered in the video shown above.
Now it's time to secure your node by hardening SSH access and setting up the firewall. This tutorial covers what is considered minimum level of security for your node, or any production server in general (subjective opinion).
SSH key-pair based login
First off, you should be using an SSH key pair when you log into your node. Go ahead and make a folder called .ssh in your home directory and, inside it, a file named authorized_keys. Now generate a key pair, for example with PuTTY Key Generator, and paste the public key into the authorized_keys file.
For added security you can limit SSH access by IP as well; preferably you'll be managing your node from only one IP address. Instead of pasting just your key into the file, prefix it with a from= option, so the line reads:
from="YOUR_IP" SSH-KEY
Once you have your keys set up, continue with editing the SSH config file. Recommended changes are:
AddressFamily set to inet: this prevents your node from listening on IPv6.
PermitRootLogin set to no: self-explanatory, denies root login.
PasswordAuthentication set to no: once you have set up key-based login you won't be logging in with a username and password.
Setting up the firewall with iptables
All docker swarm communications occur over TLS using a self-signed TLS certificate. Due to the way iptables and docker work, you can't use the INPUT chain to block access to apps running in a docker container: the traffic is not a local destination but a FORWARD one. By default, when you map a port into a docker container it is opened up to any host. To restrict access we need to add our rules in the DOCKER-USER chain. More info can be found here.
Open TCP port 2376 only to 52.48.130.243 & 18.203.51.247 for secure Docker engine communication. This port is required for Docker Machine to work. Docker Machine is used to orchestrate Docker hosts; as this is a local service we use the INPUT chain.
In addition, the following ports must be opened for factomd to function, which we add to the DOCKER-USER chain:
2222 to 52.48.130.243 & 18.203.51.247, which is the SSH port used by the ssh container
8088 to 52.48.130.243 & 18.203.51.247, the factomd API port
8090 to 52.48.130.243 & 18.203.51.247, the factomd Control panel
8108 to the world, the factomd main-net port
In the above video, we changed the INPUT policy to DROP and included a management IP; together with the rules above this creates the basic ruleset:
Last, but not least, don't forget to save the rules.
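The ruleset described in this section, as an added example that is not the tutorial's own script: it prints the iptables commands for review rather than running them, so they can be piped to sh once checked. It assumes the host sshd listens on port 22 and takes the management IP and external interface as arguments (neither is stated on the page); the peer addresses and ports are the ones listed above.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: prints the iptables commands
# for the ruleset described above so they can be reviewed, then run with
# `sh rules.sh MGMT_IP eth0 | sh` and persisted with iptables-save.
# Assumptions not stated on the page: host sshd listens on 22; the management
# IP and the external interface are passed as arguments.
PEERS="52.48.130.243 18.203.51.247"   # orchestration hosts named in the tutorial
PEER_PORTS="2222 8088 8090"           # container ports limited to those hosts

factom_ruleset() {
    mgmt="$1"; ext="${2:-eth0}"
    # INPUT (local services): loopback, replies, SSH from the management IP,
    # Docker engine TLS port 2376 from the two peers. ACCEPT rules go in before
    # the policy flips to DROP so an existing SSH session is not cut off.
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "iptables -A INPUT -p tcp --dport 22 -s $mgmt -j ACCEPT"
    for ip in $PEERS; do
        echo "iptables -A INPUT -p tcp --dport 2376 -s $ip -j ACCEPT"
    done
    echo 'iptables -P INPUT DROP'
    # DOCKER-USER (containers): Docker's DNAT runs before FORWARD, so match the
    # original destination port via conntrack rather than --dport. Docker seeds
    # the chain with a trailing RETURN, so rules must be inserted (-I), which is
    # why they are emitted last-first: the chain ends up as established RETURN,
    # per-peer RETURNs, then a DROP per port. 8108 needs no rule: it stays open.
    for port in $PEER_PORTS; do
        echo "iptables -I DOCKER-USER -i $ext -p tcp -m conntrack" \
             "--ctorigdstport $port --ctdir ORIGINAL -j DROP"
    done
    for port in $PEER_PORTS; do
        for ip in $PEERS; do
            echo "iptables -I DOCKER-USER -i $ext -s $ip -p tcp -m conntrack" \
                 "--ctorigdstport $port --ctdir ORIGINAL -j RETURN"
        done
    done
    echo 'iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN'
    echo 'iptables-save > /etc/iptables/rules.v4'   # persist (path assumed)
}

# Print the commands when run directly: sh rules.sh MGMT_IP [EXT_IF]
if [ $# -ge 1 ]; then factom_ruleset "$@"; fi
```

Review the printed output before piping it to sh, in particular that the SSH ACCEPT line carries your real management IP, since the INPUT policy becomes DROP right after it.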