Price: $0
Pools:
Epoch:
Slot: 140,644,653
Date: 21-11-2024

Articles

Is your server secure or did you leave your front door open?

On behalf of SPOCRA 1476 relay nodes were tested on September 5th, of 2020 on a simple basic security principle.

VRITS 06-09-2020, 16:38 · 5 mins read
Share this

Reasons for testing

The number of stakepools is increasing every day and besides the official documentation there are many places which describe how to build a stakepool or even provide scripts and tools to do so. An increasing number of stakepools is being build by people with no or limited knowledge of Linux system administration. The task of a stakepool operator however doesn't end after building a stakepool. He or she should implement best practices to secure the nodes. When a node gets hacked, the general public might think that Cardano gets hacked and this could harm all the marketing effort that is being put into Cardano and thus harm the Cardano-ecosystem.

Remote administration of Linux servers is carried out in general by using SSH terminal client sessions. Hackers know this all to well and will therefore try to login using SSH or try to attack the SSH daemon running on the server. Now some operators might say they have build in extra security measures to prevent their system from being hacked. I ask these operators to just have a short look at the security issues that have been found in openSSH in the past.

Way of testing

A simple virtual Linux machine was deployed at a cloud service provider, provisioned with a public ip address and the package jq was installed on the server. The ip addresses and DNS records were extracted and deduped from the publicly available list of relays that is maintained by Cardano. With the use of a batch file and the package nc, each ip address and DNS record was tested to see if it was possible to connect to the SSH port. Each server that allowed the connection was put in a text file. No attempts to login or attack the SSH port were made.

 

Results

The public relay list held a total of 1624 relay nodes, after deduplication 1476 ip addresses and DNS records remained. 405 relay nodes allowed the connection to their SSH port which is equivalent to nearly 27.5% of all relay nodes.

 

Best practices

  • keep your server up to date and install at least the security updates on a regular basis
  • if you don't use SSH to administer your server because you use a physical console then shut down the SSH daemon
  • only allow trusted ip addresses to connect to the SSH port of your node on the edge device (your router at home or the office or the firewall of your cloud service provider)
  • only allow trusted ip addresses to connect to the SSH port of your node using the firewall on the Linux server
  • disable SSH login for the root account
  • disable username / password SSH logins
  • limit the amount of concurrent SSH logins to the number that you actually use + 1
  • use a RSA public / private key pair with a 4096-bit key size to login
  • password protect the RSA private key with a strong password
  • remove all Cardano related keys from your relay node. a relay node doesn't need any of those

Optional best practices

  • use a stepping stone or jump server to administer your nodes
  • use a separate VPN server to access your stepping stone or jump server 

Follow up

We will repeat this port test from time to time and sincerely hope that next time all relay nodes have their SSH ports closed for untrusted public ip addresses.

Author VRITS
VRITS is a stakepool build to last, designed, operated and maintained by an IT professional with over 30 years of IT experience with a high interest in Cardano. VRITS writes articles and tries to create awareness of things that should be taken care of.
Support the Author 🙏
Author´s StakePool
Pool ID
Read next

Security of Cardano

The security of public networks is not governed by a centralized authority. It is something that evolves organically with the growth of projects. Let's have a look at how secure Cardano is....

Cardanians.io 25-01-2021, 14:46 · 18 min read

WingRiders is provably secure DEX on Cardano

The WingRiders source code has been audited by the renowned security company CERTIK. Let's explain why a security audit is important, how it is performed, and most importantly, what was the result....
17-03-2022, 12:38 · 8 min read · Cardanians.io

Who will maintain Cardano

Cardano is a public global protocol with open source code. Millions of people can use it every day. The question is who should be responsible for maintaining the global protocol that is supposed to be...
12-02-2021, 14:13 · 14 min read · Cardanians.io

Blockchain needs a viable incentive mechanism

The economical and incentivize model is a very underestimate topic when talking about cryptocurrencies. It influences how many people will be willing to operate a node or how secure the protocol will ...
08-12-2019, 23:00 · 19 min read · Cardanians.io

Cardano has undergone an independent source code audit

Cardano has undergone an independent source code audit by the respected company Root9B. The IOHK team wanted to reassure users that Cardano is a secure protocol. Let's take a look at the published aud...
29-05-2020, 13:28 · 6 min read · Cardanians.io