laconicd-deprecated/docs/testnet/security.md

Validator Security

Checklist

Conduct Survey on General Controls of Hosting Data Centre

Perform a survey on the hosting data centre, and compare your result with the best practice suggested below

For example, your hosting data centre should have following features

Controls Category	Description of Best Practice
Data Center	Redundant Power
Data Center	Redundant Cooling
Data Center	Redundant Networking
Data Center	Physical Cage/Gated Access
Data Center	Remote Alerting Security Camera

Current Status of Node Setup

Perform a survey on your current status of node setup, and compare your result with the best practice suggested below

Controls Category	Description of Best Practice
General System Security	Operating system appropriately patched. Kernel is updated to latest stable version. The node should be operated in x86_64 environment
General System Security	Auto-updates for operation system is configured. Toolkit for automatic upgrades exists (e.g. auter, yum-cron, dnf-automatic, unattended-upgrades)
General System Security	Security framework enabled and enforcing. SELinux / AppArmor / Tomoyo / Grsecurity Enabled.
General System Security	No insecure and unnecessary services Installed. (e.g. telnet, rsh, inetd, etc ...)
General System Security	GRUB boot loader password is configured. Grub2 configured with password
General System Security	Only root permissions on core system files
File Directory Security	Secure the directory ~/.ethermintd to be accessible by owner only
Binary Configuration	Recommend the following settings in config.toml for both performance and security - For sentry nodes: max_num_inbound_peers = 500, max_num_outbound_peers = 50, flush_throttle_timeout = "300ms" - For validator node: max_num_inbound_peers = 100, max_num_outbound_peers = 10, flush_throttle_timeout = "100ms"
Account Security & Remote Access	Following Password policies are enforced: No Blank Passwords; Weak Passwords Not Allowed
Account Security & Remote Access	Following SSH configurations are enabled: PermitRootLogin: no; PasswordAuthentication no; ChallengeResponseAuthentication no; UsePAM yes; AllowUsers Necessary user only; AllowGroups Necessary group only.
Networking	Network throughput test using speedtest. Recommend to have at least 5 Mbps upload, 5 Mbps download)
Networking	Host-based (e.g. iptables) or cloud-based (e.g. AWS Security Group) firewall is enabled to protect all the involved nodes. Remote management ports (e.g. SSH - TCP 22) should only be exposed to selected IP instead of the internet. No overly permissive rules (e.g. wide range of allowed ports 1-65535) should be set. For internal communication channels between nodes, they should be set with specific source and destination addresses. For internet reachable nodes, set TCP 26656 to be the only incoming port, if possible.
Networking	Intrusion Detection / Prevention System (e.g. Fail2Ban, Snort, OSSEC) is installed and enforcing
Networking	Setup sentry node architecture to protect validator node, and set firewall rules to restrict direct internet access to it.
Networking	The Remote Procedure Call (RPC) provides sensitive operations and information that is not supposed to be exposed to the Internet. By default, RPC is on and allow connection from 127.0.0.1 only. Please be extremely careful if you need to allow RPC from other IP addresses.
Redundancy	Hot standby node is setup with the same configuration as main node
Redundancy	System monitoring and alerting is setup to alert owners on anomalies
Key Management	Setup Tendermint KMS with HSM or equivalent online service, which should replace the static key file.
DDOS	Setup validator in accordance with sentry architecture. Kindly refer to the setup instruction and detailed description.