NOTE! If you are setting up a new ZenCash Secure Node – look at this guide first: https://blockoperations.com/how-to-build-and-operate-a-zencash-secure-node/
Everything in this post is still valid, and if you follow along on this post it explains more of what is going on and is a more basic tutorial. Part 1 and Part 2 are still completely valid and are duplicated in the newest post…just with fewer pictures and explanations.
This is part 1 of a 3 part tutorial for setting up a Zen Secure Node. Part 2 is available at Zen Secure Node Part 2
Part 3 will be written after the Zen software is updated to include Secure Node functionality. Here is part 3: https://blockoperations.com/how-to-build-and-operate-a-zencash-secure-node/
I’ve been spending a bit of time on working with the ZenCash project, making videos on the ZenCash Youtube Channel and posts at the ZenCash blog. A lot of people on the ZenCash Slack have been asking about building a ZenCash secure node. Here is the first part of how to set one up on a Virtual Private Server (VPS) that you can rent without having to own your own hardware.
The first part involves the basics – setting up the VPS for usability and security. This setup is for one Secure Node per VPS.
There are other ways of doing this including multiple nodes on larger systems using virtualization, or (forthcoming) setting one up on a Raspberry Pi. This is not the guide for those other ways. This is a guide for a way that will definitely work.
Rent a VPS
There are hundreds of VPS providers out there. Use the one you want. I am using Linode as an example because they have datacenters all over the world, I like their control panel, and it is very easy to upgrade your existing VPS to one with more processor and memory automatically. People tell me that OVH is a better deal than Linode right now, so make your own choice.
Read the Linode Getting Started guide to get started. It has many more pictures and details than I provide below. There is also extensive documentation at Linode and on Digital Ocean for how to do these kinds of things.
Add a Linode 4096 to your account.
Rename it to something useful.
Deploy an Image.
I prefer to use Ubuntu 16.04 LTS. Set a root password, and remember it. Even better, write it down somewhere.
Boot the VPS by pressing the big Boot button on the Dashboard.
Figure out the IP address of your VPS. On this Linode it is 22.214.171.124
Get ready to connect to your VPS with Secure SHell (SSH). If you don’t know how, look at Connecting to your Linode with SSH.
I like to edit text files with vim, and there is a quick guide on using vim here. Here is a graphical guide to vim you can print out. For a more basic text editor, I recommend using nano. Vim is cool once you learn how to use it because there are lots of shortcuts and you can keep your hands in normal touch typing position to do most things.
I am going to assume you are connecting from a Mac or Linux PC or using the Bash shell from Windows PC in the command examples to follow. If you connect with Putty or SecureCRT on Windows it will be almost, but not quite exactly, the same.
On your own system first! Update your own hosts file with the name and IP address of your VPS
sudo vim /etc/hosts
At the bottom of /etc/hosts type in basic information about your VPS so you only have to remember a name (go to the bottom with GG, type o to enter insert mode, type the info, hit the Esc key, type :wq. If you mess up, hit the Esc key and type :q! to quit without making changes).
IP address then hostname. For this example, I added this to the bottom of the /etc/hosts file.
Then make sure you have hostname resolution and basic network connectivity to the VPS. Ping it to make sure it is there:
You should see something similar to this response. Type Ctrl-C to stop the pinging:
Now connect to your VPS. You’ll need to type the password you created earlier
It looks like this – I typed the password wrong the first two times, of course:
Now we go through and set things up for usability and security. Update the system:
apt-get update && apt-get -y upgrade
That will take a little while. You should run this command every week or two to keep your VPS fresh and updated. But not right before you are going to be away from your system for a little while. Sometimes upgrades break things and you have to Google for how to fix them. Sometimes stuff happens. In this upgrade, the system asked me a question – I accepted the default answer by hitting Tab then Enter:
Next set the hostname to whatever your system’s hostname should be:
hostnamectl set-hostname znode
Then tell the system how to find itself. Edit the file with nano, which is pretty easy to use:
Insert a line at line 3 or so with IP address and hostnames. If you know what your Fully Qualified Domain Name (FQDN) will be, enter that information now also. If you don’t, we’ll get back to that later. This is the line to insert:
126.96.36.199 znode znode.blockoperations.io
Set the timezone. This is optional, but handy for reviewing logs. You can look up your timezone by typing this and using the space bar to go to the next page:
Command to set the timezone:
timedatectl set-timezone 'America/New_York'
Add a user account and give the user full administrative privileges. Type in a password, preferably a different one than the root password:
adduser blockops && adduser blockops sudo
Now exit the VPS. This is hopefully the last time you will connect to the system as the root user:
Login as the user. From your own system, connect using your username and VPS hostname, then immediately disconnect. Mine looks like this:
Now copy your authentication key-pair to the node (you might not have one, that’s ok, we’ll fix it if you don’t). This part is optional but very useful. You can then exit and login again, and you won’t have to type your password!
ssh-copy-id [email protected]
exit
ssh [email protected]
ssh-keygen -b 4096
On Windows using an SSH application, look at the Linode guide. Then try it again.
Now that we are on the VPS, let’s make it more secure. First disable root login by editing a configuration file. Don’t skip these configurations, unless you want to get hacked:
sudo vim /etc/ssh/sshd_config
Scroll down using the j key. Change the line that controls root login (it should be line 28) so that root login is disabled (move to the right with l, delete with x, press a to append, type the words, hit Esc when done typing, then type :wq to save the file).
The file will look like this after the change.
Now restart the sshd service. Linux has command tab completion, which means if you don’t want to type an entire word out, you can hit Tab and if there is only one choice all the characters will be typed in automatically for you. Try it after typing sshd below.
sudo systemctl restart sshd.service
Now that you’re used to editing configuration files I’m going to provide fewer screenshots and more instructions. Let’s install some basics to make things work better.
sudo apt update
sudo apt -y install git screen vim nmap ncdu busybox inxi links unzip python
Now make vim prettier by editing ~/.vimrc. From your home directory (type cd to get there quick), type
Put these words on their own line, save and exit.
Edit the bash login file:
Add these two lines at the bottom
force_color_prompt=yes
LS_COLORS=$LS_COLORS:'di=0;36:' ; export LS_COLORS
Exit and log back in. If you are using a terminal, up arrow recalls your last command(s).
Add a Firewall
Basic install is complete, let’s add some security. First we add a firewall and open some ports. Enter the following commands EXACTLY (in this order) to set up your firewall:
Check whether the firewall is already running. It should not be:
sudo ufw status
Please note: Make sure you enter the code in this order! If you do not, the program will not work! (If need be you can disable your firewall by entering: sudo ufw disable)
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ssh/tcp
sudo ufw limit ssh/tcp
sudo ufw allow http/tcp
sudo ufw allow https/tcp
sudo ufw allow 9033/tcp
sudo ufw logging on
sudo ufw enable
Say yes at the end when it asks if you want to enable it. Then check your firewall’s status by entering the following command:
sudo ufw status
You will see a message saying that your ufw status is active. It will activate upon reboot as well, which is what you want.
sudo apt -y install mailutils postfix
Use the Postfix Mail defaults of internet site and hostname when it asks you.
Change the aliases so you will get an email if there is a problem (hopefully). This is the easy way to do email, which sometimes gets blocked by big company mail servers. There is a more complicated and more reliable way to do email, but it is not necessary to set that up now. Also, Postfix is what I use because I know how to set it up, I know how it works, and it’s very reliable. There are probably other mail servers that are easier to use. But you still need to set your aliases. Edit your alias file:
sudo vim /etc/aliases
Add this to the bottom of the file. Please use your own email address:
Enter this command to make the alias effective:
Let’s make sure it starts on boot and is running now.
sudo systemctl enable postfix
sudo systemctl restart postfix
Then test the email system. The simple test looks like this. To send the message you have to type Ctrl-d after the “test email 1 line” in the picture
It worked for me. I got the test email in my email application. If it does not work you can check the log and see what is wrong. That’s the nice thing about Linux, there are logs for everything. Usually they are in /var/log, and in this case /var/log/mail.log. If you want to see what it says type:
tail -n 100 /var/log/mail.log
Update – it looks like Linode may have changed the logging properties of postfix. If you want more detail on postfix configuration, look here: https://help.ubuntu.com/lts/serverguide/postfix.html
On to the next task.
Basic Intrusion Prevention with Fail2Ban
This will stop various people on the Internet from running non-stop dictionary attacks against your system. Well, it will slow them down. After 10 failed login attempts from a single IP address, it blocks that IP address from trying to login again for 10 minutes. Better than no protection, anyway.
sudo apt -y install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
If you are interested in seeing what fail2ban is actually doing, watch your fail2ban log for a little while. That’s the great thing about servers, they write things down when things are going well, and especially when things are going badly. In Linux, all those logs are readable. Here is one way to look at the fail2ban log. Type Ctrl-c to exit the tail application.
sudo tail -f /var/log/fail2ban.log
Here is output showing a banned IP address, unbanned after 10 minutes:
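If you would rather summarize the log than watch it scroll by, here is an added example script (not from the original post) that counts bans per IP address and lists which addresses are banned right now, using constructed sample log lines when the real log is not readable:

```shell
#!/bin/bash
# Summarize what fail2ban has been doing from its log: bans per IP and
# which IPs are banned right now (a Ban with no later Unban).
# Added example, not from the original post. Matches fail2ban's default
# "[jail] Ban <ip>" / "[jail] Unban <ip>" log lines.

# Constructed sample lines (made up for this example) used when the real
# log is missing or not readable (it is root-only, hence the post's sudo tail).
SAMPLE_LOG=$(cat <<'EOF'
2017-06-15 10:22:01,410 fail2ban.actions        [1208]: NOTICE  [sshd] Ban 192.0.2.10
2017-06-15 10:25:13,002 fail2ban.actions        [1208]: NOTICE  [sshd] Ban 198.51.100.7
2017-06-15 10:32:01,511 fail2ban.actions        [1208]: NOTICE  [sshd] Unban 192.0.2.10
2017-06-15 10:35:13,100 fail2ban.actions        [1208]: NOTICE  [sshd] Unban 198.51.100.7
2017-06-15 10:40:44,120 fail2ban.actions        [1208]: NOTICE  [sshd] Ban 192.0.2.10
EOF
)

# ban_counts FILE: print "<bans> <ip>" for each IP, most-banned first.
# A high count means one host keeps coming back after every 10-minute ban.
ban_counts() {
    awk '/ Ban /   { bans[$NF]++ }
         END       { for (ip in bans) print bans[ip], ip }' "$1" | sort -rn
}

# still_banned FILE: print IPs whose most recent event is a Ban.
still_banned() {
    awk '/ Ban /   { state[$NF] = "banned" }
         / Unban / { state[$NF] = "free" }
         END       { for (ip in state) if (state[ip] == "banned") print ip }' "$1" | sort
}

LOG=${1:-/var/log/fail2ban.log}
if [ ! -r "$LOG" ]; then
    LOG=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$LOG"
fi
echo "Bans per IP:";      ban_counts "$LOG"
echo "Currently banned:"; still_banned "$LOG"
```

Run it with sudo to read the real log, or pass another log file as the first argument.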
Setup Swap Space for More Memory (slow, but sometimes useful)
I like to use inexpensive VPS’s. Every once in a while, for compiling something, or for creating ZenCash Shielded transactions, a server needs a little more memory. As long as it does not need it very often, it can use hard drive space as temporary memory. First, see how much hard drive space you have:
then how much memory you have
Now we are going to take some of that SSD space and make it into swap space. Enter these commands. Type “sudo ls” first then enter your password so the system knows you are ready to go.
sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
check it out – more memory in swap!
Now make the swap work better. Add a line to this file
sudo vim /etc/sysctl.conf
Add to the bottom:
Then make it so the swap gets mounted when the server reboots. It would be unfortunate if it did not. Edit the fstab file
sudo vim /etc/fstab
Add to the bottom:
/swapfile none swap sw 0 0
Now we have a nice roomy VPS. This won’t solve all your problems. If you start getting slow performance, you may need to upgrade your VPS to a faster version that costs more money each month. Linode provides nice graphs of utilization to help you with that. You can also run top or htop (sudo apt install htop) to see how the VPS is doing. This is what top looks like – there is a lot of useful information there:
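The swap commands above work once; here is an added example (not the post's own commands) that does the same steps so they can be re-run safely, checking for an existing swap file, an active swap area, and an existing fstab line before touching anything. The SWAPFILE and FSTAB variables are my additions so the fstab check can be tried on a scratch file.

```shell
#!/bin/bash
# Set up the 4G swap file from the post so the steps can be re-run safely:
# skip what is already done, fall back to dd where fallocate is not
# supported, and add the fstab line only once (a duplicate line produces
# swapon errors at boot). Added example, not the post's own commands.
set -u
SWAPFILE=${SWAPFILE:-/swapfile}
FSTAB=${FSTAB:-/etc/fstab}

# fstab_has_swapfile FSTAB SWAPFILE: return 0 if FSTAB already has a swap
# entry for SWAPFILE (first field is the file, third field is "swap").
fstab_has_swapfile() {
    awk -v f="$2" '$1 == f && $3 == "swap" { found = 1 } END { exit !found }' "$1"
}

setup_swap() {
    if [ ! -f "$SWAPFILE" ]; then
        # fallocate is instant on ext4; other filesystems may need dd
        sudo fallocate -l 4G "$SWAPFILE" ||
            sudo dd if=/dev/zero of="$SWAPFILE" bs=1M count=4096
        # Mode 600: anything swapped out (keys, wallet data) lands in this
        # file, so other local users must not be able to read it.
        sudo chmod 600 "$SWAPFILE"
        sudo mkswap "$SWAPFILE"
    fi
    # /proc/swaps lists active swap areas; skip swapon if already active
    if ! grep -q "^$SWAPFILE " /proc/swaps; then
        sudo swapon "$SWAPFILE"
    fi
    if fstab_has_swapfile "$FSTAB" "$SWAPFILE"; then
        echo "fstab already has an entry for $SWAPFILE"
    else
        echo "$SWAPFILE none swap sw 0 0" | sudo tee -a "$FSTAB" > /dev/null
    fi
    free -m
}

# Only do the real work when asked: ./setup_swap.sh --run
if [ "${1:-}" = "--run" ]; then
    setup_swap
fi
```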
Install a Rootkit Detector and Write Upgrade Script
Wouldn’t it be great, if you were hacked, that your VPS had a chance at figuring that out then telling you? That’s what rkhunter does. It’s a basic application to let you know. That way if you are hacked you can wipe your server image clean and restore from backup. For important servers, pay the $2/month at Linode for the backup option.
Install rkhunter and do an initial file scan.
sudo apt -y install rkhunter
sudo rkhunter --propupd
If you update your VPS you will want to run the rkhunter scan right after so it sees the updated files. You could write yourself a handy little upgrade script and run it so you don’t forget these things. Let’s do that right now. Create a file named upgrade_script.sh and put this in it:
#!/bin/bash
sudo apt update
sudo apt -y dist-upgrade
sudo apt -y autoremove
sudo rkhunter --propupd
After saving the file, change its permissions so it can be run
chmod +x upgrade_script.sh
Now run it with admin permissions
There you go! Now you don’t need to remember all the commands to run to upgrade your system. Just login and run the shell script.
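The script above only refreshes rkhunter's file database; it never actually scans. Here is an added, longer version (not the post's script) that upgrades, refreshes the database, then runs a real scan and mails any warnings to root, which reaches you through the /etc/aliases entry set up earlier. It assumes rkhunter and mailutils are installed as described in the post.

```shell
#!/bin/bash
# Upgrade the VPS, refresh rkhunter's file database, then run an actual
# rkhunter scan and mail any warnings to root (delivered via /etc/aliases).
# Added example, not the post's own script.

# has_warnings REPORT: return 0 if the rkhunter report contains a Warning
# line. Kept separate so the mail decision can be checked without root.
has_warnings() {
    grep -q 'Warning:' "$1"
}

run_upgrade() {
    sudo apt update
    sudo apt -y dist-upgrade
    sudo apt -y autoremove
    # Refresh the file-property database so the freshly upgraded binaries
    # are not flagged as tampered on the scan that follows.
    sudo rkhunter --propupd
}

run_scan() {
    report=$(mktemp)
    # --sk: do not wait for keypresses; --rwo: print only the warnings.
    # rkhunter exits non-zero when it finds something, so do not let that
    # stop the script before the report has been mailed.
    sudo rkhunter --check --sk --rwo > "$report" 2>&1 || true
    if has_warnings "$report"; then
        mail -s "rkhunter warnings on $(hostname)" root < "$report"
        echo "rkhunter reported warnings; mail sent to root"
    else
        echo "rkhunter scan clean"
    fi
    rm -f "$report"
}

# Only do the real work when asked: ./upgrade_script.sh --run
if [ "${1:-}" = "--run" ]; then
    run_upgrade && run_scan
fi
```

Read the mailed report before acting on it: a warning right after an upgrade usually means propupd did not run, not that the box was compromised.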
Whew! That was a lot of work. Anyway, now you have a secure VPS all ready to go. Next time you do this, it will go faster.
Part 2 will be about installing the ZenCash specific applications.
Part 3 will be written after the ZenCash Node Tracker software is in beta, and after the Zen node software is updated to use SSL certificates to encrypt the node to node communications.