Build a ZenCash Secure Node – Part 1 – Prepare the VPS
Do Not Use This Guide!
THIS GUIDE IS NO LONGER ACCURATE!
Instead, please use the ZenCash guide at zencash.com
I am keeping this post up for historical information and to help people who want to continue to use this guide.
NOTE! If you are setting up a new ZenCash Secure Node – look at this guide first: https://blockoperations.com/how-to-build-and-operate-a-zencash-secure-node/
Everything in this post is still valid, and if you follow along on this post it explains more of what is going on and is a more basic tutorial. Part 1 and Part 2 are still completely valid and are duplicated in the newest post…just with less pictures and explanations.
This is part 1 of a 3 part tutorial for setting up a Zen Secure Node. Part 2 is available at Zen Secure Node Part 2
Part 3 will be written after the Zen software is updated to include Secure Node functionality. Here is part 3: https://blockoperations.com/how-to-build-and-operate-a-zencash-secure-node/
I’ve been spending a bit of time on working with the ZenCash project, making videos on the ZenCash Youtube Channel and posts at the ZenCash blog. A lot of people on the ZenCash Slack have been asking about building a ZenCash secure node. Here is the first part of how to set one up on a Virtual Private Server (VPS) that you can rent without having to own your own hardware.
The first part involves the basics – setting up the VPS for usability and security. This setup is for one Secure Node per VPS.
There are other ways of doing this including multiple nodes on larger systems using virtualization, or (forthcoming) setting one up on a Raspberry Pi. This is not the guide for those other ways. This is a guide for a way that will definitely work.
Rent a VPS
There are hundreds of VPS providers out there. Use the one you want. I am using Linode as an example because they have datacenters all over the world, I like their control panel, and it is very easy to upgrade your existing VPS to one with more processor and memory automatically. People tell me that OVH is a better deal than Linode right now, so make your own choice.
Read the Linode Getting Started guide to get started. It has many more pictures and details than I provide below. There is also extensive documentation at Linode and on Digital Ocean for how to do these kinds of things.
Add a Linode 4096 to your account.
Rename it to something useful.
Deploy an Image.
I prefer to use Ubuntu 16.04 LTS. Set a root password, and remember it. Even better, write it down somewhere.
Boot the VPS by pressing the big Boot button on the Dashboard.
Figure out the IP address of your VPS. On this Linode it is 22.214.171.124
Get ready to connect to your VPS with Secure SHell (SSH). If you don’t know how to look at Connecting to your Linode with SSH
I like to edit text files with vim, and there is a quick guide on using vim here. Here is a graphical guide to vim you can print out. For a more basic text editor, I recommend using nano. Vim is cool once you learn how to use it because there are lots of shortcuts and you can keep your hands in normal touch typing position to do most things.
I am going to assume you are connecting from a Mac or Linux PC or using the Bash shell from Windows PC in the command examples to follow. If you connect with Putty or SecureCRT on Windows it will be almost, but not quite exactly, the same.
On your own system first! Update your own hosts file with the name and IP address of your VPS
sudo vim /etc/hosts
At the bottom of /etc/hosts type in basic information about your VPS so you only have to remember a name (go to bottom with GG, typo o to enter, type the info, hit Esc key, type :wq. If you mess up, hit Esc key, type :q! to make no changes)
IP address then hostname. For this example, I added this to the bottom of the /etc/hosts file.
Then make sure you have hostname resolution and basic network connectivity to the VPS. Ping it to make sure it is there:
You should something similar to this response. Type Ctrl-C to stop the pinging:
Now connect to your VPS. You’ll need to type the password you created earlier
ssh [email protected]
It looks like this – I typed the password wrong the first two times, of course:
Now we go throught and set things up for usability and security. Update the system:
apt-get update && apt-get -y upgrade
That will take a little while. You should run this command every week or two to keep your VPS fresh and updated. But not right before you are going to be away from your system for a little while. Sometimes upgrades break things and you have to Google for how to fix them. Sometimes stuff happens. In this upgrade, the system asked me a question – I accepted the default answer by hitting Tab then Enter:
Next set the hostname to whatever your system’s hostname should be:
hostnamectl set-hostname znode
Then tell the system how to find its ownself. Edit the file with nano, which is pretty easy to use:
Insert a line at line 3 or so with IP address and hostnames. If you know what your Fully Qualified Domain Name (FQDN) will be, enter that information now also. If you don’t, we’ll get back to that later. This is the line to insert:
126.96.36.199 znode znode.blockoperations.io
Set the timezone. This is optional, but handy for reviewing logs. You can look up your timezone by typing this and using the space bar to go to the next page:
Command to set the timezone:
timedatectl set-timezone 'America/New_York'
Add a user account and give the user full administrative privileges. Type in a password, preferably a different on than the root password:
adduser blockops && adduser blockops sudo
Now exit the VPS. This is hopefully the last time you will connect to the system as the root user:
Login as the user. From your own system, connect using your username and VPS hostname, then immediately disconnect. Mine looks like this:
Now copy your authentication key-pair to the node (you might not have one, that’s ok, we’ll fix it if you don’t). This part is optional but very useful. You can then exit and login again, and you won’t have to type your password!
ssh-copy-id [email protected] exit ssh [email protected]
If that does not work, you have to create an authentication key pair. Only do this if it does not work! On Linux, Windows Bash, and mac:
ssh-keygen -b 4096
On windows using and SSH application, look at the Linode guide. Then try it again.
Now that we are on the VPS, let’s make it more secure. First disable root login by editing a configuration file. Don’t skip these configurations, unless you want to get hacked:
sudo vim /etc/ssh/sshd_config
Scroll down using the j key. Change line (should be 28) to read (move to right with l, delete with x, press a to add, type the words, hit Esc when done typing, then :wq to save the file)
The file will look like this after the change.
Now restart the sshd service. Linux has command tab completion, which means if you don’t want to type an entire word out, you can hit Tab and if there is only one choice all the characters will be typed in automatically for you. Try it after typing sshd below.
sudo systemctl restart sshd.service
Now that you’re used to editing configuration files I’m going to provide fewer screenshots and more instructions. Let’s install some basics to make things work better.
sudo apt update sudo apt -y install git screen vim nmap ncdu busybox inxi links unzip python
Now make vim prettier by editing ~/.vimrc. From your home directory (type cd to get there quick), type
Put these words on their own line, save and exit.
Edit the bash login file:
Add these two lines at the bottom
force_color_prompt=yes LS_COLORS=$LS_COLORS:'di=0;36:' ; export LS_COLORS
Exit and log back in. If you are using a terminal, up arrow recalls your last command(s).
Add a Firewall
Basic install is complete, let’s add some security. First we add a firewall and open some ports. Enter the following commands EXACTLY (in this order) to set up your firewall:
Check if firewall is already running. It should not be
sudo ufw status
Please note: Make sure you enter the code in this order! If you do not, the program will not work! (If need be you can disable your firewall by entering: sudo ufw disable)
sudo ufw default allow outgoing sudo ufw default deny incoming sudo ufw allow ssh/tcp sudo ufw limit ssh/tcp sudo ufw allow http/tcp sudo ufw allow https/tcp sudo ufw allow 9033/tcp sudo ufw logging on sudo ufw enable
Say yes at the end when it asks if you want to enable it. Then check your firewall’s status by entering the following command:
sudo ufw status
You will see a message saying that your ufw status is active. It will activate upon reboot as well, which is what you want.
sudo apt -y install mailutils postfix
Use the Postfix Mail defaults of internet site and hostname when it asks you.
change aliases so you will get an email if there is a problem (hopefully). This is the easy way to do email, that sometimes get blocked by big company mail servers. There is a more complicated and reliable way to do email, but it is not necessary to set that up now. Also, Postfix is what I use because I know how to set it up, I know how it works, and it’s very reliable. There are probably other mail servers that are easier to use. But you still need to set your aliases. Edit your alias file
sudo vim /etc/aliases
add to the bottom of the file. Please use your own email address:
Enter this command to make the alias effective
Let’s make sure it starts on boot and is running now.
sudo systemctl enable postfix sudo systemctl restart postfix
Then test the email system. The simple test looks like this. To send the message you have to type Ctrl-d after the “test email 1 line” in the picture
It worked for me. I got the test email on my email application. If it does not work you can check the log and see what is wrong. That’s the nice thing about linux, there are logs for everything. Usually they are in /var/log, and in this case /var/log/mail.log. If you want to see what is says type:
tail -n 100 /var/log/mail.log
Update – it looks like Linode may have changed the logging properties of postfix. If you want more detail on postfix configuration, look here: https://help.ubuntu.com/lts/serverguide/postfix.html
On to the next task.
Basic Intrusion Prevention with Fail2Ban
This will stop various people on the Internet from running non-stop dictionary attacks against your system. Well, it will slow them down. After 10 failed login attempts from a single IP address, it blocks that IP address from trying to login again for 10 minutes. Better than no protection, anyway.
sudo apt -y install fail2ban sudo systemctl enable fail2ban sudo systemctl start fail2ban
If you are interested in seeing what fail2ban is actually doing, watch your fail2ban log for a little while. That’s the great thing about servers, they write things down when things are going well, and especially when things are going badly, In Linux, all those logs are readable. Here is one way to look at the fail2ban log. Type Ctrl-c to exit the tail application.
sudo tail -f /var/log/fail2ban.log
Here is output showing a banned IP address, unbanned after 10 minutes:
Setup Swap Space for More Memory (slow, but sometimes useful)
I like to use inexpensive VPS’s. Every once in a while, for compiling something, or for creating ZenCash Shielded transactions, a server needs a little more memory. As long as it does not need it very often, it can use hard drive space as temporary memory. First, see how much hard drive space you have:
then how much memory you have
Now we are going to take some of that SSD space and make it into swap space. Enter these commands. Type “sudo ls” first then enter your password so the system knows you are ready to go.
sudo fallocate -l 4G /swapfile sudo chmod 600 /swapfile sudo mkswap /swapfile sudo swapon /swapfile
check it out – more memory in swap!
Now make the swap work better. Add a line to this file
sudo vim /etc/sysctl.conf
add to bottom:
Then make it so the swap gets mounted when the server reboots. It would be unfortunate if it did not. Edit the fstab file
sudo vim /etc/fstab
add to bottom:
/swapfile none swap sw 0 0
Now we have a nice roomy VPS. This won’t solve all your problems. If you start getting slow performance, you may need to upgrade your VPS to a faster version that costs more money each month. Linode provides nice graphs of utilization to help you with that. You can also run top or htop (sudo apt install htop) to see how the VPS is doing. This is what top looks like – there is a lot of useful information there:
Install a Rootkit Detector and Write Upgrade Script
Wouldn’t it be great, if you were hacked, that your VPS had a chance at figuring that out then telling you? That’s what rkhunter does. It’s a basic application to let you know. That way if you are hacked you can wipe your server image clean and restore from backup. For important servers, pay the $2/month at Linode for the backup option.
Install rkhunter and do an initial file scan.
sudo apt -y install rkhunter sudo rkhunter --propupd
If you update your VPS you will want to run the rkhunter scan right after so it sees the update files. You could write yourself a handy little upgrade script and run it so you don’t forget these things. Let’s do that right now
put this in the file
#!/bin/bash sudo apt update sudo apt -y dist-upgrade sudo apt -y autoremove sudo rkhunter --propupd
After saving the file, change its permissions so it can be run
chmod +x upgrade_script.sh
Now run it with admin permissions
There you go! Now you don’t need to remember all the commands to run to upgrade your system. Just login and run the shell script.
Whew! That was a lot of work. Anyway, now you have a secure VPS all ready to go. Next time you do this, it will go faster.
Part 2 will be about installing the ZenCash specific applications.
Part 3 will be written after the ZenCash Node Tracker software is in beta, and after the Zen node software is updated to use SSL certificates to encrypt the node to node communications.
More Information on Block Operations
Block Operations YouTube Channel
May 14, 2017 @ 11:29 am
Thank you so much, that was a great tutorial !
I am using Vultr, and I wanted to let other know that they block port 25 by default. So sending mail is not working. I just contacted them to see if they can lift the block.
Other than that, looking forward for the next tutorial.
May 15, 2017 @ 1:31 pm
Just one quick question: is that small linode VPS able to handle the locally stored blockchain over time ?
From the whitepaper I got there is a 2MB block every 2.5min, which translates to an added 33,75 GB (2MB*(60/2.5)*24*30) of local storage each month or 405GB per year.
I’m I mistaken on how to calculate this ?
May 22, 2017 @ 8:53 pm
The blocks won’t be full for a while. You should have time. That’s one of the reasons I like Linode – you can upgrade in place to a bigger Linode.
May 17, 2017 @ 3:42 am
Good article , esp on the system security, thanks. Looking forward to part 2.
May 19, 2017 @ 12:04 am
Thank you very much I have been looking for this information for a while, cant wait to finish things up in part two.
May 22, 2017 @ 2:27 pm
Thanks a lot for part 1, great work! When will part 2 be published?
The question of Kahana82 is mine as well. What traffic and storage is required long term for running a ZEN full node?
May 22, 2017 @ 8:54 pm
I intend to publish part 2 later this week, after the launch. The node software is getting published last minute. This is not a bleeding edge tutorial, but I will provide a complete guide as soon as I can. Glad you all like the first part!
Also, the blocks won’t be full for a while. You should have time. That’s one of the reasons I like Linode – you can upgrade in place to a bigger Linode.
June 6, 2017 @ 5:30 am
Hi! When we can see part 2?
June 7, 2017 @ 9:35 pm
posted it earlier this week.
Build a ZenCash Secure Node Part 2 - Build the Zen Node - Block Operations
June 6, 2017 @ 11:26 am
[…] you have a secure Linux server prepared, you can set up a Zen Node. See Build a ZenCash Secure Node – Part 1 – Prepare the VPS if you still need to prepare your […]
June 6, 2017 @ 12:38 pm
Hi please, do you have make the part 2 ?
June 7, 2017 @ 9:35 pm
yes, I posted it.
June 8, 2017 @ 1:07 pm
Is it possible to setuo multiple nodes from 1 ip?
June 8, 2017 @ 11:50 am
Is it possible to run multiple nodes from 1ip? Please let me know!
June 14, 2017 @ 1:44 am
Would be cool if you’re able to post a basic virtualbox VMDK, that could be configured with the final details to make a node.
That way people could set up a node on their PC in a few minutes.
July 10, 2017 @ 9:11 am
I’ve been going through this great tutorial but ran into a problem when it came to setting up the email, I left the default parameters as you suggested but I think the second parameter was wrong, it was znode followed by the nodes ip address with the first 3 numbers missing.
I assume it probably wanted the full FQDN domain name in there (which I don’t have at this point)!
August 28, 2017 @ 12:11 pm
Hi! Thanks for the nice tutorial!
All seems to be clear, except the necessity of the TCP ports 80 and 443 being open to the public. It looks like node communication will run over port 9033?
It is an important aspect for me, as I operate some highly reliable VMware servers around the country, where I could put zencash node VMs, but public IP is a valuable asset, and ports 80 and 443 are already in use at most sites/most IPs.
August 28, 2017 @ 12:19 pm
ports 80 and 443 are used by letsencrypt. You can use some other method to get a secure certificate, then you won’t need to use those ports.
August 30, 2017 @ 1:14 am
great, thank you! letsencrypt also has DNS verification, that’ll just need some script trickery to automate.
September 12, 2017 @ 4:17 pm
October 13, 2017 @ 4:31 pm
Rolf- wow great tutorial quick and clean!
ZenCash: A private cryptocurrency with Masternodes – Invest it in
October 22, 2017 @ 12:06 am
[…] Secure Node Overview Explanation and Video Secure Node Design Discussion Example of Building Most of Secure Node […]
October 22, 2017 @ 10:31 pm
Thanks for the write up.
Quick question, how can I run the VPS for Linux if I’m on Windows 7?
Would I have to install Linux in order to use the VPS?
How to Build and Operate a ZenCash Secure Node – Complete Guide – Block Operations
November 2, 2017 @ 8:27 pm
[…] Build a ZenCash Secure Node – Part 1 – Prepare the VPS […]
November 20, 2017 @ 6:41 am
Glad you enjoyed the post, Jay!
Wie man eine ZenCash Secure Node erstellt und bedient – vollständiger Leitfaden! – ZenCash Blog
November 29, 2017 @ 12:10 pm
[…] Guide beinhaltet Teil 1, Teil 2, Teil 2.5 und weiter Informationen. Es ist nicht zwingend notwendig die anderen Guides zu […]
November 30, 2017 @ 3:26 pm
thank you very much! I’m putting znode up right now, not sure if 1G RAM anf 0.5G swap will be enough – my VPS provider do not allow to change swap file size. At least I think so, because last command fails:
swapon failed: Operation not permitted
November 30, 2017 @ 3:41 pm
Hm I cant get the swap thing to work.
chmod: cannot access ‘/swapfile’: No such file or directory
pleaaaase help me. Great tutorial this far….
ZenCash セキュアノード構築（２）：Zen ノード構築 – ZenCash Blog
January 6, 2018 @ 7:00 am
[…] 安全な Linux サーバーが準備できたところで、早速 Zen ノードの構築に移っていきましょう。サーバー準備が済んでいない場合は、 ZenCash セキュアノード構築 パート1：VPS の準備 を参照してください。 […]
ZenCash セキュアノード構築（１）：VPSの準備 – ZenCash Blog
January 6, 2018 @ 7:07 am
[…] ＊原文（英語）は Blockop ブログ からご覧いただけます。なお、日本の読者向けに修正を施した箇所があります。 […]
Einen sicheren Netzwerkknoten für ZenCash installieren und bedienen -Vollständiger Leitfaden V02 – ZenCash Blog
January 31, 2018 @ 2:18 pm
[…] haben, lesen Sie sich bitte weitere Hilfen durch, wie zum Beispiel blockoperations’ Anleitung zum Einrichten eines Linux-Servers bei dem Anbieter Linode. Solltet ihr eure “secure node” vom eigenem Server zum VPS Dienstleister […]
Come costruire e rendere operativo un Secure Node ZenCash – ZenCash Blog
February 6, 2018 @ 6:15 pm
[…] il mio tutorial su Come Configurare una VPS se non sai come configurare un utente non-root e una basic […]
February 12, 2018 @ 12:05 pm
Awesome guide man, I really learned so much. I knew Zen was one of the hardest nodes to set up and that’s one of the reasons I wanted to do it. Excited to get on to part 2! Thanks again for taking the time to make this understandable to newcomers.
ZenCash의 보안노드를 구축하는 방법 - ZenCash
April 15, 2018 @ 11:27 am
[…] user를 설정하는 방법과 기본 인증을 구성하는 방법을 모르는 경우 How to Set Up a VPS 에 대한 자습서를 […]
April 18, 2018 @ 4:33 am
you heavily pr-ed #linode #vps is a piece of shit ! it won’t ecxept ANY of my cards, there is no way to pay with any crypto. PIECE OF SHIT!
April 24, 2018 @ 10:49 pm
Thanks for this very comprehensive in-depth tutorial.
The VPS security part 1 should be followed up by many other node setup tuts.
May I suggest that the certificate menu could be made more explicit :
“Use tab, space, enter to navigate the CA Certificates menu:”
replaced by something like, for instance :
“Make sure all have an asterix. Use spacetab to check the required certificates. ca.crt as to be checked”
So it would be even clearer. (I had to double check with help of @psyrax for tls_cert_verified)
如何建立并运行 ZenCash 安全节点 - 官方完整指南 - ZenCash
April 30, 2018 @ 1:34 am
[…] root 用户并配置基本身份验证，请参阅我写的关于如何设立 VPS […]
July 27, 2018 @ 10:47 am
Could be a nIce tutorial if not for this stupid VIM
Why the author decided to screw peoples’s mind with is totally sucking vim, which is only for geeks, and not normal ones who are reading this article – beats me.