How to make zend run on a low numbered network port
I decided to change the port on my Zen node today. I wanted to run some nodes on ports 443, 80, 53, and other common ports so they can’t be blocked by firewalls. Those ports are usually open for users. Firewalls are used to seeing encrypted traffic over port 443, so that is a likely port to use. In some situations it may make the difference between a person being able to use their Zen wallet or not.
Unfortunately, a user-level process can’t typically access ports less than 1000, unless given special permission by root. Fortunately, we have root access on our Linux server!
This is a side note and a follow-on to this article on How to Build a Zen Secure Node – Part 2
First, change the port zend binds on by adding this line to the ~/.zen/zen.conf file:
port=443
Then create a zen start script. You can call it zennodestart.sh or anything else you want.
vim ~/zennodestart.sh
Put in the file:
#!/bin/bash
# Allow the zend binary to bind to low-numbered ports
sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/zend
# Start zend
/usr/bin/zend
Make it executable
chmod +x ~/zennodestart.sh
Give this script permission to be called with the sudo command without password by adding a line to the bottom of the sudoers file. Edit the sudoers file with the command:
sudo visudo
Add to the bottom (put your own username instead of blockops!):
blockops ALL=(ALL) NOPASSWD: /home/blockops/zennodestart.sh
Set the Zen node to start on boot by adding a line to the bottom of the user crontab file using the command
crontab -e
Add this to the bottom (put your own username instead of blockops!)
@reboot /usr/bin/sudo /home/blockops/zennodestart.sh
If we are going to run our zend on port 443, we need to stop it when we renew our letsencrypt cert, so create a script for certification renewal, call it renewcertbot.sh
vim ~/renewcertbot.sh
Put this in the script:
#!/bin/bash
# Stop zend so port 443 is free during the renewal
/usr/bin/zen-cli stop
# Renew the letsencrypt cert
/usr/bin/sudo /usr/bin/certbot renew
# Start zend again
/usr/bin/zend
Make it executable
chmod +x ~/renewcertbot.sh
Give this script permission to be called with the sudo command without password by adding a line to the bottom of the sudoers file. Edit the sudoers file with the command:
sudo visudo
Add to the bottom (put your own username instead of blockops!):
blockops ALL=(ALL) NOPASSWD: /home/blockops/renewcertbot.sh
Save the file, then test by typing
sudo ~/renewcertbot.sh
The output should look like this:
Set the script to run every week or so by adding a line to the bottom of the user crontab file using the command
crontab -e
Add this to the bottom (put your own username instead of blockops!)
30 2 * * 1 /usr/bin/sudo /home/blockops/renewcertbot.sh
Test that it works:
zen-cli stop
zend
sudo netstat -peanut | grep zend
It should look somewhat like this. Notice the first line showing the zend process is listening on tcp port 443:
Let’s make sure the firewall is still open on port 443
sudo ufw status
The upper part of the output should look like this:
To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
At this point you have changed zend to listen on port 443, created a script to automatically start it, made sure the SSL cert gets renewed, checked that the zend process is listening on port 443, and made sure the firewall is open on that port.
For the heck of it, let’s check one more thing. I did not know this command, so I found it by typing
zen-cli help
The command I wanted was
zen-cli getnetworkinfo
This is the output:
If you run your node for a while, you will see more and more nodes start to connect to it. This should work for any type of cryptocurrency node, by the way. The problem with most cryptocurrencies is the data is not encrypted. It’s worth doing this for Zen because there will be an upgrade soon to encrypt all traffic between wallets and nodes, with Secure Node using TLS certificates.
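A sudoers NOPASSWD entry is only as restricted as the file it names: if the account can edit or replace that script, it can run anything as root without a password. The check below is an added example, not part of the original post; it reads a sudoers file and reports NOPASSWD targets, or their parent directories, that a non-root account could modify. The function names and the TRUSTED_UID parameter are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): report NOPASSWD sudoers targets
# that someone other than the trusted uid could modify or replace.

# check_path PATH TRUSTED_UID: print a finding and return non-zero if PATH is
# missing, not owned by TRUSTED_UID, or group/other-writable. Symlinks show as
# lrwxrwxrwx in ls output and are therefore reported as well.
check_path() {
    [ -e "$1" ] || { echo "MISSING  $1"; return 1; }
    ls -ldn -- "$1" | awk -v trusted="$2" -v path="$1" '
        $3 != trusted { print "OWNER    " path " (uid " $3 ")"; bad = 1 }
        substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w" {
            print "WRITABLE " path " (" $1 ")"; bad = 1 }
        END { exit bad }'
}

# audit_nopasswd SUDOERS_FILE [TRUSTED_UID]: return 0 when every NOPASSWD
# command and its parent directory pass check_path, otherwise print the
# findings and return 1. TRUSTED_UID defaults to 0 (root); the parameter is an
# assumption of this example so the check can be tried on constructed files.
audit_nopasswd() {
    trusted=${2:-0}
    # Keep the text after "NOPASSWD:" on uncommented lines, split command
    # lists on commas, and drop arguments so one path remains per line.
    findings=$(
        sed -n 's/^[^#]*NOPASSWD:[[:space:]]*//p' "$1" |
        tr ',' '\n' | awk 'NF { print $1 }' |
        while read -r cmd; do
            case $cmd in
                /*) check_path "$cmd" "$trusted" || :
                    check_path "$(dirname -- "$cmd")" "$trusted" || : ;;
                *)  echo "UNSCOPED $cmd" ;;   # ALL or an alias, not a file path
            esac
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: sudo sh audit.sh /etc/sudoers
if [ "$#" -gt 0 ]; then audit_nopasswd "$@"; fi
```

Scripts created in a home directory as described above are owned by that user, so the check reports them until they are owned by root, not group- or other-writable, and stored in a root-owned directory.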
zenman
August 9, 2017 @ 2:30 am
Hi Blockops, there is an error in the name of the script you created (zennodestart.sh) and permissions in visudo (startfullzennode.sh). They are different.
Rolf
August 9, 2017 @ 8:28 am
Thanks! Just fixed it in the post.
Marvin Nguyen
August 10, 2017 @ 10:51 am
Hi Rolf, I have been following this project for a while and I really like the way the Zen team has been developing the system. Is the secure node ready to be set up and functional yet? I’m about to set up 2,3 secure nodes as a little side project following your tutorial soon.
Hope you had a great day !
Marvin
Rolf
August 11, 2017 @ 3:36 pm
A bunch of us are running Zen testnet for two different things right now:
Node tracking system
TLS development
Hopefully they will both be done and deployed in the next month. So it’s good to get this experience now to be ready to set everything up in the next month.