Protecting a forging node

Overview

We will be setting up a forging node F as well as 2 trusted nodes Nx. F will only ever be connected to Nx, and not accepting connections from any IP address. We will then enforce this unidirectional communication with trusted nodes only by setting up firewalling rules on the forging node.

There is no requirement to have a specific number of trusted nodes however, it is recommended to have no less than 2 for resiliency.
Trusted nodes architecture

trusted nodes architecture

Setup

The trusted nodes should be spread across service providers and geographically to prevent concurrent outages. If all trusted nodes become unreachable at the same time then the forging node cannot operate.

All 3 nodes are installed on Ubuntu 20.04 LTS (Long Term Support), according to:

We will assume our forging node has the following example IPv4 (Internet Protocol Version 4), address: 192.0.0.1. We will additionally assume that our trusted nodes have the following IPv4 addresses:

  • 198.51.100.1

  • 203.0.113.1

All nodes are assumed to listen to port 4000.

Trusted nodes configuration
{
  network: {
    whitelistedPeers: [{
      // this is our forging node
      ip: "192.0.0.1",
      port: 4000
    }],
}
Forging node configuration
{
  // ... (other config options)
  network: {
    // Limit the maximum number of outbound connections to 2, the number of the trusted nodes
    maxOutboundConnections: 2,
    // Disallow inbound connections
    maxInboundConnections: 0,
    // Do not advertise our IPv4
    advertiseAddress: false,
    // Do not connect to any seed peer (the trusted nodes will be used, see below)
    seedPeers: [],
    // Those are our trusted nodes
    fixedPeers: [
      {
        ip: "198.51.100.1",
        port: 4000
      },
      {
        ip: "203.0.113.1",
       port: 4000
      }
    ]
  },
  // ... (other config options)
}

Firewalling

It is recommended to only allow incoming SSH (tcp/22) connections on the forging node. UFW (Uncomplicated Firewall), is included by default on Ubuntu and can be used to that purpose. An alternative example using firehol can also be found below.

UFW example

To activate the UFW firewall with the desired configurations, run the following commands:

UFW example
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
sudo ufw status verbose

The last commands output should be similar to the following shown below:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere

Refer to https://ubuntu.com/server/docs/security-firewall for more information.

firehol example

sudo apt-get --assume-yes install firehol (1)
sudo vim /etc/firehol/firehol.conf (2)
1 Installs firehol.
2 Opens the firehol config file.

Paste the following contents into the firehol config file:

Sample /etc/firehol/firehol.conf
interface eth0 wan
  policy drop
  server icmp accept
  server ssh accept
  client all accept

Press Esc + : w q + Enter to save the file and quit.

Now run the following commands:

sudo firehol try (1)
sudo sed -i 's/^START_FIREHOL=.*$/START_FIREHOL=yes/' /etc/default/firehol (2)
1 Checks the configuration and then activates the firewall. This commands will ask for confirmation as a fail-safe, and will reverse all changes if none is given after 30 seconds.
2 Sets START_FIREHOL=yes in /etc/default/firehol which will start the firewall automatically at the boot time.

Refer to https://firehol.org/ for more information.