Node Hardening

From PlebNet Wiki
Revision as of 20:57, 2 October 2021 by FuzzyBot (talk | contribs) (Updating to match new version of source page)

Your Lightning node stores your private keys, so it is a good idea to keep it as secure as possible. This is a big topic and the following list of suggested actions is by no means exhaustive.

Local Hardening

General common sense

In most cases, your Lightning node will be running on some sort of Linux distribution and SSH is most likely the way you access that node. Make sure that your user password is strong and unique.

DO NOT SHARE SCREENSHOTS WITH QR CODES OR YOUR TOR ADDRESS.

DO NOT SHARE YOUR WALLET ACCESS QR CODES.

DO NOT SHARE ANYTHING WHICH CAN ALLOW ACCESS TO YOUR NODE (QR CODE/TOR ADDRESS).


SSH Keys

It's advised to disable password authentication over SSH and use SSH keys instead. To do so, first generate your SSH key pair on the machine you connect from (not on the Lightning node itself).

ssh-keygen -t ed25519 -C "$(whoami)@$(uname -n)-$(date -I)"

Next, copy the public key to the Lightning node system.

ssh-copy-id user@<ip of lightning node host>

Then check that you can access your node over SSH using those keys. When authenticating over SSH the system should use your keys and not prompt you for the user password.

Once that's done, disable password login over SSH entirely by editing

/etc/ssh/sshd_config

and setting

PasswordAuthentication no

and restart the ssh service.
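A typo in sshd_config, or disabling password login before key login actually works, can lock you out of the node, so the steps above are worth scripting with a check in between. The following is an added example, not code from the PlebNet wiki: set_sshd_option edits a copy of the config (the copy's path, e.g. /tmp/sshd_config.new, is your choice), and install_sshd_config installs that copy only after sshd -t accepts it.

```shell
#!/bin/sh
# Added example (not from the PlebNet wiki): change sshd_config on a copy,
# check the copy with sshd -t, and only then install it and restart sshd.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites FILE so its global section has exactly one active "KEY VALUE" line:
# an active or commented-out KEY line is replaced, repeats are dropped, and a
# missing KEY is inserted before the first "Match" block (a line appended after
# "Match" would only apply inside that block). Match blocks are left untouched.
set_sshd_option() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { done = 0; in_match = 0 }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      commented = (substr(line, 1, 1) == "#")
      sub(/^#[ \t]*/, "", line)
      split(line, f, /[ \t]+/)
      name = tolower(f[1])
      if (!commented && name == "match") {       # global section ends here
        if (!done) { print key " " value; done = 1 }
        in_match = 1
      }
      if (!in_match && name == tolower(key)) {   # replace first hit, drop repeats
        if (!done) { print key " " value; done = 1 }
        next
      }
      print
    }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# install_sshd_config NEW [TARGET]: refuse to install a file sshd rejects.
# Run as root; afterwards restart the ssh service, keep the current session
# open, and confirm a fresh key-based login works before logging out.
install_sshd_config() {
  new=$1 target=${2:-/etc/ssh/sshd_config}
  sshd -t -f "$new" || { echo "sshd -t rejected $new, not installing" >&2; return 1; }
  install -m 600 "$new" "$target"
}
```

Typical use: `cp /etc/ssh/sshd_config /tmp/sshd_config.new`, then `set_sshd_option /tmp/sshd_config.new PasswordAuthentication no`, then `sudo install_sshd_config /tmp/sshd_config.new` (the function is a shell function, so source the script first).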


Reduce local attack surface

Umbrel allows you to install a bunch of different apps, some not being Bitcoin or Lightning related at all, such as Nextcloud. By doing so, especially if you're exposing the application publicly, you increase the attack surface of your node system. If someone were to exploit a vulnerability in an exposed service or application, the attacker could potentially retrieve the keys stored on the system and steal your funds. In other words, a Lightning node should be dedicated to that task and not be used for a plethora of other things.

Network hardening

Most, if not all, of us are running our nodes on our home network, alongside a large number of other devices, including smartphones, computers and IoT devices. You might want to consider isolating your node from the rest of the clients on the network and controlling access through firewall rules.

If your network equipment supports VLANs, you have a great tool to tighten up your network security. You could create a separate VLAN for your Lightning node and only allow it to communicate out on the required ports. If you do the same with your various other network client types, you end up with a nicely segmented network where you can easily control who can access what and how.