Welcome to the Server Security Guide. This comprehensive guide will help you secure your validator node and maintain high security standards in the Cosmos ecosystem.
- Quick Start
- Initial Server Setup
- SSH Security
- Firewall Configuration
- Fail2ban Setup
- System Hardening
- Monitoring
- Troubleshooting
## Quick Start

- ✅ Create non-root user
- ✅ Configure SSH key authentication
- ✅ Disable password authentication
- ✅ Set up UFW firewall
- ✅ Install and configure Fail2ban
- ✅ Regular security updates
- ✅ Enable system monitoring

## Initial Server Setup

```bash
# Add new user
sudo adduser val

# Add to sudo group
sudo usermod -aG sudo val

# Switch to new user
su - val

# Update package list
sudo apt update

# Upgrade all packages
sudo apt upgrade -y

# Install essential security tools
sudo apt install ufw fail2ban unattended-upgrades
```
## SSH Security

```bash
# Generate Ed25519 key (more secure than RSA)
ssh-keygen -t ed25519 -C "validator@cosmos"

# Copy key to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub val@SERVER_IP
```

Edit `/etc/ssh/sshd_config`:

```
# Disable root login
PermitRootLogin no

# Disable password authentication
PasswordAuthentication no

# Allow only the validator user created in Initial Server Setup
AllowUsers val

# SSH protocol 1 no longer exists; current OpenSSH ignores this line, so it may be omitted
Protocol 2

# Set stricter security options
MaxAuthTries 3
PubkeyAuthentication yes
AuthenticationMethods publickey
```

Restart the SSH service (keep your current session open until a fresh key-based login succeeds, so a typo cannot lock you out):

```bash
sudo systemctl restart sshd
```
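As an added check that is not part of the original guide, this POSIX shell function compares the effective settings reported by `sudo sshd -T` against the hardened values above and counts the drift; the `sshd -T` output it ships with is a constructed sample, and the expected `AllowUsers` value `val` is the user created in Initial Server Setup.

```shell
# check_sshd_config reads `sshd -T` output (the effective, lower-cased settings)
# on stdin, reports every setting that differs from this guide's hardened values,
# and returns the number of drifted settings (0 means the host matches the guide).
check_sshd_config() {
  cfg=$(cat)            # capture stdin once so it can be scanned per setting
  failures=0
  for expect in \
      "permitrootlogin no" \
      "passwordauthentication no" \
      "pubkeyauthentication yes" \
      "authenticationmethods publickey" \
      "maxauthtries 3" \
      "allowusers val"; do
    key=${expect%% *}
    want=${expect#* }
    # first line whose keyword matches; drop the keyword and print the value
    got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { sub(/^[^ ]+ +/, ""); print; exit }')
    if [ "$got" != "$want" ]; then
      printf 'DRIFT: %s is "%s", guide expects "%s"\n' "$key" "${got:-<unset>}" "$want"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Constructed sample of `sshd -T` output for a host configured per this guide.
SAMPLE_SSHD_T='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
authenticationmethods publickey
maxauthtries 3
allowusers val'

# On a real host: sudo sshd -T | check_sshd_config
# Demo on the constructed sample (prints nothing, exit status 0):
printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_config
```

A non-zero exit status makes the function usable from cron or a monitoring check so that configuration drift on the validator shows up as an alert.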
## Firewall Configuration

```bash
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH with rate limiting (use your custom port if you changed it).
# UFW rules are first-match, so use `limit` here rather than a plain `allow`
# followed by a later `limit`, which would never be reached.
sudo ufw limit 22/tcp

# Allow validator ports (example for Cosmos)
sudo ufw allow 26656/tcp # P2P
# RPC (26657): do not open it to everyone; allow it only from trusted IPs (rule below)
sudo ufw allow 26660/tcp # Prometheus metrics; only needed if a remote scraper reads them

# Enable firewall
sudo ufw enable

# Allow RPC only from specific trusted IP addresses
sudo ufw allow from TRUSTED_IP to any port 26657 proto tcp

# Logging
sudo ufw logging on
```
## Fail2ban Setup

Create `/etc/fail2ban/jail.local`:

```ini
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
```

Create `/etc/fail2ban/filter.d/cosmos-dos.conf`:

```ini
[Definition]
failregex = ^ Blacklisted IP tried to connect: <HOST>
ignoreregex =
```

A filter only takes effect once a jail references it: add a `[cosmos-dos]` jail to `jail.local` with `filter = cosmos-dos` and the `logpath` of the log file that carries this message (the path is not given on this page and depends on your node setup). Then restart Fail2ban:

```bash
sudo systemctl restart fail2ban
```
## System Hardening

Add to `/etc/fstab`:

```
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
```

Edit `/etc/security/limits.conf`:

```
* soft nofile 65535
* hard nofile 65535
```

Edit `/etc/sysctl.conf`:

```
# Network security (rp_filter drops packets with spoofed source addresses)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore ICMP redirects so a neighbour cannot rewrite the routing table
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
```

Load the new settings:

```bash
sudo sysctl -p
```
## Monitoring

```bash
# Install monitoring tools
sudo apt install htop iftop nethogs tmux
```

Set up Prometheus metrics. The fragment below is reproduced as given on this page; keep the listener on `127.0.0.1` unless a remote scraper needs it, and note that a Cosmos SDK node itself enables metrics in `config.toml` under `[instrumentation]` (`prometheus = true` and `prometheus_listen_addr`):

```yaml
cosmos_exporter:
  enabled: true
  listen_addr: "127.0.0.1:26660"
```

Configure logrotate:

```bash
sudo nano /etc/logrotate.d/cosmos
```

```
/var/log/cosmos/*.log {
    daily
    rotate 14
    compress
    delaycompress
    notifempty
    create 0640 cosmos cosmos
    sharedscripts
    postrotate
        # "cosmos" is the systemd unit name assumed here; use your node's unit name
        systemctl reload cosmos > /dev/null 2>&1 || true
    endscript
}
```
## Troubleshooting

- Check SSH key permissions:

  ```bash
  chmod 600 ~/.ssh/id_ed25519
  chmod 644 ~/.ssh/id_ed25519.pub
  ```

- Verify the effective SSH configuration:

  ```bash
  sudo sshd -T
  ```

- Check UFW status:

  ```bash
  sudo ufw status verbose
  ```

- Review logs:

  ```bash
  sudo tail -f /var/log/ufw.log
  ```

- Check banned IPs:

  ```bash
  sudo fail2ban-client status sshd
  ```

- Unban an IP:

  ```bash
  sudo fail2ban-client set sshd unbanip IP_ADDRESS
  ```
### Maintenance Checklist

- ✅ Update systems weekly
- ✅ Review logs daily
- ✅ Backup configuration files
- ✅ Test security measures
- ✅ Monitor system resources
- ✅ Rotate access credentials

### Routine Checks

- Check for unauthorized access
- Review system logs
- Monitor resource usage
- Verify network connections
- Test backup procedures

### If You Suspect a Compromise

- Isolate the server. UFW has no `deny all incoming` rule; insert a catch-all deny at the top of the rule list, preceded by an allow for your own management address so you keep out-of-band access:

  ```bash
  sudo ufw insert 1 allow from ADMIN_IP to any port 22 proto tcp
  sudo ufw insert 2 deny in from any to any
  ```

- Preserve evidence (`cp -a` keeps subdirectories, ownership and timestamps intact; plain `cp` would skip directories):

  ```bash
  sudo mkdir -p /secure-backup
  sudo cp -a /var/log/. /secure-backup/
  ```

- Contact support

### Contacts

- Security Team: @whtech_support
- Emergency Line: Discord
- Technical Support: @whtech_support
- Community: Telegram
- Documentation: Website
Maintained by Quasar - Securing the Cosmos Ecosystem