In this guide I will walk you through some very easy steps to improve the security of your virtual private server at Vultr. This could also be applied to other services, but Vultr is our example in this guide.
The reason you want to do a few extra steps is to reduce the chances your node will get knocked offline — if it’s offline for an hour you will lose your place in the queue for SmartNode rewards and when you come back online you will be back at the bottom of the list. This costs you SMART so it’s worth taking a few moments to improve the security.
If you still need to create a Vultr SmartCash SmartNode you can use our guide on how to quickly set up a SmartNode with Vultr. You will need a Vultr account, my referral link is this: https://www.vultr.com/?ref=7295941. Do that first and then come back to this guide.
Here’s what this guide will show how to do:
- Add a Firewall to Vultr to block all traffic except the SmartNode port (increases reliability and security)
- Add two-factor authentication to require a code to log in to Vultr (increases security)
The result of this hardening is that your server will only receive traffic on the SmartNode network port, 9678. This will reduce the CPU load and the risk of a successful attack on your server. This also means the ONLY way you will be able to log in to your server is through the Vultr console, because we are entirely disabling SSH logins. Going forward, if you need to do anything, you will need to use “View Console”, which connects to your server directly without using SSH. To do that you need to log into Vultr with your 2FA code, which is pretty good security.
So let’s get started!
Go to the firewall section of Vultr: https://my.vultr.com/firewall/ and click “add firewall group”.
Name it “SmartNodes Only” so you remember what the group is. Then click “add firewall group”.
Next we are at the screen where we can add the rules. We are going to add one rule to allow SmartNode traffic and another to block (drop) everything else.
Now in the “inbound IPv4 rules” section type 9678 in the Port field. Leave everything else the same and then click the + sign at the right to add the firewall rule. That adds the SmartNode port.
Once you click the +, it will look as below. That first line is not active yet, which is fine; we don’t need SSH because we can connect through “View Console” in Vultr. The last line shows it drops all other TCP traffic. Great! You’re done with this page.
We don’t need to do IPv6 rules because we didn’t set up our VPS with that enabled.
Now go to your Server Settings page for your node (or nodes) by going to here: https://my.vultr.com/. On the row with your server click on the dots to the right of “Running” to bring up a menu then click on “Server Details”.
On this page click on Settings, then click on Firewall. You will see a dropdown. Select the firewall group that you created, called “SmartNodes Only”. Click Update Firewall Group and you’re done. The Vultr firewall is configured: it will protect your server from unwanted traffic and only allow in the SmartNode traffic on port 9678.
Next, let’s make sure our Vultr account is more secure. Right now it has just a password but it’s better to require a token each time we log in. You can use Google Authenticator for that on your phone.
Go to this page, https://my.vultr.com/settings/#settingsauthentication, and click “Manage Two Factor Auth”.
Because this can vary by device I’ll leave it to you to configure this according to your setup. You can install “Google Authenticator” on your phone and use it to scan the QR code on the website. Then your phone app will generate codes each time you log in. When you set it up, make sure you keep a printed copy of the special keys used so you can remove it if you ever lose your phone. Vultr provides additional docs on how to enable 2FA here: https://www.vultr.com/docs/using-two-factor-authentication-to-login-to-vultr-control-panel
Now you’re configured with an extra firewall and 2fa! That’s a great start. Make sure your desktop wallet.dat file is encrypted and securely backed up, and NEVER GIVE YOUR PRIVATE KEY TO ANYONE, INCLUDING MODERATORS OR SUPPORT! Treat it like cash.