Configure Server
We recommend the following steps to configure your server with sensible system and security defaults. We currently provide a guide for Ubuntu users, but the principles extend to whichever OS you intend to use.
Update Server
Update Ubuntu with the latest software and security updates.
$ sudo apt -y update && sudo apt -y upgrade
$ sudo apt dist-upgrade && sudo apt autoremove
$ sudo reboot
Configure Timekeeping
Consensus Layer clients are very sensitive to time, and require accurate timekeeping for proper synchronization with the blockchain network.
For Ubuntu machines, we recommend using the NTP service, which helps ensure system time is synchronized.
## Check time and date
$ timedatectl
## Setup NTP service
$ sudo timedatectl set-ntp on
Some users recommend using Chrony as an alternative method of configuring NTP.
Create JWT
The HTTP connection between your beacon node and execution node needs to be authenticated using a JWT token.
Use a utility like OpenSSL to create the token via command:
openssl rand -hex 32 | tr -d "\n" > "./jwtsecret/jwt.hex"
Other ways to generate the jwt.hex file:
- Use an execution or consensus client to generate the ./jwtsecret/jwt.hex file (check their documentation).
- Use an online generator like this. Copy and paste this value into a ./jwtsecret/jwt.hex file.
For options (1) and (3), create the file by running:
echo 'PLACE_HERE_YOUR_TOKEN' > ./jwtsecret/jwt.hex
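As an added example (not part of this guide or any client's own tooling), the two shell functions below create the secret the same way as the openssl command above, but first create the ./jwtsecret directory, write the file with owner-only permissions, and verify that the result is exactly 64 hex characters with no trailing newline, which is what both clients expect when they authenticate the Engine API connection. The directory path and function names are assumptions.

```shell
#!/bin/sh
# Added example: create and validate the JWT secret shared by the
# beacon node and the execution client. Paths are parameters (assumed).

# Return 0 only if the file holds exactly 64 hex digits (32 bytes).
# A stray newline, a short value or non-hex characters all make the
# client reject the secret, so check before pointing the clients at it.
check_jwt_secret() {
  file="$1"
  [ -f "$file" ] || return 1
  # wc -c counts bytes, so 64 means no trailing newline slipped in
  [ "$(wc -c < "$file" | tr -d ' ')" -eq 64 ] || return 1
  grep -Eq '^[0-9a-fA-F]{64}$' "$file" || return 1
  return 0
}

# Generate 32 random bytes as 64 hex characters with no trailing newline
# and write them to $1/jwt.hex, creating the directory if needed.
# The subshell umask makes the file 0600 from the moment it is created,
# since the secret is a credential shared only by the two clients.
create_jwt_secret() {
  dir="$1"
  mkdir -p "$dir" || return 1
  if command -v openssl >/dev/null 2>&1; then
    (umask 077; openssl rand -hex 32 | tr -d '\n' > "$dir/jwt.hex") || return 1
  else
    # Fallback when openssl is absent: hex-encode 32 bytes from /dev/urandom
    (umask 077; head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n' > "$dir/jwt.hex") || return 1
  fi
  check_jwt_secret "$dir/jwt.hex"
}
```

Run `create_jwt_secret ./jwtsecret` once; both clients are then pointed at ./jwtsecret/jwt.hex, and `check_jwt_secret ./jwtsecret/jwt.hex` can be reused to confirm a file produced by one of the other methods.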
Set up Networking
Ubuntu ships with the ufw firewall, which helps prevent unwanted connections to your server. Because your server is connected to the public internet, this is very important: adversaries will port scan it for vulnerabilities.
Install UFW
Ubuntu should have ufw installed already; otherwise you can install it.
$ sudo apt install ufw
Apply UFW Defaults
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
(Optional) Deny or Allow SSH
If you are hosting your node locally (i.e. homestaker), we highly recommend you deny the SSH Port 22, which is a very common attack vector.
If you are hosting your node in the cloud, you will need to allow the SSH Port 22 to connect to your machine. Make sure to allow
## Deny SSH
$ sudo ufw deny 22/tcp
## Allow SSH
$ sudo ufw allow 22/tcp
Allow Execution Client Port 30303
The Execution Client uses port 30303 to communicate with Execution Layer network peers.
$ sudo ufw allow 30303
Allow Consensus Client port 9000
Most Consensus Layer Clients use port 9000 to communicate with the Consensus Layer network peers, with the exception of Prysm, which uses ports 13000/TCP and 12000/UDP instead.
## Lighthouse, Nimbus, Teku, Lodestar
$ sudo ufw allow 9000
## Prysm
$ sudo ufw allow 13000/tcp
$ sudo ufw allow 12000/udp
Enable Firewall
$ sudo ufw enable
$ sudo ufw status numbered
Advanced
Increasing Swap Space
Gnosis clients (e.g. Erigon) tend to use large amounts of memory when syncing or running, which may lead to out-of-memory errors. Advanced users can consider allocating swap space, which allows the system to store in-memory data on their hard drives.