We recommend the following steps to configure your server with sensible system and security defaults. We currently provide a guide for Ubuntu users, but the principles extend to whichever OS you intend to use.
Update Ubuntu with the latest software and security updates.
$ sudo apt -y update && sudo apt -y upgrade
$ sudo apt dist-upgrade && sudo apt autoremove
$ sudo reboot
Consensus Layer clients are very sensitive to time, and require accurate timekeeping for proper synchronization with the blockchain network.
For Ubuntu machines, we recommend using the NTP service, which helps ensure system time is synchronized.
## Check time and date
## Setup NTP service
$ sudo timedatectl set-ntp on
The HTTP connection between your beacon node and execution node is authenticated with JWTs signed by a shared secret that both clients read from a file.
Use a utility like OpenSSL to create the secret via command:
openssl rand -hex 32 | tr -d "\n" > "./jwtsecret/jwt.hex"
Other ways to generate the
1. Use the auto-generated random one below (regenerate), and place it into the
2. Use an execution or consensus client to generate the ./jwtsecret/jwt.hex file (check their documentation).
3. Use an online generator like this. Copy and paste this value into a
For options (1) and (3), create the file by running:
echo 'PLACE_HERE_YOUR_TOKEN' > ./jwtsecret/jwt.hex
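As an added example (not part of the original guide), the script below wraps the openssl command above so that the secret is written with owner-only permissions and is checked to be exactly 32 bytes of hex before use; the default path ./jwtsecret/jwt.hex is the one used above, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: generate and validate the shared JWT secret used between
# the beacon node and the execution node. Assumes openssl is installed.

# Return 0 if $1 holds a valid secret: 64 hex characters (32 bytes),
# an optional 0x prefix and surrounding whitespace are tolerated.
validate_jwt_secret() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    secret=$(tr -d '[:space:]' < "$file")
    secret=${secret#0x}
    case "$secret" in
        *[!0-9a-fA-F]*) echo "non-hex characters in $file" >&2; return 1 ;;
    esac
    [ "${#secret}" -eq 64 ] || { echo "expected 64 hex chars, got ${#secret}" >&2; return 1; }
    return 0
}

# Write a fresh secret to $1 (default ./jwtsecret/jwt.hex). The directory
# and file are created under umask 077, so the secret is never readable by
# other local users, not even briefly. An existing file is never overwritten,
# because both clients must keep reading the same value.
generate_jwt_secret() {
    file="${1:-./jwtsecret/jwt.hex}"
    dir=$(dirname "$file")
    if [ -e "$file" ]; then
        echo "refusing to overwrite existing $file" >&2
        return 1
    fi
    (
        umask 077
        mkdir -p "$dir"
        openssl rand -hex 32 | tr -d '\n' > "$file"
    ) || return 1
    validate_jwt_secret "$file"
}

# Usage (uncomment to run):
# generate_jwt_secret ./jwtsecret/jwt.hex && echo "secret ready"
```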
Set up Networking
Ubuntu ships with a ufw firewall that helps prevent unwanted connections to your server. As your server is connected to the public internet, this is very important as there will be adversaries that will port scan for vulnerabilities.
Ubuntu should have ufw installed; otherwise you can install it:
$ sudo apt install ufw
Apply UFW Defaults
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
(Optional) Deny or Allow SSH
If you are hosting your node locally (i.e. homestaker), we highly recommend you deny the SSH Port 22, which is a very common attack vector.
If you are hosting your node in the cloud, you will need to allow the SSH Port 22 to connect to your machine. Make sure to allow
## Deny SSH
$ sudo ufw deny 22/tcp
## Allow SSH
$ sudo ufw allow 22/tcp
Allow Execution Client Port 30303
The Execution Client uses port 30303 to communicate with Execution Layer network peers.
$ sudo ufw allow 30303
Allow Consensus Client port 9000
Most Consensus Layer Clients use port 9000 to communicate with the Consensus Layer network peers, with the exception of Prysm, which uses ports
## Lighthouse, Nimbus, Teku, Lodestar
$ sudo ufw allow 9000
## Prysm
$ sudo ufw allow 13000/tcp
$ sudo ufw allow 12000/udp
$ sudo ufw enable
$ sudo ufw status numbered
Increasing Swap Space
Gnosis clients (e.g. Erigon) tend to use large amounts of memory when syncing or running, which may lead to out-of-memory errors. Advanced users can consider allocating swap space, which lets the system move in-memory data to disk when RAM runs low.