Skip to main content

Configure Server

We recommend the following steps to configure your server with sensible system and security defaults. We currently provide a guide for Ubuntu users, but the principles extend to whichever OS you intend to use.

Configure Server

Update Server

Update Ubuntu with the latest software and security updates.

$ sudo apt -y update && sudo apt -y upgrade
$ sudo apt dist-upgrade && sudo apt autoremove
$ sudo reboot

Configure Timekeeping

Consensus Layer clients are very sensitive to time, and require accurate timekeeping for proper synchronization with the blockchain network.

For Ubuntu machines, we recommend using the NTP service, which helps ensure system time is synchronized.

## Check time and date
$ timedatectl

## Setup NTP service
$ sudo timedatectl set-ntp on

Some users recommend using Chrony as a method of configuring NTP

Create JWT

The HTTP connection between your beacon node and execution node needs to be authenticated using a JWT token.

Use a utility like OpenSSL to create the token via command:

openssl rand -hex 32 | tr -d "\n" > "./jwtsecret/jwt.hex"
Other ways to generate the jwt.hex file
  1. Use the auto-generated random one below (regenerate), and place it into the ./jwtsecret/jwt.hex file:
  1. Use an execution or consensus client to generate the ./jwtsecret/jwt.hex file (check their documentation).
  2. Use an online generator like this. Copy and paste this value into a ./jwtsecret/jwt.hex file.

For options (1) and (3), create the file by running:

echo 'PLACE_HERE_YOUR_TOKEN' > ./jwtsecret/jwt.hex

Set up Networking

Ubuntu ships with a ufw firewall that helps prevent unwanted connections to your server. As your server is connected to the public internet, this is very important as there will be adversaries that will port scan for vulnerabilities.

Install UFW

Ubuntu should have ufw installed, otherwise you can install it.

$ sudo apt install ufw

Apply UFW Defaults

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

(Optional) Deny or Allow SSH

If you are hosting your node locally (i.e. homestaker), we highly recommend you deny the SSH Port 22, which is a very common attack vector.

If you are hosting your node in the cloud, you will need to allow the SSH Port 22 to connect to your machine. Make sure to allow

## Deny SSH
$ sudo ufw deny 22/tcp

## Allow SSH
$ sudo ufw allow 22/tcp

Allow Execution Client Port 30303

The Execution Client uses port 30303 to communicate with Execution Layer network peers.

$ sudo ufw allow 30303

Allow Consensus Client port 9000

Most Consensus Layer Clients use port 9000 to communicate with the Consensus Layer network peers, with the exception of Prysm, which uses ports 13000/TCP and 12000/UDP instead.

## Lighthouse, Nimbus, Teku, Lodestar
$ sudo ufw allow 9000

## Prysm
$ sudo ufw allow 13000/tcp
$ sudo ufw allow 12000/udp

Enable Firewall

$ sudo ufw enable
$ sudo ufw status numbered


Increasing Swap Space

Gnosis clients (e.g. Erigon) tend to use large amounts of memory when syncing or running, which may lead to out-of-memory errors. Advanced users can consider allocating swap space, which allows the system to store in-memory data on their hard drives.