🔒 Security Best Practices

This guide provides security guidelines and best practices for validators on the Galactica Network. Validators play a crucial role in securing the network and maintaining its integrity. It is essential to follow these guidelines to ensure the security of your node and the network.

To ensure the security of your node on the Galactica Network, configuring a firewall is a critical step. Here's a guide on setting up ufw (Uncomplicated Firewall) to protect your server while allowing necessary traffic for your node operations.

User Management

When a server is first provisioned, you are usually given access as the root user, which has unrestricted privileges on the machine. When operating a node, it is recommended not to run it as root.

Create a New User

To create a new user, you can use the following command:

sudo adduser galactica

Here, galactica is the username of the new user. You will be prompted to set a password and additional information for the new user.

Grant Sudo Privileges

To grant sudo privileges to the new user, you can add the user to the sudo group:

sudo usermod -aG sudo galactica

This command adds the user galactica to the sudo group, allowing them to run commands with elevated privileges.

From now on, log in to the server as this non-root user instead of root.

Server Timezone

🚨 DANGER: Having a different timezone configuration may cause a LastResultsHash mismatch error. This will take down your node!

It's crucial to set your server's timezone to UTC to avoid potential issues with your node. You can check and set the timezone using the following commands:

# Check the current timezone
timedatectl

# Set the timezone to UTC
sudo timedatectl set-timezone UTC

Firewall

Nodes should not have all ports open to the public; that is a simple way to get DDoSed. CometBFT also recommends never exposing ports that are not required to operate a node.

When setting up a firewall, there are only a few ports that may need to be open on a Galactica Network node: the CometBFT JSON-RPC, Prometheus and p2p ports, the Cosmos SDK gRPC and REST ports, and the EVM RPC and WS ports.

Installing UFW

Most, if not all, servers come with ufw preinstalled, and ufw is what this tutorial uses.

First, you need to install ufw on your server. If it's not already installed, you can do so by running:

sudo apt-get update
sudo apt-get install ufw

Configuring UFW

Before enabling ufw, it's crucial to allow SSH connections to prevent locking yourself out of the server. By default, SSH uses port 22; if your sshd listens on a different port, allow that port instead:

sudo ufw allow ssh

or

sudo ufw allow 22

Set the default policies so that all incoming connections are denied and all outgoing connections are allowed:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Whitelisting Necessary Ports

For your node to function correctly on the Galactica Network, certain ports need to be open. These ports may vary depending on the specific requirements of the Galactica Network and the roles your node serves (e.g., validator, full node). Here's how to allow traffic on these ports:

# Replace [port_number] with the actual port number you need to open
sudo ufw allow [port_number]

Allow port 26656 (the CometBFT p2p port). If the node is configured with a different p2p port, allow that port instead.

sudo ufw allow 26656/tcp

If the node being set up should expose CometBFT's JSON-RPC and the Cosmos SDK gRPC and REST endpoints, allow the corresponding ports as well. This step is optional; a validator that serves no public API does not need any of them:

  • RPC: 26657/tcp
  • LCD (Light Client Daemon API): 1317/tcp
  • gRPC: 9090/tcp
  • EVM RPC: 8545/tcp
  • EVM WS: 8546/tcp
  • Prometheus: 26660/tcp

Enabling UFW

After configuring the rules, enable ufw to start protecting your server:

sudo ufw enable

You'll be asked to confirm the operation. Type y and press Enter to proceed.

Checking UFW Status

To verify your ufw configuration and ensure the correct rules are in place, use:

sudo ufw status

This command will list all active rules, allowing you to review which ports are open and which traffic is allowed.
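The firewall steps above, from the default policies through whitelisting to checking the status, can be wrapped in a small POSIX shell script. The following is an added example and not part of the Galactica Network documentation: `expected_rules` prints the ufw commands for a node role, and `audit_status` reads `ufw status` output and reports any ALLOW rule whose port is not in that role's allowlist, or a firewall that is not active. The role names "validator" (SSH and p2p only) and "public" (plus the optional endpoints listed above) are assumptions made here, as are the SSH port 22 and p2p port 26656 defaults, which can be overridden via the environment. The sample status listing at the bottom is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the Galactica Network docs: builds the ufw rule
# set for a node role and audits an existing `ufw status` listing against it.
# Assumptions: SSH on port 22 and p2p on 26656 unless overridden via the
# environment; the role names "validator" and "public" are made up here.

SSH_PORT="${SSH_PORT:-22}"
P2P_PORT="${P2P_PORT:-26656}"
# Optional endpoints from the page: RPC, LCD, gRPC, EVM RPC, EVM WS, Prometheus.
PUBLIC_PORTS="26657 1317 9090 8545 8546 26660"

# allowed_ports ROLE -> space-separated ports that may be open for that role.
allowed_ports() {
  if [ "$1" = "public" ]; then
    echo "$SSH_PORT $P2P_PORT $PUBLIC_PORTS"
  else
    echo "$SSH_PORT $P2P_PORT"
  fi
}

# expected_rules ROLE -> the ufw commands to run (review them, then run with sudo).
# Default policies come first; SSH is allowed before anything else so that
# enabling the firewall afterwards cannot lock you out.
expected_rules() {
  printf 'ufw default deny incoming\n'
  printf 'ufw default allow outgoing\n'
  for p in $(allowed_ports "$1"); do
    printf 'ufw allow %s/tcp\n' "$p"
  done
}

# audit_status ROLE < ufw-status-output
# Prints every ALLOW rule whose port is outside the role's allowlist and
# returns 1 if any was found or if the firewall is not active.
audit_status() {
  allow=" $(allowed_ports "$1") "
  active=0
  bad=0
  while IFS= read -r line; do
    case "$line" in
      "Status: active"*) active=1; continue ;;
      *ALLOW*) ;;          # only ALLOW rules expose something
      *) continue ;;
    esac
    port="${line%%/*}"   # "26656/tcp (v6)  ALLOW ..." -> "26656"
    port="${port%% *}"   # "22  ALLOW ..." (no protocol) -> "22"
    case "$allow" in
      *" $port "*) ;;
      *) printf 'unexpected open port: %s\n' "$line"; bad=1 ;;
    esac
  done
  if [ "$active" -eq 0 ]; then
    echo "firewall is not active"
    bad=1
  fi
  return "$bad"
}

# Constructed sample of `sudo ufw status` output (not captured from a real
# host): a validator that has also opened the CometBFT RPC port.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
26656/tcp                  ALLOW       Anywhere
26657/tcp                  ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
26656/tcp (v6)             ALLOW       Anywhere (v6)
26657/tcp (v6)             ALLOW       Anywhere (v6)'

echo "== rules for a validator =="
expected_rules validator
echo "== audit of the sample listing as a validator =="
if printf '%s\n' "$SAMPLE_STATUS" | audit_status validator; then
  echo "only expected ports are open"
else
  echo "close the ports listed above, e.g. sudo ufw delete allow 26657/tcp"
fi
```

On a real host, run `expected_rules validator` (or `public`), review the output, execute those commands with sudo, then `sudo ufw enable` and pipe `sudo ufw status | audit_status validator` to confirm that nothing beyond SSH and p2p is reachable. Because the script only prints commands rather than applying them, a mistaken role or port shows up in the review step instead of in a lost SSH session.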

Conclusion

By following these security guidelines, you can ensure the safety and integrity of your node on the Galactica Network. It's essential to take proactive measures to protect your server and the network from potential threats and vulnerabilities. If you have any questions or need further assistance, feel free to reach out to the Galactica Network community for support.
