Galactica Network Dev Documentation

Security Best Practices

This guide provides security guidelines and best practices for validators on the Galactica Network. Validators play a crucial role in securing the network and maintaining its integrity. It is essential to follow these guidelines to ensure the security of your node and the network.

To ensure the security of your node on the Galactica Network, configuring a firewall is a critical step. Here's a guide on setting up ufw (Uncomplicated Firewall) to protect your server while allowing necessary traffic for your node operations.

User Management

A newly created server is usually set up with root as the login user. This user has heightened privileges on the server. When operating a node, it is recommended not to run your node as the root user.

Create a New User

To create a new user, you can use the following command:

sudo adduser galactica

Here, galactica is the username of the new user. You will be prompted to set a password and additional information for the new user.

Grant Sudo Privileges

To grant sudo privileges to the new user, you can add the user to the sudo group:

sudo usermod -aG sudo galactica

This command adds the user galactica to the sudo group, allowing them to run commands with elevated privileges.

From now on, the non-root user can be used when logging into the server.

Server Timezone

DANGER: Having a different timezone configuration may cause a LastResultsHash mismatch error. This will take down your node!

It's crucial to set your server's timezone to UTC to avoid potential issues with your node. You can check and set the timezone using the following commands:

# Check the current timezone
timedatectl

# Set the timezone to UTC
sudo timedatectl set-timezone UTC

Firewall

When setting up a firewall, there are a few ports that can be open when operating a Galactica Network node: the CometBFT JSON-RPC, Prometheus, and p2p ports, the Cosmos SDK gRPC and REST ports, and the EVM RPC and WS ports.

Installing UFW

First, you need to install ufw on your server. If it's not already installed, you can do so by running:

sudo apt-get update
sudo apt-get install ufw

Configuring UFW

Before enabling ufw, it's crucial to allow SSH connections to prevent locking yourself out of the server. By default, SSH uses port 22:

sudo ufw allow ssh

or

sudo ufw allow 22

Set the ufw defaults to deny all incoming connections and allow outgoing ones:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Whitelisting Necessary Ports

For your node to function correctly on the Galactica Network, certain ports need to be open. These ports may vary depending on the specific requirements of the Galactica Network and the roles your node serves (e.g., validator, full node). Here's how to allow traffic on these ports:

# Replace [port_number] with the actual port number you need to open
sudo ufw allow [port_number]

Allow port 26656 (the CometBFT p2p port). If the node uses a modified p2p port, that port must be used here instead.

sudo ufw allow 26656/tcp

(Optional) If the node being set up should expose CometBFT's JSON-RPC and the Cosmos SDK gRPC and REST endpoints, follow this step and allow the relevant ports:

  • RPC: 26657/tcp
  • LCD (Light Client Daemon API): 1317/tcp
  • GRPC: 9090/tcp
  • EVM RPC: 8545/tcp
  • EVM WS: 8546/tcp
  • Prometheus: 26660/tcp

Enabling UFW

After configuring the rules, enable ufw to start protecting your server:

sudo ufw enable

You'll be asked to confirm the operation. Type y and press Enter to proceed.

Checking UFW Status

To verify your ufw configuration and ensure the correct rules are in place, use:

sudo ufw status

This command will list all active rules, allowing you to review which ports are open and which traffic is allowed.
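
The review described above can be scripted. The following is an added example, not part of the Galactica documentation: it reads ufw status output and compares the allowed ports with the ports named on this page. The function name audit_ufw, the sample output, and the 3306 and 10.0.0.5 values in it are constructed for illustration, and the script assumes rules were added by numeric port or via "ufw allow ssh" as shown above.

```shell
#!/bin/sh
# Added example: audit `ufw status` output against the ports named in this guide.
# On a node: sudo ufw status | audit_ufw
REQUIRED="22 26656"                         # SSH and CometBFT p2p (guide defaults)
OPTIONAL="26657 1317 9090 8545 8546 26660"  # RPC, LCD, gRPC, EVM RPC, EVM WS, Prometheus

audit_ufw() {
    awk -v req="$REQUIRED" -v opt="$OPTIONAL" '
    BEGIN {
        n = split(req, r, " "); for (i = 1; i <= n; i++) required[r[i]] = 1
        n = split(opt, o, " "); for (i = 1; i <= n; i++) optional[o[i]] = 1
    }
    /^Status:/ { if ($2 == "active") active = 1; next }
    # Rule rows look like "26656/tcp  ALLOW  Anywhere"; IPv6 rows insert "(v6)".
    $1 ~ /^[0-9]+(\/(tcp|udp))?$/ {
        a = ($2 == "(v6)") ? 3 : 2
        if ($a != "ALLOW" && $a != "LIMIT") next
        port = $1; sub(/\/.*/, "", port)
        if (port in required) { found[port] = 1; next }
        # Rules limited to a source address are not public exposure.
        if ($(a + 1) != "Anywhere" || seen[port]++) next
        if (port in optional) print "OPTIONAL " port " is public; confirm this is intended"
        else { print "UNEXPECTED " port " is public but not listed in the guide"; bad = 1 }
    }
    END {
        if (!active) { print "INACTIVE ufw is not enabled"; bad = 1 }
        for (p in required) if (!(p in found)) { print "MISSING " p " is not allowed"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample output (not captured from a real node).
SAMPLE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
26657/tcp                  ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
26660/tcp                  ALLOW       10.0.0.5
22/tcp (v6)                ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE" | audit_ufw || echo "audit failed"
```

If the node uses a modified p2p or SSH port, change REQUIRED to match before running the audit.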

Conclusion

By following these security guidelines, you can ensure the safety and integrity of your node on the Galactica Network. It's essential to take proactive measures to protect your server and the network from potential threats and vulnerabilities. If you have any questions or need further assistance, feel free to reach out to the Galactica Network community for support.


Last updated 1 year ago

Nodes should not have all ports open to the public; this is a simple way to get DDoS'd. Secondly, it is recommended by CometBFT to never expose ports that are not required to operate a node.

Most, if not all, servers come equipped with ufw. ufw will be used in this tutorial.