Security Best Practices
This guide provides security guidelines and best practices for validators on the Galactica Network. Validators play a crucial role in securing the network and maintaining its integrity. It is essential to follow these guidelines to ensure the security of your node and the network.
To ensure the security of your node on the Galactica Network, configuring a firewall is a critical step. Here's a guide on setting up ufw (Uncomplicated Firewall) to protect your server while allowing necessary traffic for your node operations.
User Management
When a server is created, it is usually set up with the root user. This user has heightened privileges on the server. When operating a node, it is recommended not to run your node as the root user.
Create a New User
To create a new user, you can use the following command:
Here, galactica is the username of the new user. You will be prompted to set a password and additional information for the new user.
Grant Sudo Privileges
To grant sudo privileges to the new user, you can add the user to the sudo group:
This command adds the user galactica to the sudo group, allowing them to run commands with elevated privileges.
Now when logging into the server, the non-root user can be used.
Server Timezone
DANGER: Having a different timezone configuration may cause a LastResultsHash mismatch error. This will take down your node!
It's crucial to set your server's timezone to UTC to avoid potential issues with your node. You can check and set the timezone using the following commands:
Firewall
Nodes should not have all ports open to the public; this is a simple way to get DDoS'd. CometBFT also recommends never exposing ports that are not required to operate a node.
When setting up a firewall, there are a few ports that can be open when operating a Galactica Network node: the CometBFT JSON-RPC, Prometheus, P2P, Cosmos SDK gRPC and REST, and the EVM RPC and WS ports.
Installing UFW
Most, if not all, servers come equipped with ufw. ufw will be used in this tutorial.
First, you need to install ufw on your server. If it's not already installed, you can do so by running:
Configuring UFW
Before enabling ufw, it's crucial to allow SSH connections to prevent locking yourself out of the server. By default, SSH uses port 22:
or
Reset UFW to disallow all incoming connections and allow outgoing:
Whitelisting Necessary Ports
For your node to function correctly on the Galactica Network, certain ports need to be open. These ports may vary depending on the specific requirements of the Galactica Network and the roles your node serves (e.g., validator, full node). Here's how to allow traffic on these ports:
Allow port 26656 (CometBFT P2P port). If the node has a modified P2P port, then that port must be used here.
(Optional) If the node being set up should expose CometBFT's JSON-RPC and the Cosmos SDK gRPC and REST endpoints, follow this step.
RPC: 26657/tcp
LCD (Light Client Daemon api): 1317/tcp
GRPC: 9090/tcp
EVM RPC: 8545/tcp
EVM WS: 8546/tcp
Prometheus: 26660/tcp
Enabling UFW
After configuring the rules, enable ufw to start protecting your server:
You'll be asked to confirm the operation. Type y and press Enter to proceed.
Checking UFW Status
To verify your ufw configuration and ensure the correct rules are in place, use:
This command will list all active rules, allowing you to review which ports are open and which traffic is allowed.
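The firewall steps above, collected into one script as an added example (not Galactica's own tooling). The function names are hypothetical, the port numbers are the ones listed on this page, and the SSH rule is always emitted before the default-deny policy and the enable step so the session is not locked out.

```shell
#!/bin/sh
# Added example: prints (or applies) the ufw rule set described in this guide.
# Port numbers come from this page; function names are hypothetical.

# Map an optional service name to the port listed in the guide.
service_port() {
    case "$1" in
        rpc)        echo 26657 ;;
        lcd)        echo 1317 ;;
        grpc)       echo 9090 ;;
        evm-rpc)    echo 8545 ;;
        evm-ws)     echo 8546 ;;
        prometheus) echo 26660 ;;
        *)          return 1 ;;
    esac
}

# Accept only decimal ports in 1..65535 (no empty value, no leading zero).
valid_port() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ufw_plan SSH_PORT P2P_PORT [service...]
# Emits the commands in a safe order: SSH first, enable near the end.
ufw_plan() {
    ssh_port=$1; p2p_port=$2; shift 2
    valid_port "$ssh_port" && valid_port "$p2p_port" || return 2
    plan="ufw allow ${ssh_port}/tcp
ufw default deny incoming
ufw default allow outgoing
ufw allow ${p2p_port}/tcp"
    for svc in "$@"; do
        port=$(service_port "$svc") || { echo "unknown service: $svc" >&2; return 3; }
        plan="$plan
ufw allow ${port}/tcp"
    done
    printf '%s\nufw enable\nufw status verbose\n' "$plan"
}

# Dry run by default. With --apply as the first argument, run each command
# with sudo and stop at the first failure, so ufw is never enabled when an
# earlier rule (such as the SSH one) could not be added.
if [ "${1:-}" = "--apply" ]; then
    shift
    ufw_plan "$@" | while read -r cmd; do sudo $cmd </dev/tty || exit 1; done
fi
```

Sourcing the file and calling `ufw_plan 22 26656` prints the minimal validator rule set for review; appending names such as `rpc` or `grpc` adds only those optional ports.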
Conclusion
By following these security guidelines, you can ensure the safety and integrity of your node on the Galactica Network. It's essential to take proactive measures to protect your server and the network from potential threats and vulnerabilities. If you have any questions or need further assistance, feel free to reach out to the Galactica Network community for support.