TL;DR

Ensure your system is up-to-date to protect against known vulnerabilities.

sudo apt update && sudo apt upgrade -y  # Update package lists and upgrade all packages

Create a Dedicated User

Run your blockchain node under a non-root user to minimize security risks.

sudo adduser blockchainuser  # Create a new user named 'blockchainuser'
sudo usermod -aG sudo blockchainuser  # Add 'blockchainuser' to the sudo group

Configure Firewall

Use UFW to allow only necessary ports.

sudo ufw allow 8333/tcp  # Allow Bitcoin node port
sudo ufw allow 22/tcp  # Allow SSH
sudo ufw enable  # Enable UFW

Secure SSH

Edit the SSH configuration to enhance security.

sudo nano /etc/ssh/sshd_config

Change or add the following lines:

PermitRootLogin no  # Disable root login
PasswordAuthentication no  # Disable password authentication
AllowUsers blockchainuser  # Allow only 'blockchainuser'

Restart SSH to apply changes:

sudo systemctl restart ssh

Install Fail2Ban

Protect against brute-force attacks.

sudo apt install fail2ban -y  # Install Fail2Ban

Caution: This command will irreversibly delete all files on your system. Double-check the path before executing.

Warning: Dangerous Commands

Be cautious with the following command as it can remove critical files:

WARNING: rm -rf / will DELETE ALL FILES on your system

This command is DESTRUCTIVE and IRREVERSIBLE. Triple-check the path before executing. Always specify the exact directory path.

## Dangerous: Do not run unless you are sure
rm -rf /var/lib/blockchain  # Remove blockchain data directory

Regular Backups

Automate backups to secure your blockchain data.

crontab -e  # Edit crontab for scheduled tasks

Add the following line to schedule daily backups:

0 2 * * * tar -czf /backups/blockchain-$(date +\%F).tar.gz /var/lib/blockchain

Monitor Logs

Regularly check logs for suspicious activity.

sudo tail -f /var/log/auth.log  # Monitor authentication logs

By following these steps, you can significantly enhance the security of your blockchain node on Debian 13.

Initial System Update and Firewall Configuration

Before configuring your blockchain node, ensure your Debian 13 system is up-to-date. This minimizes vulnerabilities by applying the latest security patches.

sudo apt update && sudo apt upgrade -y  # Update package lists and upgrade all packages
sudo apt autoremove -y                  # Remove unnecessary packages

Configure Uncomplicated Firewall (UFW)

UFW is a user-friendly interface for managing iptables firewall rules. By default, UFW is not installed on Debian 13, so you’ll need to install it first.

sudo apt install ufw -y  # Install UFW

Set Default Policies

Set default policies to deny incoming connections and allow outgoing connections. This ensures that only explicitly allowed connections can reach your server.

sudo ufw default deny incoming   # Deny all incoming connections by default
sudo ufw default allow outgoing  # Allow all outgoing connections by default

Allow SSH Connections

To maintain remote access to your server, allow SSH connections. Replace 22 with your custom SSH port if you have changed it.

sudo ufw allow 22/tcp  # Allow incoming SSH connections on port 22

Allow Blockchain Node Traffic

Identify the specific ports your blockchain node requires and allow them. For example, if your node uses port 8333:

sudo ufw allow 8333/tcp  # Allow incoming connections on port 8333 for blockchain node

Enable UFW

Enable UFW to enforce the configured rules.

Warning: Enabling UFW will apply all rules immediately. Ensure SSH access is allowed to prevent being locked out.

sudo ufw enable  # Enable UFW with the configured rules

Verify UFW Status

Check the status of UFW to confirm that your rules are active.

sudo ufw status verbose  # Display the status and rules of UFW

By following these steps, your Debian 13 server is better protected against unauthorized access, providing a secure foundation for your blockchain node.

User and SSH Hardening

Start by creating a dedicated user for running the blockchain node. This minimizes the risk of system-wide compromise if the node is attacked.

## Create a new user 'blockchain' with no home directory
sudo adduser --system --no-create-home --shell /usr/sbin/nologin blockchain

Ensure that this user has the least privileges necessary to run the node.

SSH Configuration

Secure SSH access to your server by modifying the SSH daemon configuration.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Make the following changes:

## Disable root login for SSH
PermitRootLogin no

## Allow only specific users to connect via SSH
AllowUsers blockchain admin

## Disable password authentication for SSH
PasswordAuthentication no

## Enable public key authentication
PubkeyAuthentication yes

## Change the default SSH port to a non-standard port
Port 2222

After making these changes, restart the SSH service:

sudo systemctl restart ssh

SSH Key Authentication

Generate an SSH key pair on your local machine:

ssh-keygen -t ed25519 -C "[email protected]"

Copy the public key to the server:

ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 blockchain@your-server-ip

Firewall Configuration

Use UFW (Uncomplicated Firewall) to allow only necessary traffic.

## Allow SSH on the new port
sudo ufw allow 2222/tcp

## Enable UFW
sudo ufw enable

## Check UFW status
sudo ufw status

Warning

Be cautious when modifying SSH settings. Always ensure you have an active session open or another way to access the server before restarting the SSH service. Misconfiguration can lock you out of your server.

By following these steps, you significantly reduce the risk of unauthorized access to your blockchain node, ensuring a more secure environment.

Node Software Installation and Configuration

To begin, ensure your package list is up-to-date and install necessary dependencies:

sudo apt update && sudo apt upgrade -y  # Update package list and upgrade all packages
sudo apt install -y curl wget gnupg2    # Install essential tools

Next, add the repository for your specific blockchain node software. For example, if you’re installing Bitcoin Core:

curl -sSL https://bitcoin.org/bitcoin.asc | gpg --import  # Import Bitcoin Core GPG key
echo "deb http://ppa.launchpad.net/bitcoin/bitcoin/ubuntu focal main" | sudo tee /etc/apt/sources.list.d/bitcoin.list  # Add Bitcoin repository
sudo apt update  # Update package list with new repository

Installing the Node

Install the node software:

sudo apt install -y bitcoind  # Install Bitcoin daemon

Configuring the Node

Create a configuration file for your node. For Bitcoin Core, this would be:

sudo mkdir -p /etc/bitcoin  # Create configuration directory
sudo nano /etc/bitcoin/bitcoin.conf  # Open configuration file in nano editor

Add the following configuration settings:

## /etc/bitcoin/bitcoin.conf
server=1
daemon=1
rpcuser=bitcoinrpc
rpcpassword=YOUR_SECURE_PASSWORD_HERE  # Replace with a strong, unique password (use: openssl rand -base64 32)

Starting the Node

Enable and start the node service:

sudo systemctl enable bitcoind  # Enable Bitcoin daemon to start on boot
sudo systemctl start bitcoind   # Start Bitcoin daemon

Warning

Be cautious with file permissions:

sudo chmod 600 /etc/bitcoin/bitcoin.conf  # Restrict permissions to owner only

Verifying Installation

Check the node status to ensure it’s running correctly:

sudo systemctl status bitcoind  # Verify Bitcoin daemon status

For additional security, consider setting up a firewall and configuring it to allow only necessary ports. This will be covered in a subsequent section.

System Monitoring and Logging

To ensure the security and performance of your blockchain node on Debian 13, it’s crucial to implement robust system monitoring and logging practices. This section provides guidance on setting up essential tools and configurations.

Install and Configure sysstat for Performance Monitoring

The sysstat package provides a suite of utilities for monitoring system performance. Install it using:

sudo apt update && sudo apt install -y sysstat  # Update package list and install sysstat

Enable sysstat to start collecting data:

sudo systemctl enable sysstat  # Enable sysstat to start at boot
sudo systemctl start sysstat   # Start sysstat service

Configure sysstat to collect data every 10 minutes by editing /etc/default/sysstat:

sudo nano /etc/default/sysstat

Set the INTERVAL to 10:

## /etc/default/sysstat
ENABLED="true"
INTERVAL=10

Set Up rsyslog for Centralized Logging

Ensure rsyslog is installed and configured to handle system logs efficiently:

sudo apt install -y rsyslog  # Install rsyslog

Edit /etc/rsyslog.conf to customize log storage:

sudo nano /etc/rsyslog.conf

Add or modify the following lines to store logs in a specific directory:

## /etc/rsyslog.conf
$FileCreateMode 0640  # Set safe default permissions for log files
$DirCreateMode 0755   # Set safe default permissions for log directories

Restart rsyslog to apply changes:

sudo systemctl restart rsyslog  # Restart rsyslog to apply configuration changes

Monitor Logs with logwatch

Install logwatch to receive daily summaries of log activity:

sudo apt install -y logwatch  # Install logwatch

Configure logwatch to send reports to your email:

sudo nano /etc/cron.daily/00logwatch

Add the following line to specify the recipient email:

## /etc/cron.daily/00logwatch
/usr/sbin/logwatch --output mail --mailto [email protected] --detail high

By implementing these monitoring and logging practices, you can maintain a secure and well-performing blockchain node on Debian 13.

Regular Security Audits and Updates

Regular security audits and updates are crucial for maintaining the integrity and security of your blockchain node on Debian 13. This section outlines the steps to ensure your system is up-to-date and secure.

System Updates

Regularly updating your system is the first line of defense against vulnerabilities. Use the following commands to update your Debian 13 system:

sudo apt update && sudo apt upgrade -y
## 'apt update' refreshes the package index
## 'apt upgrade -y' upgrades all installed packages to their latest versions

Security Audits with Lynis

Lynis is a powerful tool for performing security audits on Unix-based systems. Install and run Lynis as follows:

sudo apt install lynis -y
## Installs Lynis for security auditing

sudo lynis audit system
## Performs a comprehensive security audit on the system

Review the output for any security recommendations and address them accordingly.

Monitoring and Logging

Ensure that your system logs are regularly monitored. Use rsyslog for logging and logwatch for summarizing logs:

sudo apt install rsyslog logwatch -y
## Installs rsyslog for logging and logwatch for log summaries

sudo systemctl enable rsyslog
sudo systemctl start rsyslog
## Enables and starts the rsyslog service

sudo logwatch --output mail --mailto [email protected] --detail high
## Sends a detailed log summary to the specified email

Warning: Dangerous Commands

Be cautious with commands that can alter or delete critical system files. For example, avoid using rm -rf without verifying the target directory:

## Warning: The following command will delete all files in the specified directory
rm -rf /var/log/old_logs/
## Deletes all files in the /var/log/old_logs/ directory

Always double-check paths and ensure backups are in place before executing such commands.

By following these steps, you can maintain a secure and robust environment for your blockchain node on Debian 13. Regular audits and updates are essential to preemptively address potential security threats.

Verification

After implementing security hardening measures on your blockchain node, it’s crucial to verify that the configurations are correctly applied and effective. This section outlines steps to ensure your Debian 13 server is secure.

Check User Permissions

Ensure that only necessary users have access to critical files and directories.

## List permissions for the blockchain data directory
ls -ld /var/lib/blockchain

Verify that the output shows restricted permissions, such as drwx------, indicating only the owner has access.

Validate Firewall Rules

Confirm that your firewall rules are correctly configured to allow only necessary traffic.

## Display active firewall rules
sudo ufw status verbose

Ensure that only essential ports, like 8333 for Bitcoin, are open.

Confirm SSH Configuration

Verify that SSH is configured securely.

## Check SSH configuration for security settings
grep -E 'PermitRootLogin|PasswordAuthentication' /etc/ssh/sshd_config

Ensure PermitRootLogin is set to no and PasswordAuthentication is set to no.

Review Installed Packages

Check for unnecessary packages that could introduce vulnerabilities.

## List installed packages
sudo dpkg --get-selections

Remove any packages not required for your blockchain node operation.

Verify System Logs

Review system logs for any suspicious activity.

## Display recent authentication logs
sudo tail /var/log/auth.log

Look for failed login attempts or unauthorized access.

Test Backup and Restore

Ensure your backup strategy is functional.

## Test restoring a backup
tar -xvf /backups/blockchain-backup.tar.gz -C /var/lib/blockchain

Warning: Ensure the backup directory is secure and not publicly accessible.

Monitor System Performance

Use monitoring tools to ensure the node is running optimally.

## Check system resource usage
top -b -n 1 | head -n 20

## Related Guides

- **Secure Remote Work Infrastructure on Debian**  
  Learn to set up a secure remote work environment on Debian 13 with VPN, SSH hardening, firewall, intrusion detection, and system monitoring.

- **Cloud Access Security Broker (CASB) Implementation on Debian**  
  Learn to implement and secure a Cloud Access Security Broker on Debian 13 with step-by-step installation, configuration, and verification guidance.

- **Edge Computing Security for IoT Gateways on Debian**  
  Learn to secure IoT gateways on Debian 13 using edge computing, with practical steps for setup, network security, encryption, and threat monitoring.

- **Extended Detection and Response (XDR) with Debian**  
  Learn to enhance Debian 13 security with XDR through installation, configuration, integration, and monitoring for optimal protection.

- **Federated Learning Security Infrastructure on Debian**  
  Learn to securely set up and manage federated learning on Debian 13 with installation, encryption, access control, and monitoring best practices.