Validator Security Practices

Greetings from the Celo Foundation Community Security Team! :cowboy_hat_face:

We’re back with some best practices for validators. Halborn completed a review of our ecosystem focused specifically on validator exposure. Translating these reviews into applicable knowledge for the community is a goal of the Security Team. Below are some of the best practices recommended by both Halborn and the Security Team.

Docker Best Practices:

  • Docker images should adhere to the least privilege model.
  • Restrict Linux capabilities.
  • Build Dockerfile images so that containers run as non-root users.
  • Do not expose the Docker daemon socket.
  • Disable inter-container communication (limit, segregate, isolate).
  • Deploy “Read-Only” filesystems whenever possible.
  • Restrict privilege escalation within containers.
  • Use Docker Content Trust to sign and verify images.
  • Scan images regularly for vulnerabilities.
  • Keep your Docker and host OS up-to-date!
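As an added example (not from the original post, Halborn’s report, or Celo’s own deployment files), here is a docker-compose service that applies the Docker items above to a validator container. The image name, the data directory path and the P2P port are placeholders; substitute the ones your deployment actually uses.

```yaml
# Added example: hardened compose service for a validator node container.
# IMAGE_PLACEHOLDER, /data and port 30303 are assumptions, not Celo's real values.
services:
  validator:
    image: IMAGE_PLACEHOLDER         # pull with DOCKER_CONTENT_TRUST=1 exported on the host
    user: "1000:1000"                # non-root UID:GID; the data volume must be owned by it
    read_only: true                  # immutable root filesystem
    tmpfs:
      - /tmp                         # scratch space that never touches the rootfs
    volumes:
      - ./data:/data                 # only the chain data dir is writable (path assumed)
      # never mount /var/run/docker.sock: it is equivalent to root on the host
    cap_drop:
      - ALL                          # start from zero Linux capabilities
    security_opt:
      - no-new-privileges:true       # setuid/setgid binaries cannot raise privileges
    pids_limit: 256                  # bounds runaway process creation inside the container
    ports:
      - "30303:30303"                # publish the P2P port only (placeholder); nothing else
    restart: unless-stopped
```

Inter-container communication is a daemon setting rather than a compose key: set `"icc": false` in `/etc/docker/daemon.json` on the host so containers reach each other only over networks you define explicitly.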

Linux Best Practices:

  • Avoid public SSH access to the validator.
  • If possible, avoid public access to the proxy and the attestation service as well.
  • Run nodes with the lowest level of privileges.
  • Never use the root-user.
  • Always apply security patches to your operating systems.
  • Password-based SSH authentication is not a best practice. Use key-based access. Securely store and back-up your keys.
  • Disable non-essential SSH subsystems (banner, motd, scp, X11 forwarding).
  • Harden your SSH configuration.
  • Clear your shell command history.
  • Back-up your storage.

Monitoring your Validator Best Practices:

  • Be sure you’re using the pre-built tools for monitoring your Celo Validator.
  • Host Machine Telemetry collection: tracks node details, current running version, block height, CPU, memory usage, and block propagation time.

Network Best Practices:

  • To avoid DDoS, expose only your proxy to the public internet.
  • Assign a static external IP to the proxy.
  • Assign static internal IPs to both the validator node and local account node.
  • Periodically audit the listening network ports so you know exactly what your network exposes.

Firewall Best Practices:

  • Enable the standard UFW firewall to control network access to the node.
  • Do not expose other ports to the public internet.
  • Use Fail2Ban to monitor log files and failed login attempts.