Greetings from the Celo Foundation Community Security Team!
We’re back with some best practices for validators. Halborn completed a review of our ecosystem specifically focused on validator exposure. Translating these reviews into applicable knowledge for the community is a goal of the Security Team. Below are some of the best practices recommended by both Halborn and the Security Team.
Docker Best Practices:
- Docker images should adhere to the least privilege model.
- Restrict Linux capabilities.
- Dockerfile images should be developed to ensure the use of non-root users.
- Docker daemon socket should not be exposed.
- Inter-Container Communications should be disabled (Limit, Segregate, Isolate).
- Deploy “Read-Only” filesystems whenever possible.
- Privilege escalation within containers should be restricted.
- Use Docker’s Content Trust option to sign and verify images.
- Regular scans for image vulnerabilities.
- Keep your Docker and host OS up-to-date!
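
One way to check running containers against the per-container items in the list above (non-root user, restricted capabilities, read-only filesystem, restricted privilege escalation, no daemon socket). This is an added example, not code from Halborn or the Celo project; the container names and sample data are constructed, and daemon-level settings such as inter-container communication and Content Trust are not covered.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical containers.
SAMPLE = json.loads("""[
 {"Name": "/node-weak", "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": false,
                 "CapDrop": null, "CapAdd": ["NET_ADMIN"], "SecurityOpt": null},
  "Mounts": [{"Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}]},
 {"Name": "/node-hardened", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": true,
                 "CapDrop": ["ALL"], "CapAdd": null,
                 "SecurityOpt": ["no-new-privileges:true"]},
  "Mounts": [{"Source": "/srv/node-data", "Destination": "/data"}]}
]""")


def audit_container(c):
    """Return the list of findings for one `docker inspect` entry."""
    host = c.get("HostConfig") or {}
    findings = []
    user = ((c.get("Config") or {}).get("User") or "").split(":")[0]
    if user in ("", "0", "root"):  # empty User means the image default, i.e. root
        findings.append("runs as root")
    if host.get("Privileged"):
        findings.append("privileged mode enabled")
    if "ALL" not in [cap.upper() for cap in host.get("CapDrop") or []]:
        findings.append("capabilities not dropped")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem writable")
    opts = [o.replace("=", ":") for o in host.get("SecurityOpt") or []]
    if not any(o.split(":")[0] == "no-new-privileges" and not o.endswith(":false")
               for o in opts):
        findings.append("privilege escalation not restricted")
    if any(m.get("Source", "").endswith("docker.sock") for m in c.get("Mounts") or []):
        findings.append("Docker daemon socket mounted")
    return findings


def audit(inspect_json):
    """Map container name -> findings for a parsed `docker inspect` array."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in inspect_json}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```

On a live host, pass `audit()` the parsed JSON output of `docker inspect $(docker ps -q)` instead of the sample.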
Linux Best Practices:
- Avoid public SSH access to the validator.
- If possible, avoid public access to the proxy and the attestation service as well.
- Run nodes with the lowest level of privileges.
- Never use the root-user.
- Always apply security patches for your operating systems.
- Password-based SSH authentication is not a best practice. Use key-based access. Securely store and back-up your keys.
- Disable non-essential SSH subsystems (banner, motd, scp, X11 forwarding).
- Harden your SSH configuration.
- Clear previous commands.
- Back-up your storage.
Monitoring your Validator Best Practices:
- Be sure you’re following the pre-built tools for monitoring your Celo Validator.
- Host Machine Telemetry collection: tracks node details, current running version, block height, CPU, memory usage, and block propagation time.
Network Best Practices:
- To avoid DDoS, only allow your proxy to be exposed to the public internet.
- Assign a static external IP to the proxy.
- Assign static internal IPs to both the validator node and local account node.
- Validate listening network ports occasionally to gain essential knowledge about your network.
Firewall Best Practices:
- Enable the standard UFW to control network access to the node.
- Do not expose other ports to the public internet.
- Use Fail2Ban to monitor log files and failed login attempts.