July 9th, 2018

Introduction to setting up a secure Ubuntu server for the first time

This tutorial is meant for beginners who want to set up an Ubuntu server for the first time. It contains the very basic steps of installing Ubuntu on a new server, enhancing its security and installing the OriginTrail testnet node. The tutorial is based on Ubuntu 16.04. It is recommended to run nodes on a rented VPS. We’ll include a list of trustworthy and stable VPS providers at the end of the tutorial. Most providers offer a single click to install an OS, so things may differ depending on your provider.

Replace everything between < > with your own values.

To install Ubuntu, use the following tutorial which will guide you through the process. https://tutorials.ubuntu.com/tutorial/tutorial-install-ubuntu-server-1604

Make sure to install OpenSSH in step 10. The other packages are not needed.

We’re using SSH to connect to our server. For Windows use either PowerShell (run as administrator) or PuTTY.
Mac users can use the built-in terminal (Spotlight, command + spacebar: search for Terminal).

It is most likely that you’ve created a user with your own username during the installation and you’ll never have to login as ‘root’. If this is the case for you, you can skip to step 3.

By default, the root account password is locked in Ubuntu. This means that you cannot login as root directly or use the su command to become the root user. However, since the root account physically exists it is still possible to run programs with root-level privileges. This is where sudo comes in – it allows authorized users to run certain programs as root without having to know the root password. If you are, for some reason, logging in as root, please first follow step 1 and 2.

1. Basic system setup as root

If you are done with the installation, connect to your server through SSH, using the root account provided by your host.

  • ssh root@<ip-address>
  • example: ssh root@13.37.13.37

Change the root password (type it twice):

  • passwd

Exit and login again with your new password:

  • exit
  • ssh root@<ip-address>
  • example: ssh root@13.37.13.37

2. Adding a new user

Now, we’re going to create a new regular user as it is not recommended to use the ‘root’ account for your node.

  • adduser <new_user>
  • example: adduser barry

Enter a new and strong password twice and press enter six times to accept the default values.

Exit and connect to your server as the new user, not as root. Use the password you’ve set while creating the new user.

  • exit
  • ssh <new_user>@<ip-address>
  • example: ssh barry@13.37.13.37

Now we’re going to add the new user to the ‘sudo’ group. sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.

  • usermod -a -G sudo <new_user>
  • example: usermod -a -G sudo barry

3. Adding our user to the sudo group

If you’ve followed step 1 and 2, you can now skip to step 4. If you are done with the installation, connect to your server through SSH, using the account you have set up during the installation process.

  • ssh barry@<ip-address>
  • example: ssh barry@13.37.13.37

We need to add the user to the ‘sudo’ group. sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.

  • sudo usermod -a -G sudo <user>
  • example: sudo usermod -a -G sudo barry

4. Updating and installing packages on your server

The following commands require root privileges. To run a command with root privileges, simply prepend sudo to it. If you ever get a ‘permission denied’ error, you probably forgot to prepend sudo to the command. Example: ‘sudo apt-get install npm’. Whenever you are asked whether you want to continue because additional disk space will be used, just press Y on your keyboard.

It is important to update all the existing packages on the server. Ubuntu will ask you to fill in your password once again since you are now logged in as a ‘regular’ user.

To update the packages, use the following commands as the root user (and repeat those commands at least every week to get the latest security updates):

  • sudo apt-get update
  • sudo apt-get dist-upgrade

Reboot your server (just in case the kernel has been updated) and connect again.

  • reboot
  • ssh <user>@<ip-address>
  • example: ssh barry@13.37.13.37

It is important to have an accurate time on your system, as clock drift can cause conflicts. In most cases it’s best to use pool.ntp.org to find an NTP server; the system will try to find the closest available servers for you.

  • sudo apt-get install ntp
  • sudo apt-get install ntpdate
  • sudo service ntp stop
  • sudo ntpdate pool.ntp.org
  • sudo service ntp start

Now, install additional packages which are needed or useful.

  • sudo apt-get install nano
  • sudo apt-get install npm

5. Secure your SSH connection

We’re going to change the standard SSH port to make your server just a bit more secure. To make it even more secure, you can use the following guide (not recommended): https://www.cyberciti.biz/faq/how-to-disable-ssh-password-login-on-linux/

We’re not recommending this, as you won’t be able to login anymore from any computer or mobile phone.

Open the sshd_config file with nano:

  • sudo nano /etc/ssh/sshd_config

Go to the line with ‘Port 22’ and change it to another port number between 49152 and 65535.

  • example ‘Port 51337’

From now on, we will be referring to this new port as <new_ssh_port>.

Go to line ‘PermitRootLogin yes’ and change it to ‘PermitRootLogin no’.

  • example ‘PermitRootLogin no’

Press control + X, press Y and press enter to save your new configuration.

Restart the SSH service:

  • sudo service ssh restart

Now disconnect and reconnect to test that the new port is working. Remember to pass your new port as follows:

  • exit
  • ssh -p <new_ssh_port> <user>@<ip-address>
  • example: ssh -p 51337 barry@13.37.13.37
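The two sshd_config edits above can be made repeatable and checkable with a small script. This is an added example, not part of the original guide; the helper names (set_sshd_option, sshd_option, ssh_port_ok, harden_sshd) are assumptions, and it handles the case where the directive is still commented out (‘#Port 22’) or missing entirely.

```shell
# Added example, not from the original guide. Assumed helper names:
# set_sshd_option, sshd_option, ssh_port_ok, harden_sshd.

# Rewrite the first "Key ..." or "#Key ..." line as "Key VALUE"; append the
# directive when the file has neither. sshd honours the first active
# occurrence of a directive, which is why only the first hit is rewritten.
set_sshd_option() {
    cfg=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        !hit && $0 ~ ("^[[:space:]]*#?[[:space:]]*" k "([[:space:]]|$)") {
            print k " " v; hit = 1; next
        }
        { print }
        END { if (!hit) print k " " v }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Effective value of a directive: the first active (uncommented) line.
sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# The guide asks for a port in the dynamic range 49152-65535.
ssh_port_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# Apply the two changes from step 5 (new port, no root login) to a config file.
harden_sshd() {
    cfg=$1 port=$2
    ssh_port_ok "$port" || { echo "port must be 49152-65535" >&2; return 1; }
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin no
}
```

Run it as root against /etc/ssh/sshd_config (for example ‘sudo sh -c ". ./harden.sh; harden_sshd /etc/ssh/sshd_config 51337"’), then run ‘sudo sshd -t’ to validate the file before ‘sudo service ssh restart’, since a broken config can lock you out.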

6. Enabling Swap space

It is recommended to enable swap on your server, if not done already. If you have a very powerful server, you can probably skip this step if you really want.

First check if swap isn’t already enabled:

  • sudo swapon -s
  • free -m

If swap is not enabled, use the following extensive guide to enable it: https://www.digitalocean.com/community/tutorials/how-to-add-swap-space-on-ubuntu-16-04

7. Installing fail2ban

Fail2ban scans log files and bans IPs that show malicious signs: too many password failures, probing for exploits, etc. Generally Fail2ban is then used to update firewall rules to reject those IP addresses for a specified amount of time.

  • sudo apt-get install fail2ban

Now we’re going to edit the fail2ban config so that it watches your modified SSH port:

  • sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • sudo nano /etc/fail2ban/jail.local

Replace every line that looks like this:

  • port = ssh

With your new ssh port:

  • port = <new_ssh_port>

It should then look similar to this:

  • example:
    #
    # SSH servers
    #
    [sshd]
    port = 51337
    logpath = %(sshd_log)s

Save and exit with ctrl + X, Y, ENTER.

Now, restart fail2ban:

  • sudo service fail2ban restart
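If the port in jail.local and the port in sshd_config ever drift apart (for example after changing the SSH port a second time), fail2ban keeps watching the wrong port and brute-force attempts against the real one are never banned. The following check is an added example, not part of the original guide; the helper names (sshd_port, ini_value, fail2ban_sshd_port, f2b_sshd_port_matches) are assumptions, and it also honours a ‘port’ set only in the [DEFAULT] section.

```shell
# Added example, not from the original guide. Assumed helper names:
# sshd_port, ini_value, fail2ban_sshd_port, f2b_sshd_port_matches.

# First active "Port" directive of sshd_config; sshd defaults to 22.
sshd_port() {
    p=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# Value of KEY inside [SECTION] of an INI-style file such as jail.local,
# falling back to the same key in [DEFAULT] when the section does not set it.
ini_value() {
    file=$1 section=$2 key=$3
    awk -v s="$section" -v k="$key" '
        /^[[:space:]]*\[/ { cur = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", cur); next }
        /^[[:space:]]*[#;]/ { next }          # comment line
        {
            eq = index($0, "="); if (eq == 0) next
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (name != k) next
            if (cur == s) { print val; found = 1; exit }
            if (cur == "DEFAULT") dflt = val
        }
        END { if (!found && dflt != "") print dflt }
    ' "$file"
}

fail2ban_sshd_port() {
    ini_value "$1" sshd port
}

# Returns 0 when the [sshd] jail port equals the port sshd listens on.
# The stock value "ssh" resolves to 22, so it only matches an unchanged sshd.
f2b_sshd_port_matches() {
    want=$(sshd_port "$1")
    have=$(fail2ban_sshd_port "$2")
    [ "$have" = ssh ] && have=22
    [ -n "$have" ] && [ "$have" = "$want" ]
}
```

Run ‘f2b_sshd_port_matches /etc/ssh/sshd_config /etc/fail2ban/jail.local || echo "fail2ban watches the wrong SSH port"’ after every SSH port change.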

8. Setting up your firewall

Check this tutorial for more details: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-16-04

First check the status of the firewall:

  • sudo ufw status

Now we’re going to set up the firewall, blocking all the ports but allowing traffic on the ports which are being used by the OriginTrail node:

  • sudo ufw disable
  • sudo ufw default deny incoming
  • sudo ufw default allow outgoing
  • sudo ufw allow <new_ssh_port>
  • example: sudo ufw allow 51337
  • sudo ufw allow 80
  • sudo ufw allow 443/tcp
  • sudo ufw allow 4043
  • sudo ufw allow 3000
  • sudo ufw allow 3010
  • sudo ufw allow 8529
  • sudo ufw allow 8900
  • sudo ufw allow 5279
  • sudo ufw allow 5278
  • sudo ufw enable

Check the status again to see if the rules are updated:

  • sudo ufw status

9. Installing docker

We’re finally getting close to installing your OriginTrail testnet node! The node is easily installed through a Docker image, so first we’re going to need to install Docker on our server. Use the following guide to do so and stop once you have run the test provided in that guide (sudo docker run hello-world): https://docs.docker.com/install/linux/docker-ce/ubuntu/

Now, give docker the proper privileges:

  • sudo groupadd docker
  • sudo usermod -aG docker $USER

Log out and log back in so that your group membership is re-evaluated.

  • exit
  • ssh -p <new_ssh_port> <user>@<ip-address>
  • example: ssh -p 51337 barry@13.37.13.37

Verify that you can run docker commands without sudo.

  • docker run hello-world

For more info check: https://docs.docker.com/install/linux/linux-postinstall/#manage-docker-as-a-non-root-user

10. Starting your node for the first time

Yay, it’s finally time to start your node! At least you have a more secure server now, and that is super important!

Download and install all the needed prerequisites:

  • docker run -it --network host -d --name=otnode --mount source=otnode-vol,destination=/ot-node --mount source=arango-vol,destination=/var/lib/arangodb3 origintrail/ot-node

This step can take a while so don’t close the terminal in the process. Once this process is done, start the node in interactive mode with the following command:

  • docker start -i otnode

Now keep checking for green letters. You should see something like:

notify:=======================================================
notify: Houston password: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx
notify: =======================================================

Save this password somewhere safe. This is the password you will use to login to and interact with your node using the Houston graphical user interface app. If you don’t see this, go to step 12.

You should also see your wallet address. Save this address somewhere and use the faucets to send tokens to the address:

https://origintrail.io/faucet
https://faucet.rinkeby.io/

If you are running into issues trying to receive tokens, or you don’t have a social media account, please contact an admin on the Discord chat: https://discordapp.com/invite/wf3mJtp

To get out of interactive mode but keep your node running, close the terminal window or press control + p and control + q afterwards. This will switch the Docker container to daemon mode.

11. Using Houston to interact with your node

The OriginTrail team made a great app called Houston to interact with your node without having to use the terminal again.

Download the Houston app:
Mac: https://origintrail.io/storage/Houston/Houston-0.7.0.dmg
Windows: https://origintrail.io/storage/Houston/Houston-0.7.0.exe

Open the Houston app and fill in the IP address of your server and the password you’ve saved in secure place. Click login and the app will connect to your node. You are now able to see all the statistics and settings of your node!

12. If you don’t see the Houston password and wallet address during startup

Some people encountered issues where they didn’t see any information and the node kept looping, warning you to first store funds in your wallet. If you have the same issue, please follow this step. You can also follow this step if you want to make changes to the default configuration (not recommended).

Stop your node with control + C. Hit it a couple of times if it’s not stopping. Then start your node without interactive mode and open a shell inside the container:

  • docker start otnode
  • docker exec -it otnode bash

You are now entering the active docker container. From there, type:

  • nano .env

This may look a bit weird and buggy, but your config file is opening. You will now see your wallet address, private key and houston password. Copy those and store them somewhere safe. Now you can use the faucets to receive the tokens needed for running the node!

Press control + x to exit and if you have made changes to the file, type:

  • npm run config

Type exit to exit the container. Now stop your node:

  • docker stop otnode

And start it again:

  • docker start -i otnode

If you have received the needed tokens, the node should now run fine and you shouldn’t get any more errors.

Useful links:

https://rinkeby.etherscan.io
https://discordapp.com/invite/wf3mJtp
https://origintrail.io/faucet
https://faucet.rinkeby.io

VPS Providers:

https://www.ovh.com
https://www.vultr.com
https://www.namecheap.com
https://www.hostwinds.com
https://www.transip.eu
https://www.digitalocean.com

One Reply to “Extensive guide to a secure OriginTrail node setup”

  1. Hello. Thank you for the great guide. I am trying to set up a secure server using Ubuntu on digital ocean. Hoping you can help me with Docker installation. I cannot get past adding the GPG key. After “curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -” I keep getting curl: option -: is unknown. I did notice that when I paste the command into the terminal “|” (pipe) is changed to >. Also puts a > when I type | in the terminal. Not sure if this is the reason for the error. Appreciate any suggestions.
