Linux auditing and hardening (for validators / workstations)

#1

In addition to thinking about appropriate hardware for a secure home workstation, I started a repo to encourage collaborative efforts around validator security: here. It is still a work in progress and I would appreciate people reaching out to me to work on it.

In addition to thinking about hardware, we need to consider appropriate processes and system configuration. I’d like to kick off some discussion about Linux auditing and hardening.

Starting with a pre-hardened system would make life easier, however you could take a stock Linux server distribution and applying hardening. My guess is that most people in the blockchain industry are not hardening experts, but are enthusiasts who are keen to learn.

Auditing

Performing an audit is the first step in hardening your system. Find what is poorly configured from a security point of view, and then fix it. While you could run a generic auditing script it doesn’t aid with understanding.

I’ve created a new repo to help get started with Linux auditing. I provide a simple process you can follow to check the system’s configuration, plus the commands you need to run.

This process is generic. It is not tailored to running a validator server. The coverage is about the same, but when you perform an audit you should understand the context in which you do the audit. If you are a web server then it is acceptable to have ports 80 and 443 open, but if you are running a validator it probably isn’t.

For now I’ve outlined the auditing process Debian / Ubuntu systems: here.

Hardening

Hardening a system more or less requires understanding what the weak configurations look like (as found in an audit) then changing this configurations to more secure options.

This section requires further work!

#2

Thank you. This information is helpful to me.:blush::blush: