Masternode and wallet security requirements


#1

Hello, thanks to everyone who try to explain details and help us… I will setup a masternode, but I want to learn about Linux operation system security checks?
Which Linux do you suggest and what I must do for my wallet security? I need protect my wallet from attackers?
Please give me a to-do list for my wallet and masternode security.


#2
a few items about security on the linux os hosting your master node.

the master node does not have your wallet on it, so you dont need to worry about that any more then you worry about your normal wallet on your computer. I do advise you pick strong passwords for anything wallet related in crypto however.

going to assume your going to use ubuntu 16
1. For the linux server very first thing when you get into it. 
update all packages on it and the distribution, for ubuntu this is run as root user command

"apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y && shutdown -r now"

2. install iptables with command "apt-get install iptables iptables-persistent -y"

3. make unprivileged user for the node and to login with (we disable root login below)
command = adduser pirl

pick a hard password and accept all the defaults


----ssh security---------
(ssh key auth is best but I don't want to write a book tonight"
4. change ssh port to some number higher then 1024 but lower then 65534 ex. 22055
 ex.  Port 2288 or Port 22022 (anything not port 22, or 80, or 6588 or 30303. 
recommend higher like >22000 and < 65000

 command = nano /etc/ssh/sshd_config
change "Port 22" to "Port 22055" or number you picked above

*         Disable root login

find the line that say: "PermitRootLogin yes" change it to "PermitRootLogin no"

*     set only user allowed to use ssh to login to your selected username from number 4 above for example "pirl"

add a line at the bottom that says
"AllowUsers pirl"

this is the only user that will be allowed to authenticate to ssh, 
if you made a different account above use that username instead
(use the unprivileged user to login, and sudo or su to root if needed)
close and save file


5. edit sudo to allow your new user to become root
command "visudo"
find the section toward the bottom that says
"
# User privilege specification
root    ALL=(ALL:ALL) ALL
"

add a line under that to make it say (using your username)
"
# User privilege specification
root    ALL=(ALL:ALL) ALL
pirl   ALL=(ALL:ALL) ALL
"
(to save the file do cntrl x then yes)(it will warn you if you messed up)

6. restart the ssh deamon and make sure you can ssh in, on the NEW port before you close your current session
command "systemctl restart ssh" or "systemctl restart sshd"
you should be able to see it listening on the new port with command "netstat -lnp|grep ssh"
 > netstat -lnp|grep ssh
> tcp        0      0 0.0.0.0:22022           0.0.0.0:*               LISTEN      22198/sshd
> tcp6       0      0 :::22022                :::*                    LISTEN      22198/sshd
> root@POOLsrvr:~#

8. configure the firewall

Now we set some simple iptables rules to drop all other stuff away, presuming 22022 (whatever you picked above) for ssh above
edit the firewall config file /etc/iptables/rules.v4 with command 
**nano /etc/iptables/rules.v4**

fill in there some basic rules from below, take note of the sshd port and source ip address line in the top section.

---------------------iptables rules.v4 file contents------------------
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]

    # Allows SSH connections 
    # The --dport number is the same as in /etc/ssh/sshd_config you changed before
    -A INPUT -s **your.home.ip.address.here**/32 -p tcp -m state --state NEW --dport 22022 -j ACCEPT
    # Accepts all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allows all outbound traffic
    # You could modify this to only allow certain traffic, you don't want to unless you know what you are doing!
    -A OUTPUT -j ACCEPT
    # Allow all localhost source traffic ie, your proxie stuff from ember
    -A INPUT -s 127.0.0.1/32 -j ACCEPT
    # Allow ping
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    #Allow pirl node inbound traffic
    -A INPUT -p tcp -m tcp --dport 30303 -j ACCEPT
    -A INPUT -p tcp -m tcp --sport 30303 -j ACCEPT
    -A INPUT -p udp -m udp --dport 30303 -j ACCEPT
    -A INPUT -p udp -m udp --sport 30303 -j ACCEPT

    # log iptables denied calls (access via 'dmesg' command)
    #-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    # DROP all other inbound - default deny unless explicitly allowed policy:
    -A INPUT -j DROP
    -A FORWARD -j DROP

    COMMIT
-----------------------end file contents-------------------

9. save the file, then you can activate it, and write reformatted back to the file:
use commands below :
iptables-restore < /etc/iptables/rules.v4
iptables-save > /etc/iptables/rules.v4


you can also watch the packets get through with command 
iptables -L -v


10, now you have 
* changed the default login port, username and ip which is allowed to use ssh
* enabled the firewall, and only allowed ssh to your home ip, and only allowed the pirl daemon ports through
* added your new user to sudo so you can become root
* blocked root login on ssh
* limited ssh login to only your new username 
* updated the old packages and kernel for the ubuntu distro to the latest secure packages possible

pat yoruself on the back, 
at this point if it is hacked, they did it from your home, or broke through the pirl node service directly.

#3

Hello,
i installed oyster wallet from pirl.io and created a new wallet with strong password.ş than i backed up “keystore” folder
and than i installed a new wallet to a new pc, give my wallet file in the keystore, but Osyter Wallet DO NOT asked me any password??? WHY?


#4

Hello !
Did you try to make a transaction ?
Password is asked only when you want to make a transaction, not when you open the wallet.


#5

Hmm. Thanks. I got it