Hi, I recently reached out to a developer as I am learning the ropes of setting up a Cardano Stake Pool publicly. I asked security questions regarding having an air-gapped machine and was curious whether the insight they provided was sound.
The gentleman explained to me:
“You don’t need to set up an air-gapped machine. It’s a complicated setup that is deployed by advanced users with a technical background. Your servers should be secure enough that it is impossible to be hacked, and let’s say they managed to hack your server, they can’t do anything on the server since the important files and keys are encrypted by your password. You will also have an offline copy of those important files and keys in an encrypted format on your PC or anywhere you want to save, just in case something happens. Your server should be set to its optimal setup, each with a host-based firewall where only the necessary ports needed by the node and a unique SSH port are open. And it should have a login detection daemon that prevents any brute force attacks on the server, i.e. it blocks the IP address of anyone that attempts to login to the server via SSH using a wrong password 3 times.”
Is this sound advice being given?
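As an added example (not from anyone in the thread), here is the rule the developer describes, blocking a source after three failed SSH passwords, written as detection logic over constructed sshd log lines. A sliding time window and the 2021 year for the syslog timestamps are assumptions, since the quoted advice specifies neither.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format, RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar  1 10:00:01 bp sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:03 bp sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  1 10:00:04 bp sshd[2103]: Accepted publickey for operator from 198.51.100.7 port 40022 ssh2
Mar  1 10:00:05 bp sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  1 10:00:09 bp sshd[2107]: Failed password for operator from 198.51.100.7 port 40030 ssh2
Mar  1 10:20:09 bp sshd[2109]: Failed password for operator from 198.51.100.7 port 40031 ssh2
Mar  1 10:40:09 bp sshd[2111]: Failed password for operator from 198.51.100.7 port 40032 ssh2
"""

# Only failed password attempts count; accepted logins and other messages are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts: str, year: int = 2021) -> datetime:
    # syslog timestamps carry no year; the year is an assumption for the sliding window
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def brute_force_sources(log: str, max_retry: int = 3, window_minutes: int = 10) -> dict:
    """Return {ip: time_of_third_failure} for addresses that reach max_retry
    failed passwords inside a sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # expire failures older than the window
        if len(q) >= max_retry and ip not in blocked:
            blocked[ip] = ts       # a real daemon would add a firewall rule here
    return blocked

if __name__ == "__main__":
    for ip, when in brute_force_sources(SAMPLE_LOG).items():
        print(f"block {ip} (third failure at {when})")
```

The window matters: 198.51.100.7 also fails three times, but twenty minutes apart, so it is only flagged when the window is widened, which is the trade-off any such daemon has to make between catching slow guessing and blocking an operator's typos.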
Nope. Air gap is essential. There are stories of others who lost all their ADA (~1M) because they exposed their air gap to the internet once. Why risk it? It doesn’t need to be a powerful server, just a second-hand small form factor office PC does the trick.
I think in that particular case the docker image was already hacked when it was installed… anyway this is a hot topic and each of us should have a security plan… no one will want to lose the funds
You’re probably right. I see the air gap machine as being a very simple but effective security measure. Why try to complicate it? It isn’t very complicated to set up. No more complicated than a Cardano node in general.
What exactly would I want to do on an air gap machine, when all my funds including the pool’s pledge are secured by a HW wallet? The pool’s cold.skey can now also be secured by a HW wallet.
Sign pool certs, etc. While the HW secures your pledge, I don’t think it secures your pool itself and someone could maliciously take control of your pool and reassign the rewards address.
How so? Pool config changes need to be witnessed by three roles:
- The one who pays the fees
- The pool’s cold skey
- Every owner’s skey
If the latter two are controlled by a HW wallet, how would an attacker change the pool config?
In practice, because HW secured cold keys are still fairly young, it would boil down to an attacker gaining access to the cardano-cli generated cold.skey.
Is this our common understanding, that an air gap machine would potentially better secure that single skey?
anyway… it’s better to avoid all of these… so still I believe each PO has his own plan to secure the pool…
I can give you an example for cntools (my case):
disconnect the server from internet, start cntools in offline mode and create/sign the transactions, then connect the node back to the internet (after all sensitive files were removed) and submit the transaction
I agree you need the multi sign to generate the pool config, but do you need it to undo that config? i.e. just remove HW address and sign it without it?
It’s the cold.skey that matters. With ASTOR an attacker would have to get hold of that key to change pool owners. All my ADA is secured by HW wallet (i.e. I have no payment.skey that could get compromised) - at least none with significant funds.
I have my systems local with ssh uninstalled. Is this the safest setup? Do you still recommend air gap?
I am not an expert but most people I trust use air gapping.
Having an air-gapped machine is essential to a secure operation. It’s as cheap as a Raspberry Pi on which you sign the transactions. It has to be a machine that was never connected and will never connect to the internet.
Yes me too mate, and this is a good security step.
The air-gapping concept is good, and should still be applied. A step further is to really have a dynamic environment ruled by automated pipelines. This way even your air-gap environment only exists a few minutes at worst and is then destroyed once its task is done.
Any server staying up a long time ends up being a potential security threat. Relays and Block Producer included.
In a nutshell cattle > pets
Thanks all for the responses. This helped settle some decisions that air gapped was a crucial necessity. I’ve set up my stake pool (Donator) and it is air gapped.
Now off and running to promoting. I’m intrigued how others promote their pools successfully (or unsuccessfully). I understand the rewards algorithm, and I’m not biased that it favors larger pools to mint blocks. Checking adapools.org, there are A LOT of pools that have still produced 0 blocks for quite some time.
How can the small guy or gal get a leg up on these larger pools, isn’t this inherently centralized? Sorry to throw out the forbidden “c” word of crypto. Wouldn’t changing this algorithm setup to help the smaller pools give an edge over eth 2.0? Maybe I’m an idiot and missing something, as I often pigeonhole my train of thought.
We will actively promote and hope others delegate with us as we donate 100% of margin to charity. Hoping that’s enough. If any have insight or if there is a union of small pools (lol) I’d love to join.
Have you seen the new CF portal?
…environments ruled by automatic pipelines… sounds like it’s hard work but the ideal place for air-gapping.
Do you have any resources I can look at to help me experiment with such a setup?
Hey @Everett2890,
You are not an idiot, and yes this is one of the problems Cardano will have to address.
My guess is it served the purpose of quickly spreading the pools and advertising Cardano initially very well. In that sense it’s a success.
Now I think we are reaching the limits of this system where pools are only rewarded on popularity by users.
This popularity is reached by either being a social media addict, or being an exchange, which are both very limiting.
Exchanges help centralization, having them around is ok, having them too much is problematic.
Social media “geniuses” are not bringing much to the table really. Often not improving the Cardano ecosystem, being “script kids” and even sometimes promoting themselves through barely acceptable ways, dragging Cardano in some sort of mud (boobs, sexy pics, etc …).
I didn’t mention the last type of pools, the serious ones that were here from the very early stages of pooling that got their name known this way. They totally deserve their fame and success.
IMHO, the pool reward has got to be decorrelated from the advertisement. Rating pools on uptime, delay to update, missed blocks, etc … would be so much better for everyone.
Disclosure, I’m representing [MADA1], a technical pool with cardano delegation offering automation help and compiling and distributing cardano node for ARM CPU to the community.
It’s not so much hard work.
Our whole pool is managed through GitLab and everything is a breeze.
An airgap machine for secure operation is good, but an instance with no login possibility, existing for 2 to 10 min and destroying itself on completion is the best practice. That is easily achievable through automation.