Security Questions after going through Course + Coincashew

Hi everyone,

I am going through Coincashew’s guide and did the stake pool school. Using Azure, I have one VM for the core and one for the Relay (probably will add a third VM for second relay).
All ports are closed except the one connecting to my laptop and the core and relay VM have an open port between them. Both nodes are currently syncing with ETA of 2 days.

Some security aspects I still find odd however:

  1. How are my nodes syncing if I didn’t add any incoming rule for the nodes my relay connects to? (Outgoing is open)
  2. By having an open port between the core and the relay, couldn’t someone just SSH from my relay into the core node if I open incoming connections in the relay?
  3. Is there any way to prevent a DDoS on a single stake pool? It seems to me that having 2 relays can be targeted just as easily as one.
  4. Last one just to confirm: it’s often mentioned don’t put core and relay on the same host. Does that mean don’t put them on the same VM ,for example, (which I’m not doing) or don’t put them on the same VM host like Azure or AWS (which I am doing)

The air gapping is pretty clear to me and I clean installed Ubuntu on an old laptop with no wifi where I already generated some keys :slight_smile:

Thanks for reading and happy operating/staking!


  1. communication between nodes are related to the topology.json file
    you find the peers IP, which will connect with the node.
    also on this file, you have to define the port.
    then you have to open this port locally on ufw.

  2. ssh use 22 port, or you can change the port for ssh.
    then, you have to allow from the ufw, which source IPs are allowed to have ssh connection to each node. which means you can allow an IP,which is your Public IP from home, you can have a jump server, or you have to develop a nice architecture for the solution which fits to your pocket and gaols.

  3. close unnecessary port, allow only port for cnode. allow maximum of 12 peers for the cardano nodes on the topologyupdater file

  4. i didnt read something like that, but also i wouldnt do this too.
    as i understand what you have read, is related to exactly what you have understand. never run relay and BP on the same VM.

Thank you for your answers, helps a lot. About question 1. I did set up the topology with a few peers but didn’t open the ports yet. The node could already sync before I open the ports which I found weird and like I’m missing something.
Do you know how this could be?

can you please
sudo ufw status
is the firewall active?

the ufw firewall is not active. I use the Azure networking rules and I thought that is the same. They seem to be working at preventing unwanted connections. For example if I ssh into one of the VMs with the wrong port I get refused.

most of vps provider provide their firewall, but your operating system also has its own firewal (ufw) in our case.

we recommend both of them

ok, I will set up ufw too to be safe, thank you :slight_smile:

my friend,
first of all security, high priority for your private project and for sure like second and extended reason
the security of the network.

the reputaiton of Cardano project is related to our job,
and our job is related to the trust between us and the delegators…

that is the begin of democracy.
from bottom to top