Security specifics

I’ve enabled a ufw firewall on my relay nodes and get a status like this:

To                         Action      From
--                         ------      ----
<SSHport>/tcp             LIMIT IN    Anywhere
<NODEport>/tcp            ALLOW IN    Anywhere
<SSHport>/tcp (v6)        LIMIT IN    Anywhere (v6)
<NODEport>/tcp (v6)       ALLOW IN    Anywhere (v6)

I saw a recommendation that I should disable IPv6 - which corresponds to all the (v6) rules, correct?

So a more secure ufw ruleset should read as follows:

To                         Action      From
--                         ------      ----
<SSHport>/tcp             LIMIT IN    Anywhere
<NODEport>/tcp            ALLOW IN    Anywhere

I can’t allow just my home IP to login as my ISP changes this address regularly.

What kind of security hole do I leave enabling a port for prometheus?

I’m supposed to not run a node with root privileges and should set up an unprivileged account with sudo access. I’m on an AWS server running Ubuntu 18.04. After login all upper level commands require a sudo prefix. Does this mean I am already logged in as a user with restricted privilege?

How about installing Prometheus + Grafana on a separate monitoring server, and configuring your core + relay nodes firewall such that only the monitoring server is able to connect to the node exporter + Prometheus ports? That way, you won’t need to expose the Prometheus port to the public.

I run my Prometheus + Grafana servers on a free google cloud instance (F1-micro) that only I can access from my home PC - seems to get the job done. Then it’s only a matter of logging into the Google Cloud Console every now and then to update the firewall rules whenever my public IP is changed by my ISP.
