Secure Your SmartCash SmartNode VPS on Ubuntu 16.04 with a Mac Wallet v1.0


Mac 10.13.2 (Local Wallet)
Ubuntu 16.04 LTS x64 (VPS smartnode)
Date 29/1/2018
By @controllinghand
Donation to my Smartcash: SebFkuHrqDnj3obXvMtfxtQKRgFeVpXF5x

Introduction

This guide assumes that you have already configured your SmartNode using the following guide

This section will guide you through disabling SSH access for root and creating a smartadmin user that logs in over SSH with keys controlled on your Mac.

Section 1: Add the smartadmin user

  1. ssh into your VPS
    Once you have logged in, create a new user (I used “smartadmin”) with the command
    adduser smartadmin
  2. Enter the details for a password and keep it safe.
  3. You can enter the optional information but it is not necessary so you can just skip it by pressing enter.
  4. Type Y for the questions “Is this information correct” and press enter.
  5. Give smartadmin the ability to elevate its privileges when needed by adding the user to the sudo group with the command
    gpasswd -a smartadmin sudo

Section 2: install the firewall and set it up

  1. Let us install the firewall with
    apt-get install ufw
  2. Open up the correct ports for the SmartNode to function later.
    ufw allow ssh/tcp
    ufw limit ssh/tcp
    ufw allow 9678/tcp
    ufw logging on
    ufw enable
  3. Check the status of the firewall with
    ufw status
  4. Reboot the VPS
    reboot

Section 3: Set up ssh on the local Mac and send keys to the VPS server

  1. Let us create the ssh key on the local Mac
    (!) WARNING: if you are setting up multiple smartnodes and already performed this step for your 1st smartnode, you can skip it. Do not overwrite your .ssh/id_rsa. (!)
    ssh-keygen -t rsa -b 2048
    It will offer to save the file in the default location:
    /Users/yourname/.ssh
    Press Enter to Accept Defaults.
    Create a Passphrase.
    Enter the Passphrase Again.
    Remember this Passphrase as you will need it to log in to all your ssh hosts going forward.
  2. Secure copy the public key to the VPS server
    First make a directory for the .ssh keys on the VPS server.
    ssh smartadmin@VPS-IP 'mkdir ~/.ssh'
  3. Now copy the public key over from the Mac to the VPS
    scp ~/.ssh/id_rsa.pub smartadmin@VPS-IP:~/.ssh/authorized_keys
    Now set the correct permissions on authorized_keys
    ssh smartadmin@VPS-IP 'chmod 600 ~/.ssh/authorized_keys'
  4. Now to disable root access for ssh
    ssh into your VPS
    ssh root@VPS-IP
    Edit the sshd config file
    pico /etc/ssh/sshd_config
    Scroll down the file until you see PermitRootLogin yes and change it to no

    Scroll down to PasswordAuthentication and make sure the line has no # character in front of it and says no (check screenshot)

    Now press CTRL + x to close.
    “Save modified buffer?” will appear at the bottom.
    Press Y to save.
    Hit Enter to confirm the filename to save as.
    Now it is time to reload the ssh service so the changes become active.
    systemctl reload sshd

    reboot
  5. Validate that root doesn’t have access and log in with the smartadmin user
    ssh root@VPS-IP
    You should get Permission denied (publickey).

Note: when it asks you to Enter passphrase for key, this is not the root password or the smartadmin password; it is the passphrase you chose when you created the ssh key.

Now log in with smartadmin
ssh smartadmin@VPS-IP

Important note

To issue commands like smartcash-cli getinfo you need to inherit root’s environment, so you would type
sudo -i smartcash-cli getinfo
For any command you want to run as root, type sudo -i <command>

This completes the guide to make your SmartNode more secure.
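
The sshd_config edit in Section 3, step 4 is easy to get wrong by leaving the # in front of a directive. The script below is an added example, not part of the original guide: it reports the global value sshd would use for the two settings. The function names and sample files are constructed for illustration, and it assumes whitespace-separated "Keyword value" lines as in the stock file.

```shell
#!/bin/sh
# Added example (not from the original guide): audit sshd_config for the two
# settings changed in Section 3, step 4.

# Print the effective global value of keyword $2 in file $1. sshd keeps the
# first value it reads for a keyword, treats lines starting with '#' as
# comments, and matches keywords case-insensitively. Parsing stops at the
# first Match block, whose settings apply only conditionally.
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Return 0 only when both settings are explicitly "no".
check_hardening() {
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_effective "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "OK    $key no"
        else
            echo "FAIL  $key ${val:-not set}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files, not taken from a real server.
make_samples() {
    # Directive edited, but the leading '#' was left in place.
    printf '%s\n' 'PermitRootLogin no' '#PasswordAuthentication no' > "$1/commented"
    # Both set to no; the later duplicate is ignored because the first value wins.
    printf '%s\n' 'permitrootlogin no' 'PasswordAuthentication no' \
        'PasswordAuthentication yes' > "$1/hardened"
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_hardening "$tmp/commented" || echo "=> not hardened yet"
check_hardening "$tmp/hardened" && echo "=> hardened"
rm -rf "$tmp"
```

On the VPS, run check_hardening /etc/ssh/sshd_config from the root session that is still open before you reload the service. sshd -T, run as root, prints the configuration sshd actually resolves.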

