Basic Hardening and Security for your Pool

[Image: security.jpg]

 

This guide is meant to be a part of the Novice’s Guide to Setting up a Crypto-Currency Mining Pool, and uses things already set up in that guide. Please refer to that guide first.

We are going to go over some basic things to harden your server and secure it. This will help prevent some common exploits as well as provide some basic DOS protection. You have to go way more in depth if you are aiming for a professional setup, especially when it comes to securing your webserver. This is a completely optional guide, but I highly suggest it.

Make sure you are logged into ssh (putty) as root before starting this guide.

Config Server Firewall (CSF) Setup

We will be installing the CSF module with webmin, which gives you an easy to use GUI to manage your firewall settings.

cd
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

You should get an “Installation Completed” message.

Now, let’s go back to webmin https://yourserverip:10000/

In Webmin, follow this route: Webmin > Webmin Configuration > Webmin Modules

You should be at a page that looks like this:
[Image: XHKufIH.png]

Select “From Local File” and browse to /etc/csf/csfwebmin.tgz
Should look like this:
[Image: uBxzsvw.png]

Now, go ahead and click “Install Module”

CSF should now be successfully installed. In webmin, go to System > ConfigServer Security & Firewall
You might get an error about symlinks or something else related, just hit ok and it’ll fix it.

Let’s allow your IP, so you don’t accidentally get locked out of your server. In the CSF GUI, just scroll down to “Quick Allow”, put your IP in the green box, and then click “Quick Allow”. You can find your IP by googling “what is my ip”. Sometimes CSF auto-detects the IP you set it up from in the first place, so you might get an error that your IP is already allowed. That is fine, everything is ok.

-Now let’s disable test mode and set up some rules. In the CSF GUI go ahead and click “Firewall Configuration”.
-Go ahead and set “TESTING =” to 0
-Scroll down a bit and set “RESTRICT_SYSLOG=” to 3
-Scroll down more to “TCP_IN” and “TCP_OUT” and add a comma after 995 and add 3333,2020,9333,9418 on both IN and OUT. Should look like this:
[Image: HSa5x9n.png]

-Scroll down more and set “SYSLOG_CHECK=” to 300
-Scroll down more and set “SYNFLOOD =” to 1
-Scroll down more and set “UDPFLOOD=” to 1
-Scroll to the bottom and click “Change”
-Now go ahead and click “restart csf+lfd”
-Everything should be good, go ahead and click “Return” at the bottom.

Here is an example of another setting you can mess with in CSF:
You can set up PORTFLOOD, which is especially useful if your stratum is getting attacked.
An example value in there would be:

Quote:

3333;tcp;5;250

This would block the IP address if more than 5 connections are established on port 3333 (the default stratum port) within 250 seconds.

There are a lot of guides online on configuring CSF for more protection; I’d suggest getting on google after this guide is over and looking over more stuff. What I just showed you how to set up is some really, really basic DOS protection. If you were to have any sort of public users on your pool you would want to configure CSF more.

Secure MySQL

Let’s disable LOAD DATA LOCAL and make it so only local connections can access the MySQL Server.

nano /etc/mysql/my.cnf

Use the down arrow on your keyboard to scroll down to [mysqld]. At the end of the [mysqld] section, between the # symbols, add:

Quote:

local-infile=0
bind-address = 127.0.0.1

If you are confused, this is what it should look like:
[Image: 9l0pB80.png]

Ctrl+O to Save and Ctrl+X to exit nano.

Let’s restart MySQL to apply the changes.

service mysql restart
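Both settings only take effect if they sit under [mysqld]; pasted under another section, the server silently ignores them. The check below is an added example, not part of the original guide: `mysqld_opt` and `audit_mycnf` are names made up for it, and the sample file is constructed.

```sh
#!/bin/sh
# Added example (not from the original guide); helper names are hypothetical.
# Limitation: !include / !includedir lines are not followed.

mysqld_opt() {  # usage: mysqld_opt FILE OPTION -> effective value under [mysqld]
    awk -v want="$2" '
        BEGIN { gsub(/-/, "_", want) }            # MySQL treats - and _ alike
        /^[ \t]*([#;]|$)/ { next }                # comments and blank lines
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        insec {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            sub(/[ \t]+#.*$/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val          # last occurrence wins
        }
        END { print found }' "$1"
}

audit_mycnf() {  # usage: audit_mycnf FILE; non-zero if either setting is off
    rc=0
    li=$(mysqld_opt "$1" local-infile)
    ba=$(mysqld_opt "$1" bind-address)
    case "$li" in
        0|OFF|off) ;;
        *) echo "local-infile under [mysqld] is '${li:-unset}', expected 0"; rc=1 ;;
    esac
    [ "$ba" = "127.0.0.1" ] ||
        { echo "bind-address under [mysqld] is '${ba:-unset}', expected 127.0.0.1"; rc=1; }
    return $rc
}

# Constructed sample: local-infile was pasted under [mysqldump], so mysqld never reads it.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
[mysqld]
bind-address = 127.0.0.1
[mysqldump]
local-infile=0
EOF
audit_mycnf "$tmp" || echo "move the setting into the [mysqld] section"
rm -f "$tmp"
```

On the server you would call it as `audit_mycnf /etc/mysql/my.cnf`.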

 

Set Static IP

By default most VPSes come configured with DHCP; in layman’s terms, it’s essentially detecting the IP/subnet automatically. This can pose a lot of security risks, so let’s set a static IP.

NOTE: If you don’t follow these instructions carefully you will disable your VPS (it won’t have internet access). Either make a quick snapshot/backup with your VPS provider right before you do this or skip this step. I have not geared these static IP instructions toward a dedicated server at all; if you have a dedicated server and don’t have a static IP set already, I’d suggest you contact your provider instead of following this.

First thing you need to do is grab your assigned IP, Netmask, and Gateway from your host. It should be in your VPS welcome email, control panel, or you might have to ask your host for all of this information. In a Vultr VPS which I am using for this guide, you simply click on the IPv4 tab and then click on “networking configuration tips and examples” and a page should show up that gives you the details for multiple operating systems. You want the Debian/Ubuntu specific info like this:
[Image: F9GijaU.png]

Now you need to edit interfaces with this info.

nano /etc/network/interfaces

Delete everything below “# The primary network interfaces”

Grab your network info from before, and paste it below “# The primary network interfaces”

Quote:

auto eth0
iface eth0 inet static
address 108.61.205.159
netmask 255.255.254.0
gateway 108.61.204.1
dns-nameservers 108.61.10.10
post-up ip route add 169.254.0.0/16 dev eth0

****That is the network info from MY VPS I used for this pool guide, please change it all!!!

It should look like this when you are done:
[Image: evXfE9g.png]

Now hit Ctrl+O to save and Ctrl+X to exit the nano editor.

Time to restart eth0 so the changes can be applied:

ifconfig eth0 down && ifconfig eth0 up

Note that running that command will kick you off shell, and you’ll have to fire putty up again and connect to your server.

Your server should have a static IP now. If you have an issue and have tried restarting several times through your provider’s control panel, then I suggest you revert to your snapshot/backup.
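A mistyped netmask or gateway is the usual way this step takes a VPS offline, so it is worth checking the stanza before restarting eth0. The check below is an added example, not part of the original guide: `ip2int`, `stanza_field` and `check_static` are names made up for it, and the sample is the guide's stanza with a deliberately wrong netmask.

```sh
#!/bin/sh
# Added example (not from the original guide); helper names are hypothetical.

ip2int() {  # dotted quad -> integer; fails on malformed input
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

stanza_field() {  # usage: stanza_field FILE IFACE KEY (static stanzas only)
    awk -v ifc="$2" -v key="$3" '
        $1 == "iface" { insec = ($2 == ifc && $4 == "static"); next }
        insec && $1 == key { print $2; exit }' "$1"
}

check_static() {  # usage: check_static FILE IFACE; non-zero if the stanza is unsafe
    addr=$(stanza_field "$1" "$2" address)
    mask=$(stanza_field "$1" "$2" netmask)
    gw=$(stanza_field "$1" "$2" gateway)
    a=$(ip2int "$addr") && m=$(ip2int "$mask") && g=$(ip2int "$gw") ||
        { echo "address, netmask or gateway missing or malformed"; return 2; }
    inv=$(( ~m & 0xFFFFFFFF ))                    # host bits of the mask
    [ $(( inv & (inv + 1) )) -eq 0 ] || { echo "netmask $mask is not contiguous"; return 1; }
    [ $(( a & m )) -eq $(( g & m )) ] ||
        { echo "gateway $gw is not on the same subnet as $addr/$mask"; return 1; }
    echo "ok: $addr and gateway $gw share a subnet"
}

# Constructed sample: the guide's stanza with the netmask mistyped as 255.255.255.0.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
auto eth0
iface eth0 inet static
address 108.61.205.159
netmask 255.255.255.0
gateway 108.61.204.1
EOF
check_static "$tmp" eth0 || echo "do not restart eth0 until this is fixed"
rm -f "$tmp"
```

On the server you would call it as `check_static /etc/network/interfaces eth0`.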

Shell (SSH) Hardening

There are a lot of bots that are designed to attack port 22, the default SSH port. Let’s fix this. Also, we will disable DNS access (they can’t use a domain to connect to shell, only the IP).

First off, select a new port you want SSH to be on. I already had you open port 2020 in CSF in the beginning of this guide so you can go with that. You might want to change it to a different port though since 2020 may be targeted on mining pools after malicious users read this guide.

Alright, let’s edit sshd and change the port/deny dns access.

nano /etc/ssh/sshd_config

You will see “Port” several lines down from the top, change it to 2020 instead of 22. Should look like this:
[Image: ePlq2Gu.png]

Now use the down arrow on your keyboard and go all the way to the bottom.

Add this line to the bottom below everything.

Quote:

UseDNS no

Should look like this:
[Image: T99pjhv.png]

Now hit Ctrl+O to save and Ctrl+X to exit the nano editor.

I suggest a reboot, you just did a lot and Ubuntu probably needs a reboot. All you have to type in shell is simply:

reboot

If your server does not come back up for some reason, try accessing through webmin and disabling CSF. If that does not work, then revert back to your snapshots/backups (which you should take after every step anyway!). Also, remember you just changed the SSH Port to 2020 so you have to change that in your ssh terminal (putty) before you try to connect.
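The lockout described above usually comes from the new SSH port not being listed in CSF's TCP_IN, which can be checked before the reboot. The script below is an added example, not part of the original guide: the function names are made up for it, the sample files are constructed, and it assumes csf.conf keeps its usual `KEY = "value"` layout.

```sh
#!/bin/sh
# Added example (not from the original guide); helper names are hypothetical.

sshd_ports() {  # every Port directive; sshd falls back to 22 when none is set
    p=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${p:-22}"
}

csf_val() {  # usage: csf_val CSF_CONF KEY -> the value between the quotes
    awk -F'"' -v k="$2" '$1 ~ ("^[ \t]*" k "[ \t]*=") { print $2; exit }' "$1"
}

port_in_list() {  # usage: port_in_list PORT "20,21,30000:35000"
    echo "$2" | awk -F, -v port="$1" '{
        for (i = 1; i <= NF; i++) {
            k = split($i, r, ":")               # csf writes ranges as lo:hi
            lo = r[1] + 0; hi = (k == 2 ? r[2] : r[1]) + 0
            if (port + 0 >= lo && port + 0 <= hi) ok = 1
        }
    } END { exit !ok }'
}

preflight() {  # usage: preflight SSHD_CONFIG CSF_CONF; non-zero on any finding
    rc=0
    [ "$(csf_val "$2" TESTING)" = "0" ] ||
        { echo "warn: csf is still in test mode (TESTING is not 0)"; rc=1; }
    allowed=$(csf_val "$2" TCP_IN)
    for port in $(sshd_ports "$1"); do
        if port_in_list "$port" "$allowed"; then
            echo "ok: sshd port $port is open in TCP_IN"
        else
            echo "LOCKOUT RISK: sshd port $port is missing from TCP_IN"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: Port changed to 2020, but 2020 was never added to TCP_IN.
tmp=$(mktemp -d)
printf 'Port 2020\nUseDNS no\n' > "$tmp/sshd_config"
printf 'TESTING = "0"\nTCP_IN = "20,21,22,25,53,80,995,3333,9333,9418"\n' > "$tmp/csf.conf"
preflight "$tmp/sshd_config" "$tmp/csf.conf" || echo "fix the findings above before rebooting"
rm -rf "$tmp"
```

On the server you would call it as `preflight /etc/ssh/sshd_config /etc/csf/csf.conf`; running `sshd -t` as well catches syntax errors in sshd_config.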

You have now done some basic hardening/security. If you were going to launch a public pool, I would highly suggest you get on google and look up how to secure/harden your server more. Especially your webserver.

Zach A.

Mining Pool Operator & Mining Enthusiast.

2 Comments

  1. Jesus   •  

    Hi – the images seem to have broken

  2. tutanchamon   •  

    Hello, can you recommend some good article for pool hardening?
