
Cronos POS Chain Mainnet Validator Security Checklist

Part 1 - Conduct Survey on General Controls of Hosting Data Centre

Description: Perform a survey of the hosting data centre, and compare your result with the best practices suggested below.

For example, your hosting data centre should have the following features:

| Controls Category | Description of Best Practice |
| --- | --- |
| Data Center | Redundant Power |
| Data Center | Redundant Cooling |
| Data Center | Redundant Networking |
| Data Center | Physical Cage/Gated Access |
| Data Center | Remote Alerting Security Camera |

Part 2 - Current Status of Node Setup

Description: Perform a survey of the current status of your node setup, and compare your result with the best practices suggested below.

| Controls Category | Description of Best Practice |
| --- | --- |
| General System Security | Operating system appropriately patched. Kernel is updated to the latest stable version. The node should be operated in an x86_64 environment. |
| General System Security | Auto-updates for the operating system are configured. A toolkit for automatic upgrades exists (e.g. auter, yum-cron, dnf-automatic, unattended-upgrades). |
| General System Security | Security framework enabled and enforcing. SELinux / AppArmor / Tomoyo / Grsecurity enabled. |
| General System Security | No insecure or unnecessary services installed (e.g. telnet, rsh, inetd, etc.). |
| General System Security | GRUB boot loader password is configured (GRUB2 configured with a password). |
| General System Security | Only root permissions on core system files. |
| Mainnet related File Directory Security | Secure the directory ~/.chain-maind so that it is accessible by the owner only. |
| Mainnet Binary Configuration | Recommended settings in config.toml for both performance and security. For sentry nodes: max_num_inbound_peers = 500, max_num_outbound_peers = 50, flush_throttle_timeout = "300ms". For the validator node: max_num_inbound_peers = 100, max_num_outbound_peers = 10, flush_throttle_timeout = "100ms". |
| Account Security & Remote Access | The following password policies are enforced: no blank passwords; weak passwords not allowed. |
| Account Security & Remote Access | The following SSH configurations are enabled: PermitRootLogin no; PasswordAuthentication no; ChallengeResponseAuthentication no; UsePAM yes; AllowUsers (necessary users only); AllowGroups (necessary groups only). |
| Networking | Network throughput test using speedtest. At least 5 Mbps upload and 5 Mbps download are recommended. |
| Networking | Host-based (e.g. iptables) or cloud-based (e.g. AWS Security Group) firewall is enabled to protect all the involved nodes. Remote management ports (e.g. SSH - TCP 22) should only be exposed to selected IPs instead of the internet. No overly permissive rules (e.g. a wide range of allowed ports such as 1-65535) should be set. Internal communication channels between nodes should be set with specific source and destination addresses. For internet-reachable nodes, set TCP 26656 to be the only incoming port, if possible. |
| Networking | Intrusion Detection / Prevention System (e.g. Fail2Ban, Snort, OSSEC) is installed and enforcing. |
| Networking | Set up a sentry node architecture to protect the validator node, and set firewall rules to restrict direct internet access to it. |
| Networking | The Remote Procedure Call (RPC) interface provides sensitive operations and information that are not supposed to be exposed to the Internet. By default, RPC is on and allows connections from 127.0.0.1 only. Please be extremely careful if you need to allow RPC from other IP addresses. |
| Redundancy | A hot standby node is set up with the same configuration as the main node. |
| Redundancy | System monitoring and alerting are set up to alert owners of anomalies. |
| Key Management | Set up Tendermint KMS with an HSM or equivalent online service, which should replace the static key file. |
| DDOS | Set up the validator in accordance with the sentry architecture. Kindly refer to the setup instruction and detailed description. |

Last updated 4 months ago
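Several of the Part 2 items can be checked mechanically rather than by eye: the SSH directives, the RPC listen address, the per-role config.toml peer settings and the permissions of ~/.chain-maind. The script below is an added example, not part of the Cronos documentation or of chain-maind itself. It audits a host layout against those four items and prints PASS/FAIL per check. The layout it expects (`<root>/sshd_config` and `<root>/.chain-maind/config/config.toml`), the helper names and the two sample configurations it writes into a temporary directory are all assumptions constructed for the demo; on a real host, point the checks at /etc/ssh/sshd_config and the node's actual home directory.

```shell
#!/bin/sh
# Added example (not from the Cronos POS docs or chain-maind): audit a host
# against four checklist items. Paths, helper names and the sample configs
# are assumptions constructed for this demo.

# Effective value of an sshd_config directive. sshd takes the first match
# and keywords are case-insensitive; comment lines are skipped.
sshd_value() {
  awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Value of key $3 inside TOML table [$2] ("" for top-level keys), with
# quotes and trailing comments stripped; handles the flat `key = value`
# lines used by Tendermint's config.toml.
toml_value() {
  awk -v sec="$2" -v key="$3" '
    /^[ \t]*\[/ { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/].*$/, "", cur); next }
    cur == sec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)
        sub(/#.*/, "", v); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# Item: PermitRootLogin no, PasswordAuthentication no,
# ChallengeResponseAuthentication no, UsePAM yes. An unset directive fails.
check_ssh() {
  ssh_rc=0
  for pair in PermitRootLogin:no PasswordAuthentication:no \
              ChallengeResponseAuthentication:no UsePAM:yes; do
    key=${pair%%:*}; want=${pair#*:}; got=$(sshd_value "$1" "$key")
    if [ "$got" = "$want" ]; then echo "PASS $key $got"
    else echo "FAIL $key '${got:-unset}' (want $want)"; ssh_rc=1; fi
  done
  return $ssh_rc
}

# Item: RPC must listen on 127.0.0.1 only.
check_rpc() {
  addr=$(toml_value "$1" rpc laddr)
  case "$addr" in
    tcp://127.0.0.1:*) echo "PASS rpc laddr $addr"; return 0 ;;
    *) echo "FAIL rpc laddr '$addr' is reachable beyond loopback"; return 1 ;;
  esac
}

# Item: recommended [p2p] settings for role $2 (sentry | validator).
check_peers() {
  case "$2" in
    sentry)    want_in=500; want_out=50; want_flush=300ms ;;
    validator) want_in=100; want_out=10; want_flush=100ms ;;
    *) echo "unknown role $2"; return 2 ;;
  esac
  got_in=$(toml_value "$1" p2p max_num_inbound_peers)
  got_out=$(toml_value "$1" p2p max_num_outbound_peers)
  got_flush=$(toml_value "$1" p2p flush_throttle_timeout)
  if [ "$got_in" = "$want_in" ] && [ "$got_out" = "$want_out" ] \
     && [ "$got_flush" = "$want_flush" ]; then
    echo "PASS p2p settings match the $2 profile"; return 0
  fi
  echo "FAIL p2p $got_in/$got_out/$got_flush (want $want_in/$want_out/$want_flush for $2)"
  return 1
}

# Item: ~/.chain-maind accessible by the owner only (group/other bits clear).
check_home() {
  bits=$(ls -ld "$1" | cut -c5-10)
  if [ "$bits" = "------" ]; then echo "PASS $1 is owner-only"; return 0; fi
  echo "FAIL $1 grants group/other access ($bits)"; return 1
}

# Run all checks on a host layout rooted at $1 for role $2.
audit_host() {
  host_rc=0
  check_ssh "$1/sshd_config"                            || host_rc=1
  check_rpc "$1/.chain-maind/config/config.toml"        || host_rc=1
  check_peers "$1/.chain-maind/config/config.toml" "$2" || host_rc=1
  check_home "$1/.chain-maind"                          || host_rc=1
  return $host_rc
}

# Constructed fixture: a hardened and a weak host layout under a temp dir.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/good/.chain-maind/config" "$d/weak/.chain-maind/config"
  chmod 700 "$d/good/.chain-maind"; chmod 755 "$d/weak/.chain-maind"
  printf '%s\n' '# hardened sample' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' 'UsePAM yes' 'AllowUsers ops' > "$d/good/sshd_config"
  printf '%s\n' 'PermitRootLogin yes' '# PasswordAuthentication no' 'UsePAM yes' > "$d/weak/sshd_config"
  printf '%s\n' 'moniker = "val-1"' '[rpc]' 'laddr = "tcp://127.0.0.1:26657"' '[p2p]' \
    'laddr = "tcp://0.0.0.0:26656"' 'max_num_inbound_peers = 100  # validator profile' \
    'max_num_outbound_peers = 10' 'flush_throttle_timeout = "100ms"' > "$d/good/.chain-maind/config/config.toml"
  printf '%s\n' '[rpc]' 'laddr = "tcp://0.0.0.0:26657"' '[p2p]' 'max_num_inbound_peers = 40' \
    'max_num_outbound_peers = 10' 'flush_throttle_timeout = "100ms"' > "$d/weak/.chain-maind/config/config.toml"
  echo "$d"
}

fixture=$(make_fixture)
echo "== hardened sample"; audit_host "$fixture/good" validator
echo "== weak sample";     audit_host "$fixture/weak" validator || echo "(weak sample fails, as expected)"
```

The weak sample fails on purpose: it leaves PasswordAuthentication commented out (sshd then falls back to its default), binds RPC to 0.0.0.0, keeps Tendermint's stock inbound peer limit and leaves the node directory world-readable. `check_peers` takes the role as an argument because the checklist recommends different limits for sentry and validator nodes, so the same script can be run on both classes of host.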