Cronos POS Chain Mainnet Validator Security Checklist
Part 1 - Conduct Survey on General Controls of Hosting Data Centre
Description: Perform a survey on the hosting data centre, and compare your result with the best practice suggested below
For example, your hosting data centre should have the following features
Controls Category | Description of Best Practice |
---|---|
Data Center | Redundant Power |
Data Center | Redundant Cooling |
Data Center | Redundant Networking |
Data Center | Physical Cage/Gated Access |
Data Center | Remote Alerting Security Camera |
Part 2 - Current Status of Node Setup
Description: Perform a survey on your current status of node setup, and compare your result with the best practice suggested below
Controls Category | Description of Best Practice |
---|---|
General System Security | Operating system appropriately patched. Kernel is updated to latest stable version. The node should be operated in x86_64 environment |
General System Security | Auto-updates for operation system is configured. Toolkit for automatic upgrades exists (e.g. auter, yum-cron, dnf-automatic, unattended-upgrades) |
General System Security | Security framework enabled and enforcing. SELinux / AppArmor / Tomoyo / Grsecurity Enabled. |
General System Security | No insecure and unnecessary services Installed. (e.g. telnet, rsh, inetd, etc ...) |
General System Security | GRUB boot loader password is configured. Grub2 configured with password |
General System Security | Only root permissions on core system files |
Mainnet related File Directory Security | Secure the directory |
Mainnet Binary Configuration | Recommed the following settings in config.toml for both performance and security - For sentry nodes: |
Account Security & Remote Access | Following Pasword policies are enforeced: No Blank Passwords; Weak Passwords Not Allowed |
Account Security & Remote Access | Following SSH configurations are enabled: PermitRootLogin: |
Networking | Network throughput test using speedtest. Recommend to have at least 5 Mbps upload, 5 Mbps download) |
Networking | Host-based (e.g. iptables) or cloud-based (e.g. AWS Security Group) firewall is enabled to protect all the involved nodes. Remote management ports (e.g. SSH - TCP 22) should only be exposed to selected IP instead of the internet. No overly permissive rules (e.g. wide range of allowed ports 1-65535) should be set. For internal communication channels between nodes, they should be set with specific source and destination addresses. For internet reachable nodes, set TCP 26656 to be the only incoming port, if possible. |
Networking | Intrusion Detection / Prevention System (e.g. Fail2Ban, Snort, OSSEC) is installed and enforcing |
Networking | Setup sentry node architecture to protect validator node, and set firewall rules to restrict direct internet access to it. |
Networking | The Remote Procedure Call (RPC) provides sensitive operations and information that is not supposed to be exposed to the Internet. By default, RPC is on and allow connection from 127.0.0.1 only. Please be extremely careful if you need to allow RPC from other IP addresses. |
Redundancy | Hot standby node is setup with the same configuration as main node |
Redundancy | System monitoring and alerting is setup to alert owners on anormalies |
Key Managment | Setup Tendermint KMS with HSM or equivalent online service, which should replace the static key file. |
DDOS | Setup validator in accordance with sentry architecture. Kindly refer to the setup instruction and detailed description. |
Last updated