Skip to main content
ALL CHAINS

Security Hardening

RPC Access Control

Default security (auto-generated by node.sh):

  • Random 32-character username and password
  • IP whitelist defaults to ["127.0.0.1"]

Restrict RPC access:

{
  "Configuration": {
    "RpcConfiguration": {
      "User": "RANDOM_USER",
      "Pass": "RANDOM_PASS",
      "WhiteIPList": ["127.0.0.1"]
    }
  }
}
danger

Never add 0.0.0.0 to the whitelist. If you need external RPC access, use a reverse proxy with authentication and rate limiting.

For ESC/EID RPC, bind to localhost when not serving external traffic:

# Instead of --rpcaddr '0.0.0.0', use:
--rpcaddr '127.0.0.1'

Keystore Management

Keystore creation: Generated during ela init using ela-cli wallet create. The private key is P-256 (secp256r1), encrypted with AES using the keystore password.

Password policy: The gen_pass function enforces 16+ characters with mixed case, digits, and special characters. If auto-generated, uses openssl rand -base64 100.

Storage security:

# Verify credential file permissions
ls -la ~/.config/elastos/
# All files should be -rw------- (600)

# Fix if needed
chmod 600 ~/.config/elastos/*
chmod 700 ~/.config/elastos/

# Verify keystore permissions
ls -la ~/node/ela/keystore.dat
chmod 600 ~/node/ela/keystore.dat
danger

Never store keystore passwords in:

  • Environment variables (visible in /proc)
  • Command-line arguments (visible in ps)
  • Git repositories
  • Shared filesystems

Firewall Best Practices

# Default deny all incoming
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (change to your SSH port)
sudo ufw allow 22/tcp comment "SSH"

# Allow only P2P and consensus ports publicly
sudo ufw allow 20338/tcp comment "ELA P2P"
sudo ufw allow 20339/tcp comment "ELA BPoS"
sudo ufw allow 20638/tcp comment "ESC P2P"
sudo ufw allow 20648/tcp comment "EID P2P"

# RPC ports — allow only from specific management IPs
sudo ufw allow from 10.0.0.0/8 to any port 20336 proto tcp comment "ELA RPC - internal"
sudo ufw allow from 10.0.0.0/8 to any port 20636 proto tcp comment "ESC RPC - internal"

# Enable firewall
sudo ufw enable

# Verify
sudo ufw status verbose

Process Isolation

Run Elastos services under a dedicated non-root user:

# Create service user
sudo adduser --disabled-password --gecos "Elastos Node" elastos
sudo su - elastos

# All node files should be owned by this user
chown -R elastos:elastos ~/node
chown -R elastos:elastos ~/.config/elastos

For stronger isolation, consider using a systemd service with security restrictions:

# /etc/systemd/system/elastos-ela.service
[Unit]
Description=Elastos ELA Main Chain
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=elastos
Group=elastos
WorkingDirectory=/home/elastos/node/ela
ExecStart=/home/elastos/node/ela/ela
ExecStop=/bin/kill -TERM $MAINPID
Restart=always
RestartSec=30
LimitNOFILE=40960

# Security hardening
ProtectSystem=strict
ReadWritePaths=/home/elastos/node /home/elastos/.config/elastos
ProtectHome=read-only
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
info

If using systemd services, you bypass node.sh for process management. This is a trade-off: you gain process isolation and automatic restarts but lose the convenience of node.sh commands for start/stop. You can still use node.sh for status, update, and management operations.

SSH Hardening

Since this is a server holding cryptocurrency funds:

# Use key-based authentication only
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config

# Disable root login
sudo sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config

# Change default SSH port
sudo sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config

# Restart SSH
sudo systemctl restart sshd

# Install fail2ban
sudo apt-get install -y fail2ban
sudo systemctl enable fail2ban

Audit Logging

Track access to sensitive files:

# Install auditd
sudo apt-get install -y auditd

# Monitor keystore access
sudo auditctl -w /home/elastos/node/ela/keystore.dat -p rwa -k elastos-keystore
sudo auditctl -w /home/elastos/.config/elastos/ -p rwa -k elastos-credentials

# Monitor config changes
sudo auditctl -w /home/elastos/node/ela/config.json -p wa -k elastos-config

# View audit logs
sudo ausearch -k elastos-keystore

Make rules persistent in /etc/audit/rules.d/elastos.rules:

-w /home/elastos/node/ela/keystore.dat -p rwa -k elastos-keystore
-w /home/elastos/.config/elastos/ -p rwa -k elastos-credentials
-w /home/elastos/node/ela/config.json -p wa -k elastos-config