πΎInstallation
Linux software installation guide, starting with a new machine through to the point of installing the validator clients.
πΎ Installing Linux
To avoid duplication these details can be found on the EthStaker Knowledge Base.
π§ System Configuration
Add useful Bash
aliases.
echo "alias lsl='ls -l'" >> ~/.bashrc
echo "alias lsla='ls -la'" >> ~/.bashrc
echo "alias clc='clear'" >> ~/.bashrc
echo "alias myip='echo Response from https://ipinfo.io/ip:; curl https://ipinfo.io/ip; echo'" >> ~/.bashrc
echo "alias ports='sudo lsof -i -P -n | grep LISTEN'" >> ~/.bashrc
echo "alias update-system='sudo apt-get update -y; sudo apt-get dist-upgrade -y'" >> ~/.bashrc
echo "alias update-firmware='fwupdmgr refresh; fwupdmgr get-updates; fwupdmgr update'" >> ~/.bashrc
echo "alias update-kernel='sudo apt-get install -y linux-image-generic-hwe-22.04'" >> ~/.bashrc
echo "alias daemon-reload='sudo systemctl daemon-reload'" >> ~/.bashrc
source ~/.bashrc
Update system packages.
update-system
Update kernel to the latest version for 22.04.
update-kernel
Install useful packages.
sudo apt-get install -y \
git \
build-essential \
software-properties-common \
pkg-config \
cmake \
clang \
wget \
curl \
ccze \
vim \
jq \
net-tools \
unzip \
screen \
mosh \
ufw \
fwupd \
linux-tools-common \
linux-tools-generic \
tmux
sudo snap install btop
Update firmware.
update-firmware
Restart machine.
sudo shutdown -r now
Update the system again after restarting.
update-system
Set up btop
.
btop
Press
ESC
key to see menu and selectOPTIONS
.Change theme to TTY.
Change Theme Background to
False
.Change time interval to 1000ms.
Change the default editor to vim
.
sudo update-alternatives --config editor
Change vim
to be mouse interactive.
echo "set mouse=a" > ~/.vimrc
πͺ Change Default SSH Port
Useful when you have multiple machines running on the same IP address.
sudo vim /etc/ssh/sshd_config
Uncomment #Port 22
and change it to your modified ssh port.
Restart the sshd
service.
sudo systemctl restart sshd
π§ Firewall Configuration
Confirm UFW is disabled before blocking everything or you could be disconnected.
sudo ufw disable
sudo ufw status
Configure the firewall.
CUSTOM_SSH_PORT= # Default: 22
MOSH_STARTING_PORT= # Default: 60000
MOSH_ENDING_PORT= # Default: 61000
sudo ufw default deny incoming comment 'Deny all incoming traffic'
sudo ufw default allow outgoing comment 'Allow all outgoing traffic'
sudo ufw allow ${CUSTOM_SSH_PORT} comment 'Allow custom ssh in'
sudo ufw allow ${MOSH_STARTING_PORT}:${MOSH_ENDING_PORT}/udp comment 'Allow Mosh in'
Edit the UFW settings to disable IPV6. This isn't for any particular security reason, it just makes the UFW status easier to read when it prints out on screen.
sudo vim /etc/default/ufw
Change IPV6
to no
.
IPV6=no
Enable UFW.
# <USE --FORCE TO STOP THE PROMPT ASKING IF YOU WANT TO ENABLE>
sudo ufw --force enable
sudo ufw status verbose
π
noatime
By default, Linux will write a new file timestamp on every read. As you may imagine, this is no bueno for database applications like an Ethereum node.
You can increase the lifetime of your SSD - and incidentally get a small speed boost - by turning this "atime" feature off. [1]
sudo vim /etc/fstab
Find the entry for your /
filesystem.
# BEFORE
# /dev/disk/by-id/dm-uuid-LVM-u1...i3uPy21O / ext4 defaults 0 1
# AFTER
/dev/disk/by-id/dm-uuid-LVM-u1...i3uPy21 / ext4 defaults,noatime 0 1
Don't delete any parameters, just add ,noatime
. And make sure to add that to the 4th column, not anywhere else.
Save the file, and if the following command then runs without any errors, the configuration is correct.
sudo mount -o remount /
π Turn off swap
If you have a lot of RAM you can turn off swap completely. [2]
sudo swapoff -a
sudo vim /etc/fstab
Find the entry for your /
filesystem.
# BEFORE
/swapfile swap swap defaults 0 0
# AFTER
#/swapfile swap swap defaults 0 0
ποΈ cpupower
Some CPUs have a power saving feature that reduces their speed when not in use. This doesn't work well for Ethereum nodes as the time between blocks can cause CPUs to slow down... only to need them to speed back up again when a block arrives.
cpupower
# <INSTALL THE VERSION IT THEN SUGGESTS>
sudo apt-get install -y <SUGGESTED_VERSION>
cpupower frequency-info
# <CHECK THAT THIS ROW EXISTS>
# available cpufreq governors: performance powersave
If the performance option exists, set that.
sudo cpupower frequency-set -g performance
Then create a service to set performance
after reboot as that setting doesn't persist on its own.
sudo vim /etc/systemd/system/cpupower.service
[Unit]
Description=Set CPU governor to performance
[Service]
Type=oneshot
ExecStart=/usr/bin/cpupower frequency-set -g performance
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable cpupower.service
sudo systemctl status cpupower.service
π Use all Available Disk Space
sudo lvdisplay # Check your logical volume size
sudo lvm # Attach the lvm console
lvextend -l +100%FREE /dev/ubuntu-vg/ubuntu-lv
lvextend -l +100%FREE -r /dev/ubuntu-vg/ubuntu-lv
exit
sudo resize2fs /dev/ubuntu-vg/ubuntu-lv
df -h # Check results
π«£ Hide Welcome Message on Login
Some of the messages are useful so I don't want to hide everything, but some are annoying.
Hide parts of the message by making the template non-executable
.
sudo chmod -x /etc/update-motd.d/10-help-text
sudo chmod -x /etc/update-motd.d/50-motd-news
β±οΈ Increases Service Shutdown Timer
I was concerned that the default time of 180 seconds wouldn't be long enough for all the services running to gracefully shutdown.
The shutdown time can be individually set on each service, but this is a catch-all.
sudo vim /etc/systemd/system.conf
Uncomment out the line #DefaultTimeoutStopSec=90s
and change it to 1200s
.
π Brute-Force SSH Protection
To protect your server from brute-force SSH connection attempts, you can install fail2ban
which will monitor incoming connections and block IP addresses that try to log in with faulty credentials repeatedly.
sudo apt-get install -y fail2ban
sudo vim /etc/fail2ban/jail.d/ssh.local
If you're using a non-standard SSH port that isn't 22
then you will need to change that in the cofig file below.
[sshd]
enabled = true
banaction = ufw
port = <SSH_PORT>
filter = sshd
logpath = %(sshd_log)s
maxretry = 5
You can change the maxretry
setting, which is the number of attempts it will allow before locking the offending address out.
Save the file and restart the service.
sudo systemctl restart fail2ban
π± SSH Security - 2FA
Install the Google Authenticator module on your node with this command:
sudo apt-get install -y libpam-google-authenticator
Now tell the PAM
(pluggable authentication modules) to use this module.
sudo vim /etc/pam.d/sshd
Find @include common-auth
(it should be at the top) and comment it out by adding a #
in front of it, so it looks like this:
# Standard Un*x authentication.
#@include common-auth
Next, add these lines to the top of the file:
# Enable Google Authenticator
auth required pam_google_authenticator.so
Then save and exit.
Now that PAM
knows to use Google Authenticator, the next step is to tell sshd
to use PAM
.
sudo vim /etc/ssh/sshd_config
Now change the line KbdInteractiveAuthentication no
to KbdInteractiveAuthentication yes
so it looks like this:
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication yes
(Older versions of SSH call this option ChallengeResponseAuthentication
instead of KbdInteractiveAuthentication
.)
Add the following line to the bottom of the file, which indicates to sshd
that it needs both an SSH key and the Google Authenticator code:
AuthenticationMethods publickey,keyboard-interactive
Every option added to AuthenticationMethods
will be required when you log in. So you can choose e.g. 2FA and password, or a combination of all three methods.
publickey
(SSH key)password
(password)keyboard-interactive
(2FA verification code)
Then save and exit.
Now that sshd
is set up, we need to create our 2FA codes. In your terminal, run:
google-authenticator
First, it will ask you about time-based tokens. Say y
to this question:
Do you want authentication tokens to be time-based: y
You will now see a big QR code on your screen; scan it with your Google Authenticator app to add it. You will also see your secret and a few backup codes looking like this:
Your new secret key is: IRG2TALMR5U2LK5VQ5AQIG3HA4
Your verification code is 282436
Your emergency scratch codes are:
29778030
86888537
50553659
41403052
82649596
Finally, it will ask you for some more parameters; the recommended defaults are as follows:
Do you want me to update your "/<username>/.google_authenticator" file: y
Do you want to disallow multiple uses of the same authentication token: y
By default... < long story about time skew > ... Do you want to do so: n
Do you want to enable rate-limiting: y
Once you're done, restart sshd
so it grabs the new settings:
sudo systemctl restart ssh
When you try to SSH into your server with your SSH keys, you should now also be asked for a 2FA verification code, but not for a password.
π³ Install Docker
# Update the package index
sudo apt-get update -y
# Install packages to allow apt to use a repository over HTTPS
sudo apt-get install -y \
apt-transport-https \
ca-certificates \
gnupg \
lsb-release
# Add Docker's official GPG key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
# Set up the stable repository
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Update the package index again
sudo apt-get update -y
# Install the latest version of Docker Engine and containerd
sudo apt-get install -y docker-ce docker-ce-cli containerd.io
# To use Docker without sudo, add your current user to the docker group
sudo usermod -aG docker $USER
Log out and log back in or restart your machine for the group membership to take effect. You should now be able to run Docker commands without sudo
.
π¦ Git Configuration
Edit the Git configuration.
vim ~/.gitconfig
Add this to the [alias]
section for a pretty view of commit tree for current branch.
[alias] tree = log --color --graph --pretty=format:'%Cred%h%Creset -%C(bold magenta)%d%Creset %s %C(cyan)(%cr)%C(bold blue) <%an> %Creset' --date=relative --abbrev-commit --all
[alias] tree-current = log --color --graph --pretty=format:'%Cred%h%Creset -%C(bold magenta)%d%Creset %s %C(cyan)(%cr)%C(bold blue) <%an> %Creset' --date=relative --abbrev-commit --all
Then run these commands in a directory using Git to see a pretty view of the commit tree.
git tree
git tree-current
π Systemd Journal Logs
The systemd services create logs that grow over time. It is possible to clear the logs to free up disk space on your server. The following steps will delete existing log data.
Be careful if you require this data for debugging purposes.
Check the amount of disk space the logs are using.
sudo journalctl --disk-usage
To clear the logs use the following command.
The
--flush
flag flushes the logs currently in memory onto the disk.The
--rotate
flag archives the existing logs so they canβt be written to anymore and starts new logs for each service.The
--vacuum-time
flag deletes log data that is older than28 days
.
sudo journalctl --flush --rotate
sudo journalctl --vacuum-time=28days
It is recommended to check the logs are in a good state after the vacuum operation.
Each log should have a status of PASS
.
sudo journalctl --verify
To have the system automatically keep log data to a specified max size complete the following additional steps.
Open the systemd journal service configuration file.
sudo vim /etc/systemd/journald.conf
Edit the file to set the maximum disk space that can be used by the journal in persistent storage.
Remove the #
from the line SystemMaxUse
and add a value in megabytes, say 10000M
.
Restart the journald
after updating the file.
sudo systemctl restart systemd-journald
Journal logs will now be limited to 1000MB in size.
Success! The staking machine is now ready to install the client software π₯³
Last updated