Step 2: Configuring Node

User creation, directory structure, SSH hardening, Fail2Ban, and Firewall.

Security is paramount for node operators. A compromised server can lead to loss of validator keys, slashing, or the node being used for malicious attacks.

In this step, we will create a dedicated service user, secure remote access, and configure the firewall.

1. Create the ethereum Service User

Running services as root is a security risk. We will create a dedicated user named ethereum to run our node software.

Bash

# Create the user with a home directory
sudo adduser --disabled-password --gecos "" ethereum

# (Optional) Add to sudo group if you plan to manage the server with this user
sudo usermod -aG sudo ethereum

2. Configure Directory Structure

We will organize the Execution and Consensus data within the ethereum user's home directory. This keeps permissions clean and backups simple.

💡 Note: While we use /home/ethereum for this guide, you can configure these paths to point to a separate mounted drive (e.g., /mnt/nvme/ethereum) if your storage is on a different partition.

Run the following to create the structure and set permissions:

Bash

# Create directories for EL, CL, and Authentication
sudo mkdir -p /home/ethereum/execution
sudo mkdir -p /home/ethereum/consensus
sudo mkdir -p /home/ethereum/jwt

# Set ownership to the ethereum user
sudo chown -R ethereum:ethereum /home/ethereum
sudo chmod 700 /home/ethereum

3. Generate JWT Secret

The Execution Client (EL) and Consensus Client (CL) communicate over the Engine API, an authenticated endpoint (port 8551 by default). Both clients must be given the same shared secret token to talk to each other.

Bash

# Generate the secret
openssl rand -hex 32 | sudo tee /home/ethereum/jwt/jwt.hex

# Secure the file (read/write for the owner only; no access for group or others)
sudo chmod 600 /home/ethereum/jwt/jwt.hex
sudo chown ethereum:ethereum /home/ethereum/jwt/jwt.hex

4. System Hardening (SSH)

We will now secure remote access by enforcing Key-Based Authentication and disabling password logins.

⚠️ Critical Warning: Ensure you have added your SSH Public Key (id_rsa.pub) to the server before running these commands, or you will lock yourself out.

A. Add your SSH Key (If not already done)

From your local machine:

Bash

ssh-copy-id ethereum@<your-server-ip>

B. Modify SSH Configuration

Edit the SSH daemon config file:

Bash

sudo nano /etc/ssh/sshd_config

Find and modify the following lines to match these settings:

Ini, TOML

# Disable Root Login
PermitRootLogin no

# Disable Password Authentication (Force Key-Pair)
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

# (Optional) Change Default Port to reduce log spam
# Port 22000

C. Restart SSH Service

Apply the changes. Do not close your current terminal until you have verified you can log in via a new terminal window.

Bash

sudo systemctl restart ssh

5. Firewall Configuration (UFW)

We strictly whitelist only the ports required for the node to function.

Bash

# 1. Deny all incoming traffic by default
sudo ufw default deny incoming
sudo ufw default allow outgoing

# 2. Allow SSH (Port 22, or your custom port from step 4)
sudo ufw allow 22/tcp

# 3. Execution Layer P2P (Listening for peers)
sudo ufw allow 30303/tcp
sudo ufw allow 30303/udp

# 4. Consensus Layer P2P (Listening for peers)
sudo ufw allow 9000/tcp
sudo ufw allow 9000/udp

# 5. Enable the firewall
sudo ufw enable

🛡️ Security Check: Note that we did NOT open ports 8545 (HTTP JSON-RPC) or 8551 (Engine API). These ports grant administrative control over your node and should never be exposed to the public internet without a reverse proxy (Nginx) and authentication.
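As an added verification step (an example script written for this page, not part of the original guide), the following functions check that the host ends up in the state Steps 1 through 5 describe: the effective sshd settings from `sudo sshd -T`, the JWT file's mode, owner and 64-hex content, and a `sudo ufw status` listing that allows the P2P ports without exposing 8545 or 8551. The paths and ports are the guide's; the `sshd -T` and `ufw status` output formats and GNU `stat -c` are assumed (standard on Ubuntu).

```shell
#!/usr/bin/env bash
# Verification helper added for this page (not from the original guide).
# Each function returns 0 when the check passes and prints the failure otherwise.

# Check the effective sshd configuration (output of `sudo sshd -T`, passed as $1).
# sshd -T prints lowercase keys, e.g. "permitrootlogin no".
check_sshd_settings() {
  cfg="$1"; ok=0
  for kv in "permitrootlogin no" "passwordauthentication no" "usepam no"; do
    if ! printf '%s\n' "$cfg" | grep -qix "$kv"; then
      echo "sshd: expected '$kv'" >&2; ok=1
    fi
  done
  return $ok
}

# Check the JWT secret file ($1): mode 600, owned by $2, exactly 32 bytes as hex.
check_jwt_file() {
  file="$1"; owner="$2"
  mode=$(stat -c '%a' "$file") || return 1
  actual_owner=$(stat -c '%U' "$file") || return 1
  [ "$mode" = "600" ] || { echo "jwt: mode is $mode, expected 600" >&2; return 1; }
  [ "$actual_owner" = "$owner" ] || { echo "jwt: owner is $actual_owner, expected $owner" >&2; return 1; }
  tr -d '\n' < "$file" | grep -Eq '^[0-9a-fA-F]{64}$' \
    || { echo "jwt: content is not 64 hex characters" >&2; return 1; }
}

# Check a `sudo ufw status` listing ($1): P2P ports allowed, admin ports not allowed.
# Rule lines look like "30303/tcp                  ALLOW       Anywhere".
check_ufw_rules() {
  status="$1"; ok=0
  for port in 30303/tcp 30303/udp 9000/tcp 9000/udp; do
    printf '%s\n' "$status" | grep -Eq "^$port[[:space:]]+ALLOW" \
      || { echo "ufw: $port is not allowed" >&2; ok=1; }
  done
  for port in 8545 8551; do
    if printf '%s\n' "$status" | grep -Eq "^$port(/tcp)?[[:space:]]+ALLOW"; then
      echo "ufw: admin port $port is exposed" >&2; ok=1
    fi
  done
  return $ok
}

# On the live host, run all three checks:
#   check_sshd_settings "$(sudo sshd -T)" \
#     && check_jwt_file /home/ethereum/jwt/jwt.hex ethereum \
#     && check_ufw_rules "$(sudo ufw status)" && echo "Step 2 checks passed"
```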


✅ Checklist: Ready for Client Installation?

  • [ ] User ethereum created.
  • [ ] Directories created in /home/ethereum.
  • [ ] jwt.hex generated.
  • [ ] SSH is secured (Keys only).
  • [ ] Firewall is active.
