security-maintenance.md

Guide on how to do security and maintenance for an Ethereum validator's machine

Your staking machine is unsafe like many others, but we can help it. Just like with many things in life, you are consistently being exposed to risks you might not even know about. You can spend a very large amount of time, efforts and money and still be exposed to many risks. The rabbit hole goes deep. This guide is a first plunge into the world of security and maintenance to give you a foundation for your own Ethereum validator's machine.

The following suggestions are general tips that can apply to many different environments and use cases. Security can be subjective. What feels safe or safer for someone can be quite different from someone else. As you start looking at these risks from different angles, you may find alternative solutions that have their own pros and cons.

This is not an exhaustive list of all the security practices someone who runs a validator or who handles cryptocurrencies should use. We have a reference section with additional security practices you should be looking at as well.

Using a good operating system

Risks

• Using an operating system that is hard to secure or hard to maintain.
• Using an operating system that has poor default configuration values.
• Using an operating system that has weak support or that has a weak community.
• Using an operating system that exposes you to unnecessary risks.

If you do not know which operating system (OS) to use for your staking machine, use Ubuntu 22.04 Desktop. If you are familiar with the command line interface (CLI) and manually typing commands in a terminal, I suggest you use Ubuntu 22.04 Server. Ubuntu 22.04 is a long term support (LTS) release. It will be supported until 2032 which gives you a peace of mind.

While you can use MacOS or Windows to run your staking machine, I would recommend against it. They will expose you to additional risks and they are harder to manage in terms of security and general maintenance.

There are various other good Linux distributions that can work, but the rest of this guide will assume you are using Ubuntu 22.04. If you know what you are doing and you are familiar with Linux, you should still be able to follow even if you used another modern Linux distribution.

Installing a modern Linux operating system on your own machine is often as simple as:

1. Downloading the OS image.
2. Copying the OS image on a USB drive and making it bootable. Rufus or Etcher are two good tools to accomplish this.
3. Plugging in that USB drive, rebooting your machine and booting your machine from that USB drive. That last part can be somewhat tricky depending on your boot sequence and your motherboard. On many modern PC, you can press and hold the F2 key on your keyboard after a reboot to enter your BIOS. From there, you can select on which device or drive to boot from or you can change the boot sequence order. On Mac, you can press and hold the Option (⌥) key immediately upon hearing the startup chime to enter the Startup Manager and select which device or drive to boot from. In case of doubts, refer to your machine manual, your motherboard manual or get in touch with the ETHStaker community.

Using a dedicated machine

Risks

• Exposing your machine to unrelated daily usage risks.
• Starving your staking machine resources.
• Unexpected or inopportune machine reboots.

Securing your remote access

Risks

• Unauthorized or unintended remote access to your machine.

If you are using SSH to remotely access your machine, you should configure your server to authenticate with keys and disable password authentication.

Securing your network with a firewall

Risks

• Unauthorized or unintended remote access to your machine.

Securing the machine you use to remote connect with

Risks

• Unauthorized or unintended remote access to your machine.

Performing your system updates regularly

Performing your application updates regularly

Using a live patching service

Risks

• Using a kernel that has vulnerabilities between updates or reboots.
• Missing important staking rewards during reboots.

Ubuntu and Canonical offers a live patching service called Livepatch which is free for up to 3 machines.

Limiting the installed applications and running processes

Limiting the users who can access your machine

Using disk encryption

Risks

• Physical data theft
• Unintended slashing

Good security and maintenance references

• Protecting Yourself and Your Funds by Jennicide and MyCrypto.
• Security Best Practices for a ETH staking validator node by CoinCashew.
• Ethereum 2.0 Node Security Discussion by CryptoManufaktur.
• MyCrypto’s Security Guide For Dummies And Smart People Too by MyCrypto.
• Guide: Crypto Wallet Tips 101 - Do's and Don'ts by CoinCashew.

Support

If you have any question or if you need additional support, make sure to get in touch with the ETHStaker community on:

• Discord: discord.io/ethstaker
• Reddit: reddit.com/r/ethstaker