main
nico 2 years ago
parent 0279074e00
commit eaa78c4c61
  1. 97
      README.md
  2. 184
      regular/Installation.md
  3. 23
      regular/config/config.toml
  4. 0
      regular/config/genesis.json
  5. 33
      regular/config/log-config.xml
  6. 163
      rpc/Installation.md
  7. 25
      rpc/config/config.toml
  8. 4
      rpc/config/genesis.json
  9. 33
      rpc/config/log-config.xml
  10. 2
      start_node.sh
  11. 255
      validator/Installation.md
  12. 23
      validator/config/config.toml
  13. 127
      validator/config/genesis.json
  14. 33
      validator/config/log-config.xml
  15. 455
      validator/server/setup.md

@ -1,86 +1,73 @@
# Node-Install
# KalyChain Setup for Nodes, Validators & RPC Services
Instructions for Exchanges and Developers on how to run a KalyChain node.
Developers please see Server Setup before proceding.
- Visit [What is KalyChain](https://kalychain.io/) page to know more about us.
# Install OpenJDK-17 Dependency
This page contains technical information needed to add a node on KalyChain
'sudo apt install openjdk-17-jre-headless -y'
## System requirements
# Download The Binary
**Operating System**: Ubuntu 20.04 LTS 64 bits
'wget https://github.com/KalyCoinProject/kalychain/releases/download/22.10.3/kaly-22.10.3.zip
sudo apt install unzip -y && unzip kaly-22.10.3.zip
sudo mv kaly-22.10.3 kaly && rm kaly-22.10.3.zip'
**Hardware**:
# Download The Genesis File
| Hardware | minimum | desired |
| :------------- | :------ | :------ |
| **CPU's**: | 2 | 4 |
| **Memory**: | 4 Gb | 8 Gb |
| **Hard Disk**: | 100 Gb | 1000 Gb |
Clone this repo
### TCP/UDP PORTS
'git clone https://git.cipherlabs.org/KalyChain/Node-Install'
You'll need to open the following ports in both ways to deploy a node:
Make a Data Directory
'mkdir node && mkdir node/data'
#### Validator Node
*Note
In this example the node/data directories are where the blockchain and genesis file will be stored. You can choose to store these files in other locations based on your setup. If you change the location of these files then you will need to update the paths when starting the node.
| Port | Type | To | Definition |
| :---: | :--: | :-----------: | :------------------------------------------- |
| 30303 | TCP | 0.0.0.0 | Ethereum client listener and discovery ports |
| 30303 | UDP | 0.0.0.0 | Ethereum client listener and discovery ports |
Copy the genesis file to the new node directory *do not use sudo, for testnet replace genesis.json with genesis_Testnet.json
'cp Node-Install/genesis/genesis.json node/genesis.json'
#### Regular/RPC Node
| Port | Type | To | Definition |
| :---: | :--: | :---------------------------------: | :------------------------------------------- |
| 30303 | TCP | 0.0.0.0 | Listener and discovery ports |
| 30303 | UDP | 0.0.0.0 | Listener and discovery ports |
| 8545 | TCP | 0.0.0.0 (this can be internal only) | RPC HTTP Port |
| 8546 | TCP | 0.0.0.0 (this can be internal only) | RPC WS Port |
# Start KalyChain Mainnet
This repo cantains a bash script that will
*Create a KalyChain systemd Service File
*Start the KalyChain systemd Service
*Enable KalyChain to start on system start
## Installation & configuration
After cloning this repo edit 'node/../kaly/bin/besu --data-path=data --genesis-file=./genesis.json' on line 17 of 'start_node.sh' if you have change the paths to the binary, data file or genesis locations.
### Server Setup
The make the file exicutable with
'chmod +x start_node.sh'
Start with server setup in the _server_ directory
Run this command to exicute the script and start the node.
'./start_node.sh'
- [Server Setup Guide](server/setup.md)
Verify the node is running with 'sudo systemctl status kaly.service'
### Regular node
If you do not wish to stup a systemd service for KalyChain use this command to start the node
Use the _regular_ directory
'../kaly/bin/besu --data-path=data --genesis-file=./genesis.json --bootnodes=enode://bd1782617ae151ba6da627a35a1babc0a40ae127a718cdc13322acb357411f095d56db6141c99d7f8b63b7ce896ffffbadea34a4471bca297c916a94e1d9b818@169.197.143.193:30303 enode://3ea0e690890c824cb39867c9da0e201764ecd2960c2609ecceb40b3e48d374424f791d32d87eaf7430249649b5c45673178454455b22b133458afc5ddf126c3a@169.197.143.209:30303 --p2p-port=30303 --rpc-http-enabled=true --rpc-http-api=ETH,NET,WEB3,TRACE,TXPOOL --rpc-ws-enabled=true --rpc-ws-api=ETH,NET,WEB3,TRACE,TXPOOL --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-ws-host=0.0.0.0 --revert-reason-enabled=true'
- [Regular node Installation Guide](regular/Configuration&Installation.md)
The above comand assumes you want to run an RPC node with WebSockets enabled. The available API options are: ADMIN, DEBUG, EEA, ETH, NET, QBFT, TRACE, TXPOOL, and WEB3. The default is: ETH, NET, WEB3.
### RPC node
Update '--rpc-http-enabled=true --rpc-http-api=ETH,NET,WEB3,TRACE,TXPOOL --rpc-ws-enabled=true --rpc-ws-api=ETH,NET,WEB3,TRACE,TXPOOL' to fit your use case, for example you can remove '--rpc-ws-enabled=true --rpc-ws-api=ETH,NET,WEB3,TRACE,TXPOOL' if you are not using WebSockets in your appliaction.
Use the _rpc_ directory
Validators and or nodes who do not wish to provide RPC services can run
- [RPC and WebSocket Guide](rpc/Configuration&Installation.md)
'../kaly/bin/besu --data-path=data --genesis-file=./genesis.json --bootnodes=enode://bd1782617ae151ba6da627a35a1babc0a40ae127a718cdc13322acb357411f095d56db6141c99d7f8b63b7ce896ffffbadea34a4471bca297c916a94e1d9b818@169.197.143.193:30303 enode://3ea0e690890c824cb39867c9da0e201764ecd2960c2609ecceb40b3e48d374424f791d32d87eaf7430249649b5c45673178454455b22b133458afc5ddf126c3a@169.197.143.209:30303 --p2p-port=30303 --rpc-http-enabled --rpc-http-api=ETH,NET,QBFT --host-allowlist="*" --rpc-http-cors-origins="all"'
### Validator node
Update '--host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-host=0.0.0.0 --rpc-ws-host=0.0.0.0' accourdingly for your setup.
Use the _validator_ directory
# Start KalyChain In Development or Testnet
- [Validator node Installation Guide](validator/Installation.md)
In development or testnet you can use Tmux
Install Tmux
sudo apt install tmux
## Important links
Creat Named Tmux Session
tmux new -s kaly_chain
Start the KalyChain Node
cd node
Use this command to start the KalyChain Testnet Node
'../kaly/bin/besu --data-path=data --genesis-file=./genesis.json --bootnodes=enode://4a8d940d8e2100b04923d0b0a3fb4fb7075e239185593e52d0df7f9549c555b433b3118ca60a4012cde841b451c8b10bb934dd6fdc98e612a18baf13dacbe922@38.91.102.7:30303 enode://efff0692ee2c0cad9e1ddbd6e2c2143577c681827f4424a9ebf0aea315ca690c59a95a8b2de0088e652687f10d28f72b4c1eb5ccaefdf77c2e98984c3786c39d@169.197.143.143:30303 --p2p-port=30303 --rpc-http-enabled=true --rpc-http-api=ETH,NET,WEB3,TRACE,TXPOOL --rpc-ws-enabled=true --rpc-ws-api=ETH,NET,WEB3,TRACE,TXPOOL --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-ws-host=0.0.0.0 --revert-reason-enabled=true'
You should now see the besu clinet start and connect to the KalyChain Blockchain. While running in the tmux window you can safely logout of your server and the besu clinet will continue to run. To bring up the Kalychain window again run this command
'tmux attach-session -t kaly_chain'
See [Getting started with Tmux](https://linuxize.com/post/getting-started-with-tmux/) for more tmux command options.
- [Mainnet Block Explorer](http://kalyscan.io)
- [Testnet Block Explorer](http://testnet,kalyscan.io/)
- [Download KalyChain Binary](https://github.com/KalyCoinProject/kalychain/releases/download/22.10.3/kaly-22.10.3.zip)

@ -0,0 +1,184 @@
# Validator Node Installation (with Binaries)
This guide assumes you using the [Security Best Practices](server/setup.md) setup guide on your server.
{% hint style="warning" %} You and ONLY YOU are responisble for securing your server. The Validator private key is not encrypted! Failing to properly secure your server can result in the loss of funds. To furhter prevent the loss of funds we recomend adding the Validator private key to metmask or some other compatable web3 wallet and moving funds to a seperate address on a regular basis. {% endhint %}
## Getting Started
Login to your server via ssh as a non-root user
```bash
ssh kaly@node.ip.address
```
Install OpenJDK-17
```bash
sudo apt install openjdk-17-jre-headless -y
```
Download the binary and clean up the zip file
```bash
wget https://github.com/KalyCoinProject/kalychain/releases/download/22.10.3/kaly-22.10.3.zip
sudo apt install unzip -y && unzip kaly-22.10.3.zip
sudo mv kaly-22.10.3 kaly && rm kaly-22.10.3.zip
```
Make a data directory
```bash
mkdir node && mkdir node/data
```
{% hint style="info" %}
In this example the node/data directories are where the blockchain and genesis files will be stored. You can choose to store these files in other locations based on your setup. If you change the location of these files then you will need to update the paths when starting the node.
{% endhint %}
Copy the genesis file to the new node directory. You can find the _genesis.json_ file in the **config** directory of this repo.
```bash
cp Node-Install/regular/config/genesis.json node/genesis.json
```
## Start the KalyChain node.
In this section, a daemon will be created to start the KalyChain node in case of server crashes, unexpected restarts, etc.
{% hint style="info" %} :fire: **Pro Tip** We have included a bash script named *start_node.sh* to run these steps for you, please review it and make any changes to paths as needed for your setup. Make the file exicutable by running *chmod +x start_node.sh*
{% endhint %}
The first thing is to create the file for the besu service. To do this, the following steps will be followed.
```sh
cd /lib/systemd/system
sudo nano kalynode.service
```
The following variables will be put in this file: `StartLimitBurst` and `RestartSec` will cause it to make 5 restart attempts every 10s and if it fails at all it will stop trying.
```service
[Unit]
Description=Kaly Node Service
After=network.target
StartLimitBurst=5
StartLimitIntervalSec=200
[Service]
WorkingDirectory=/home/$USER/node/
Type=simple
User=$USER
Group=$USER
ExecStart=/home/$USER/node/../kaly/bin/besu --config-file=/Node-Install/regular/config/config.toml
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target
```
Once the _kalynode.services_ file has been saved, this service is started. Run the following commands.
To let the system know that there is a new daemon that must be started at every boot, the following will be executed:
```sh
sudo systemctl daemon-reload
sudo systemctl enable kalynode.service
```
To start the service run the following command.
```sh
sudo systemctl start kalynode.service
```
Finally, to ensure that the service is correctly started it will run:
```sh
sudo systemctl status kalynode.service
```
Getting a result like this.
```sh
● kaly.service - Kaly Node Service
Loaded: loaded (/etc/systemd/system/kaly.service; disabled; vendor preset: enabled)
Active: active (running) since Fri 2023-03-24 19:34:07 UTC; 6 days ago
Main PID: 4543 (java)
Tasks: 80 (limit: 18979)
Memory: 1.1G
CGroup: /system.slice/kaly.service
└─4543 java -Dvertx.disableFileCPResolving=true -Dbesu.home=/home/dev/besu -Dlog4j.shutdownHookEnabled=false -Dlog4j2.formatMsgNoLookups=true -Djava.util.logging.manager=org.apache.logging.l>
Mar 31 00:27:37 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:37.023+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,228 / 0 tx / 0 om / 0 (0.0%) gas / (0x8d24d427e3ed30>
Mar 31 00:27:39 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:39.005+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,229 / 0 tx / 0 om / 0 (0.0%) gas / (0xff9342efd96c96>
Mar 31 00:27:41 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:41.035+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,230 / 0 tx / 0 om / 0 (0.0%) gas / (0xd72bb1107f282f>
Mar 31 00:27:43 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:43.036+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,231 / 0 tx / 0 om / 0 (0.0%) gas / (0xa0f8820b82a734>
Mar 31 00:27:45 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:45.024+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,232 / 0 tx / 0 om / 0 (0.0%) gas / (0x4f8434013a19cf>
Mar 31 00:27:47 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:47.006+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,233 / 0 tx / 0 om / 0 (0.0%) gas / (0xd51527a085ac1a>
Mar 31 00:27:49 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:49.035+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,234 / 0 tx / 0 om / 0 (0.0%) gas / (0x417fbca71bf666>
Mar 31 00:27:51 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:51.036+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,235 / 0 tx / 0 om / 0 (0.0%) gas / (0x905f30530e8d85>
Mar 31 00:27:53 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:53.025+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,236 / 0 tx / 0 om / 0 (0.0%) gas / (0xbd8759087cca61>
Mar 31 00:27:55 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:55.007+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,237 / 0 tx / 0 om / 0 (0.0%) gas / (0x0869b88844d601>
```
**Optional**
In order to control the Validator logs, KalyChain allows you to [configure your logs](https://besu.hyperledger.org/en/stable/public-networks/how-to/monitor/logging/) thanks to [log4j2](https://logging.apache.org/log4j/2.x/manual/configuration.html), being able to change the format in which you take them out, if you make rotations, if you compress the new files, how many you save and where you save them, etc. To do this, a file called **log-config.xml** is stored in _config_.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="INFO" monitorInterval="5">
<Properties>
<Property name="root.log.level">INFO</Property>
</Properties>
<Appenders>
<Console name="Console" target="SYSTEM_OUT">
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSSZZZ} | %t | %-5level | %c{1} | %msg %throwable{short.message}%n" />
</Console>
<RollingFile name="RollingFile" fileName="/kaly/besu/logs/besu.log" filePattern="/kaly/besu/logs/besu-%d{yyyyMMdd}-%i.log.gz" >
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSSZZZ} | %t | %-5level | %c{1} | %msg %throwable{short.message}%n" />
<!-- Logs in JSON format
<PatternLayout alwaysWriteExceptions="false" pattern='{"timestamp":"%d{ISO8601}","container":"${hostName}","level":"%level","thread":"%t","class":"%c{1}","message":"%msg","throwable":"%enc{%throwable}{JSON}"}%n'/>
-->
<Policies>
<OnStartupTriggeringPolicy minSize="10240" />
<TimeBasedTriggeringPolicy />
<SizeBasedTriggeringPolicy size="50 MB"/>
</Policies>
<DefaultRolloverStrategy max="365" />
</RollingFile>
</Appenders>
<Loggers>
<Root level="${sys:root.log.level}">
<AppenderRef ref="Console" />
<AppenderRef ref="RollingFile" />
</Root>
</Loggers>
</Configuration>
```
In this case, the configuration that has been decided on is as follows.
- Both for the logs displayed on the console and for those stored in the rotated files will be the standard (can be changed to _json_ format or other formats allowed by the tool).
- It will generate a rotated log file when
- The Besu Service is restarted whenever the file size is greater than 10 KB (`OnStartupTriggeringPolicy minSize="10240"`).
- Once a day (`TimeBasedTriggeringPolicy`).
- When the log file, if not spent a day, occupies more than 50 MB (`SizeBasedTriggeringPolicy size="50 MB"`).
- You will save 365 log files in a compressed format. Once the 365 files have passed, you will start deleting the first ones you created (`DefaultRolloverStrategy max="365"`).
```
If you use this setup for log rotation:
Add the environment variable `LOG4J_CONFIGURATION_FILE` to the kalynode.service file by adding this line.
```bash
Environment=LOG4J_CONFIGURATION_FILE=/Node-Install/regular/config/log-config.xml
```
You can view the log file you have generated with this command.
```sh
tail -f besu.log
```

@ -0,0 +1,23 @@
# Valid TOML config file
data-path="/node/data"
logging="INFO"
#Network
bootnodes=["enode://bd1782617ae151ba6da627a35a1babc0a40ae127a718cdc13322acb357411f095d56db6141c99d7f8b63b7ce896ffffbadea34a4471bca297c916a94e1d9b818@169.197.143.193:30303","enode://3ea0e690890c824cb39867c9da0e201764ecd2960c2609ecceb40b3e48d374424f791d32d87eaf7430249649b5c45673178454455b22b133458afc5ddf126c3a@169.197.143.209:30303"]
node-private-key-file="/node/data"
# Chain
genesis-file="/node/genesis.json"
rpc-http-api=["ETH","NET","WEB3"]
rpc-http-enabled=true
rpc-http-host="0.0.0.0"
host-whitelist=["*"]
# WS
rpc-ws-enabled=true
# Metrics
metrics-enabled=true
metrics-host="0.0.0.0"
metrics-port="9545"

@ -0,0 +1,33 @@
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="INFO" monitorInterval="5">
<Properties>
<Property name="root.log.level">INFO</Property>
</Properties>
<Appenders>
<Console name="Console" target="SYSTEM_OUT">
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSSZZZ} | %t | %-5level | %c{1} | %msg %throwable{short.message}%n" />
</Console>
<RollingFile name="RollingFile" fileName="/kaly/besu/logs/besu.log" filePattern="/kaly/besu/logs/besu-%d{yyyyMMdd}-%i.log.gz" >
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSSZZZ} | %t | %-5level | %c{1} | %msg %throwable{short.message}%n" />
<!-- Logs in JSON format
<PatternLayout alwaysWriteExceptions="false" pattern='{"timestamp":"%d{ISO8601}","container":"${hostName}","level":"%level","thread":"%t","class":"%c{1}","message":"%msg","throwable":"%enc{%throwable}{JSON}"}%n'/>
-->
<Policies>
<OnStartupTriggeringPolicy minSize="10240" />
<TimeBasedTriggeringPolicy />
<SizeBasedTriggeringPolicy size="50 MB"/>
</Policies>
<DefaultRolloverStrategy max="365" />
</RollingFile>
</Appenders>
<Loggers>
<Root level="${sys:root.log.level}">
<AppenderRef ref="Console" />
<AppenderRef ref="RollingFile" />
</Root>
</Loggers>
</Configuration>

@ -0,0 +1,163 @@
# RPC Node Setup
This guide assumes you using the [Security Best Practices](server/setup.md) setup guide on your server.
We are providing this guide to encourage developers to run thier own RPC nodes whenever posible. KalyChain community members who wish to support the network can run an RPC node for KalyChain to support the network by providing additional public RPC nodes.
## Getting Started
Follow the [Installation Guide](regular/Installation.md) just as you would with a regular node execpt change the kalynode.service file line
```sh
ExecStart=/home/$USER/node/../kaly/bin/besu --config-file=/Node-Install/regular/config/config.toml
```
To this so it reads the proper _config.toml_ file for RPC nodes
```sh
ExecStart=/home/$USER/node/../kaly/bin/besu --config-file=/Node-Install/rpc/config/config.toml
```
{% hint style="info" %} :fire: **Pro Tip** The included a bash script *start_node.sh* is already setup to start your node with RPC services. Make the file exicutable by running *chmod +x start_node.sh*
{% endhint %}
## Point your Domain
To use a domain name with your RPC service you'll need to create an A record that points to your node's IP address. Sub-doamins are also allowed.
[NameCheap Guide](https://www.namecheap.com/support/knowledgebase/article.aspx/319/2237/how-can-i-set-up-an-a-address-record-for-my-domain/)
[GoDaddy Guide](https://www.godaddy.com/help/add-an-a-record-19238)
## Setup Nginx Reverse Proxy
Install Nginx
```sh
sudo apt install nginx
```
Adjust your firewall rules
```sh
sudo ufw allow 'Nginx FULL'
```
Create a server block so Nginx can serve RPC and WS calls, replace *your_domain* with the domain name you pointed to the server.
```sh
sudo nano /etc/nginx/sites-available/your_domain
```
Paste in the following configuration
```sh
server {
server_name your_domain;
location ^~ /ws {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://0.0.0.0:8546/;
}
location ^~ /rpc {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://0.0.0.0:8545/;
}
}
```
{% hint style="warning" %}
Dont forget replace *your_domain* with your domain name before saving
{% endhint %}
Create a link from the file to the *sites-enabled* directory
```sh
sudo ln -s /etc/nginx/sites-available/your_domain /etc/nginx/sites-enabled/
```
Test to make sure that there are no syntax errors in your Nginx files
```sh
sudo nginx -t
```
If there are no errors restart Nginx to enable the changes
```sh
sudo systemctl restart nginx
```
## Get a free SSL certificate with Let's Encrypt
Install Certbot and the Nginx plugin
```sh
sudo apt install certbot python3-certbot-nginx
```
Get the SSL Cert for your domain
```sh
sudo certbot --nginx -d example.com
```
If that’s successful, certbot will ask how you’d like to configure your HTTPS settings.
```sh
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
```
Select your choice then hit ENTER
A message telling you the process was successful and where your certificates are stored will show on screen:
```sh
Output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-08-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```
## Share your new RPC service
For JSON-RPC calls use:
```sh
https://example.com/rpc
```
For WebSocet use:
```sh
https://example.com/ws
```

@ -0,0 +1,25 @@
# Valid TOML config file
data-path="/node/data"
logging="INFO"
#Network
bootnodes=["enode://bd1782617ae151ba6da627a35a1babc0a40ae127a718cdc13322acb357411f095d56db6141c99d7f8b63b7ce896ffffbadea34a4471bca297c916a94e1d9b818@169.197.143.193:30303","enode://3ea0e690890c824cb39867c9da0e201764ecd2960c2609ecceb40b3e48d374424f791d32d87eaf7430249649b5c45673178454455b22b133458afc5ddf126c3a@169.197.143.209:30303"]
node-private-key-file="/node/data"
# Chain
genesis-file="/node/genesis.json"
rpc-http-api=["ETH","NET","WEB3","TRACE","TXPOOL"]
rpc-http-enabled=true
rpc-http-host="0.0.0.0"
host-whitelist=["*"]
revert-reason-enabled=true
# WS
rpc-ws-enabled=true
# Metrics
metrics-enabled=true
metrics-host="0.0.0.0"
metrics-port="9545"

@ -1,6 +1,6 @@
{
"config" : {
"chainId" : 3889,
"chainId" : 3888,
"homesteadBlock" : 0,
"eip150Block" : 0,
"eip155Block" : 0,
@ -123,5 +123,5 @@
"balance" : "3570000000000000000000000000"
}
},
"extraData" : "0xf87aa00000000000000000000000000000000000000000000000000000000000000000f854947fa47fed34dd63bd76060a5dd63ef3c2b5b23de0942f5e068935deb3eb2c8210b7dfc8d9c96806c68f942aac52c8405a80b20944ae92c85c477412b4a6ed94c5d01f2fa32d12f5b25cb395a557cd74c86241a5c080c0"
"extraData" : "0xf87aa00000000000000000000000000000000000000000000000000000000000000000f85494ad4ea9b483fb8a4ed177186174ba44a41c2f36c3943e5fee8e8cb007611d6e8bab73b1368a1098674094018f86e22cc26e0318e7c00c3a738df1e5f183ac947366f751aa0fcf4d457dc52bdc9d5cd750533943c080c0"
}

@ -0,0 +1,33 @@
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="INFO" monitorInterval="5">
<Properties>
<Property name="root.log.level">INFO</Property>
</Properties>
<Appenders>
<Console name="Console" target="SYSTEM_OUT">
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSSZZZ} | %t | %-5level | %c{1} | %msg %throwable{short.message}%n" />
</Console>
<RollingFile name="RollingFile" fileName="/kaly/besu/logs/besu.log" filePattern="/kaly/besu/logs/besu-%d{yyyyMMdd}-%i.log.gz" >
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSSZZZ} | %t | %-5level | %c{1} | %msg %throwable{short.message}%n" />
<!-- Logs in JSON format
<PatternLayout alwaysWriteExceptions="false" pattern='{"timestamp":"%d{ISO8601}","container":"${hostName}","level":"%level","thread":"%t","class":"%c{1}","message":"%msg","throwable":"%enc{%throwable}{JSON}"}%n'/>
-->
<Policies>
<OnStartupTriggeringPolicy minSize="10240" />
<TimeBasedTriggeringPolicy />
<SizeBasedTriggeringPolicy size="50 MB"/>
</Policies>
<DefaultRolloverStrategy max="365" />
</RollingFile>
</Appenders>
<Loggers>
<Root level="${sys:root.log.level}">
<AppenderRef ref="Console" />
<AppenderRef ref="RollingFile" />
</Root>
</Loggers>
</Configuration>

@ -14,7 +14,7 @@ echo "
Group=$USER
LimitNOFILE=4096
WorkingDirectory=/home/$USER/node/
ExecStart=/home/$USER/node/../besu/bin/besu --data-path=data --genesis-file=./genesis.json --bootnodes=enode://bd1782617ae151ba6da627a35a1babc0a40ae127a718cdc13322acb357411f095d56db6141c99d7f8b63b7ce896ffffbadea34a4471bca297c916a94e1d9b818@169.197.143.193:30303 enode://3ea0e690890c824cb39867c9da0e201764ecd2960c2609ecceb40b3e48d374424f791d32d87eaf7430249649b5c45673178454455b22b133458afc5ddf126c3a@169.197.143.209:30303 --p2p-port=30303 --rpc-http-enabled=true --rpc-http-api=ETH,NET,WEB3,TRACE,TXPOOL --rpc-ws-enabled=true --rpc-ws-api=ETH,NET,WEB3,TRACE,TXPOOL --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-ws-host=0.0.0.0 --revert-reason-enabled=true
ExecStart=/home/$USER/node/../kaly/bin/besu --data-path=data --genesis-file=./genesis.json --bootnodes=enode://bd1782617ae151ba6da627a35a1babc0a40ae127a718cdc13322acb357411f095d56db6141c99d7f8b63b7ce896ffffbadea34a4471bca297c916a94e1d9b818@169.197.143.193:30303 enode://3ea0e690890c824cb39867c9da0e201764ecd2960c2609ecceb40b3e48d374424f791d32d87eaf7430249649b5c45673178454455b22b133458afc5ddf126c3a@169.197.143.209:30303 --p2p-port=30303 --rpc-http-enabled=true --rpc-http-api=ETH,NET,WEB3,TRACE,TXPOOL --rpc-ws-enabled=true --rpc-ws-api=ETH,NET,WEB3,TRACE,TXPOOL --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-ws-host=0.0.0.0 --revert-reason-enabled=true
[Install]
WantedBy=multi-user.target
" | sudo tee kaly.service

@ -0,0 +1,255 @@
# Validator Node Installation (with Binaries)
This guide assumes you using the [Security Best Practices](server/setup.md) setup guide on your server.
{% hint style="warning" %} You and ONLY YOU are responisble for securing your server. The Validator private key is not encrypted! Failing to properly secure your server can result in the loss of funds. To furhter prevent the loss of funds we recomend adding the Validator private key to metmask or some other compatable web3 wallet and moving funds to a seperate address on a regular basis. {% endhint %}
## Getting Started
Login to your server via ssh as a non-root user
```bash
ssh kaly@node.ip.address
```
Install OpenJDK-17
```bash
sudo apt install openjdk-17-jre-headless -y
```
Download the binary and clean up the zip file
```bash
wget https://github.com/KalyCoinProject/kalychain/releases/download/22.10.3/kaly-22.10.3.zip
sudo apt install unzip -y && unzip kaly-22.10.3.zip
sudo mv kaly-22.10.3 kaly && rm kaly-22.10.3.zip
```
Make a data directory
```bash
mkdir node && mkdir node/data
```
{% hint style="info" %}
In this example the node/data directories are where the blockchain and genesis files will be stored. You can choose to store these files in other locations based on your setup. If you change the location of these files then you will need to update the paths when starting the node.
{% endhint %}
Copy the genesis file to the new node directory. You can find the _genesis.json_ file in the **config** directory of this repo.
```bash
cp Node-Install/validator/config/genesis.json node/genesis.json
```
## Validator configuration
Create a new private key, public key and node address with the following commands.
```sh
cd /kaly/bin/besu
./besu --data-path=. public-key export --to=key.pub
./besu --data-path=. public-key export-address --to=nodeAddress
```
{% hint style="info" %} The oututs of each command will print the key and node address on screen, make sure your copy them to a safe place, you will need them later to be added as a Validator and to add to your wallet (metamask or other) to collect block rewards.
{% endhint %}
The keys 'key', 'key.pub' and 'nodeAddress' will have been generated and there gonna be stored in the **node/data** directory.
```sh
mv key node/data
mv key.pub node/data
mv nodeAddress node/data
```
## Start the KalyChain node.
In this section, a daemon will be created to start the KalyChain node in case of server crashes, unexpected restarts, etc.
{% hint style="info" %} :fire: **Pro Tip** We have included a bash script named *start_node.sh* to run these steps for you, please review it and make any changes to paths as needed for your setup. Make the file exicutable by running *chmod +x start_node.sh*
{% endhint %}
The first thing is to create the file for the besu service. To do this, the following steps will be followed.
```sh
cd /lib/systemd/system
sudo nano kalynode.service
```
The following variables will be put in this file: `StartLimitBurst` and `RestartSec` will cause it to make 5 restart attempts every 10s and if it fails at all it will stop trying.
```service
[Unit]
Description=Kaly Node Service
After=network.target
StartLimitBurst=5
StartLimitIntervalSec=200
[Service]
WorkingDirectory=/home/$USER/node/
Type=simple
User=$USER
Group=$USER
ExecStart=/home/$USER/node/../kaly/bin/besu --config-file=/Node-Install/validator/config/config.toml
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target
```
Once the _kalynode.services_ file has been saved, this service is started. Run the following commands.
To let the system know that there is a new daemon that must be started at every boot, the following will be executed:
```sh
sudo systemctl daemon-reload
sudo systemctl enable kalynode.service
```
To start the service run the following command.
```sh
sudo systemctl start kalynode.service
```
Finally, to ensure that the service is correctly started it will run:
```sh
sudo systemctl status kalynode.service
```
Getting a result like this.
```sh
● kaly.service - Kaly Node Service
Loaded: loaded (/etc/systemd/system/kaly.service; disabled; vendor preset: enabled)
Active: active (running) since Fri 2023-03-24 19:34:07 UTC; 6 days ago
Main PID: 4543 (java)
Tasks: 80 (limit: 18979)
Memory: 1.1G
CGroup: /system.slice/kaly.service
└─4543 java -Dvertx.disableFileCPResolving=true -Dbesu.home=/home/dev/besu -Dlog4j.shutdownHookEnabled=false -Dlog4j2.formatMsgNoLookups=true -Djava.util.logging.manager=org.apache.logging.l>
Mar 31 00:27:37 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:37.023+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,228 / 0 tx / 0 om / 0 (0.0%) gas / (0x8d24d427e3ed30>
Mar 31 00:27:39 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:39.005+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,229 / 0 tx / 0 om / 0 (0.0%) gas / (0xff9342efd96c96>
Mar 31 00:27:41 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:41.035+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,230 / 0 tx / 0 om / 0 (0.0%) gas / (0xd72bb1107f282f>
Mar 31 00:27:43 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:43.036+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,231 / 0 tx / 0 om / 0 (0.0%) gas / (0xa0f8820b82a734>
Mar 31 00:27:45 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:45.024+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,232 / 0 tx / 0 om / 0 (0.0%) gas / (0x4f8434013a19cf>
Mar 31 00:27:47 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:47.006+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,233 / 0 tx / 0 om / 0 (0.0%) gas / (0xd51527a085ac1a>
Mar 31 00:27:49 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:49.035+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,234 / 0 tx / 0 om / 0 (0.0%) gas / (0x417fbca71bf666>
Mar 31 00:27:51 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:51.036+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,235 / 0 tx / 0 om / 0 (0.0%) gas / (0x905f30530e8d85>
Mar 31 00:27:53 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:53.025+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,236 / 0 tx / 0 om / 0 (0.0%) gas / (0xbd8759087cca61>
Mar 31 00:27:55 sea-sm5038md-h24trf-2-21 besu[4543]: 2023-03-31 00:27:55.007+00:00 | EthScheduler-Workers-0 | INFO | PersistBlockTask | Imported 268,237 / 0 tx / 0 om / 0 (0.0%) gas / (0x0869b88844d601>
```
## Adding your node as a Validator
At this time existing Validators must propose and vote to add new Validators. You must contact and admin on [discord](https://discord.gg/bvtm6dUf) or [telegram](https://t.me/+yj8Ae9lNXmg1Yzkx), providing this information for your node:
**1. ENODE:** String ENODE from ENODE_ADDRESS (enode://ENODE@IP:30303)
**2. Public IP:** The external IP of your node.
**3. System details:** Hosting provider, number of cores (vCPUs), RAM Memory and Hard disk size.
Follow these steps to get the information that you will be asked for:
* You can find the ENODE_ADDRESS using `curl -X POST --data '{"jsonrpc":"2.0","method":"admin_nodeInfo","params":[],"id":1}' http://127.0.0.1:8545`.
* Get the IP address of your node, as seen from the external world.
```sh
$ curl https://ifconfig.me/
```
You can also get the ENODE_ADDRESS if you have saved the node address from the previous steps
For example if the node public key was:
```sh
0xc35c3ec90a8a51fd5703594c6303382f3ae6b2ecb9589bab2c04b3794f2bc3fc2631dabb0c08af795787a6c004d8f532230ae6e9925cbbefb0b28b79295d615f
```
And if the IP address of your node was:
```sh
123.4.56.7
```
Then the enode URL is:
```sh
enode://c35c3ec90a8a51fd5703594c6303382f3ae6b2ecb9589bab2c04b3794f2bc3fc2631dabb0c08af795787a6c004d8f532230ae6e9925cbbefb0b28b79295d615f@123.4.56.7:30303
```
* When more than 50% of the existing validators have published a matching proposal, the protocol adds the proposed validator to the validator pool and the validator can begin validating blocks. You will then see your _nodeAddress_ on [KalyScan](https://kalyscan.io) start earning block rewards.
**Please NOTE** As a Validator you will be expected to participate in Voting for or against new Validators and maintain your server in optimal conditions. Validators who fail to keep there nodes available to validate blocks can be Voted out.
To propose adding a validator, call *qbft_proposeValidatorVote*, specifying the address of the proposed validator and true.
Example JSON-RPC call
```sh
curl -X POST --data '{"jsonrpc":"2.0","method":"qbft_proposeValidatorVote","params":["0xAE6B557E8Fb62b89F4916F720be55cEb828dBc74", true], "id":1}' <JSON-RPC-endpoint:port>
```
**Optional**
In order to control the Validator logs, KalyChain allows you to [configure your logs](https://besu.hyperledger.org/en/stable/public-networks/how-to/monitor/logging/) thanks to [log4j2](https://logging.apache.org/log4j/2.x/manual/configuration.html), being able to change the format in which you take them out, if you make rotations, if you compress the new files, how many you save and where you save them, etc. To do this, a file called **log-config.xml** is stored in _config_.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="INFO" monitorInterval="5">
<Properties>
<Property name="root.log.level">INFO</Property>
</Properties>
<Appenders>
<Console name="Console" target="SYSTEM_OUT">
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSSZZZ} | %t | %-5level | %c{1} | %msg %throwable{short.message}%n" />
</Console>
<RollingFile name="RollingFile" fileName="/kaly/besu/logs/besu.log" filePattern="/kaly/besu/logs/besu-%d{yyyyMMdd}-%i.log.gz" >
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSSZZZ} | %t | %-5level | %c{1} | %msg %throwable{short.message}%n" />
<!-- Logs in JSON format
<PatternLayout alwaysWriteExceptions="false" pattern='{"timestamp":"%d{ISO8601}","container":"${hostName}","level":"%level","thread":"%t","class":"%c{1}","message":"%msg","throwable":"%enc{%throwable}{JSON}"}%n'/>
-->
<Policies>
<OnStartupTriggeringPolicy minSize="10240" />
<TimeBasedTriggeringPolicy />
<SizeBasedTriggeringPolicy size="50 MB"/>
</Policies>
<DefaultRolloverStrategy max="365" />
</RollingFile>
</Appenders>
<Loggers>
<Root level="${sys:root.log.level}">
<AppenderRef ref="Console" />
<AppenderRef ref="RollingFile" />
</Root>
</Loggers>
</Configuration>
```
In this case, the configuration that has been decided on is as follows.
- Both for the logs displayed on the console and for those stored in the rotated files will be the standard (can be changed to _json_ format or other formats allowed by the tool).
- It will generate a rotated log file when
- The Besu Service is restarted whenever the file size is greater than 10 KB (`OnStartupTriggeringPolicy minSize="10240"`).
- Once a day (`TimeBasedTriggeringPolicy`).
- When the log file, if not spent a day, occupies more than 50 MB (`SizeBasedTriggeringPolicy size="50 MB"`).
- You will save 365 log files in a compressed format. Once the 365 files have passed, you will start deleting the first ones you created (`DefaultRolloverStrategy max="365"`).
```
If you use this setup for log rotation:
Add the environment variable `LOG4J_CONFIGURATION_FILE` to the kalynode.service file by adding this line.
```bash
Environment=LOG4J_CONFIGURATION_FILE=/Node-Install/validator/config/log-config.xml
```
You can view the log file you have generated with this command.
```sh
tail -f besu.log
```

@ -0,0 +1,23 @@
# Valid TOML config file
data-path="/node/data"
logging="INFO"
#Network
bootnodes=["enode://bd1782617ae151ba6da627a35a1babc0a40ae127a718cdc13322acb357411f095d56db6141c99d7f8b63b7ce896ffffbadea34a4471bca297c916a94e1d9b818@169.197.143.193:30303","enode://3ea0e690890c824cb39867c9da0e201764ecd2960c2609ecceb40b3e48d374424f791d32d87eaf7430249649b5c45673178454455b22b133458afc5ddf126c3a@169.197.143.209:30303"]
node-private-key-file="/node/data"
# Chain
genesis-file="/node/genesis.json"
rpc-http-api=["ETH","NET","QBFT","WEB3","ADMIN"]
rpc-http-enabled=true
rpc-http-host="0.0.0.0"
host-whitelist=["*"]
# WS
rpc-ws-enabled=true
# Metrics
metrics-enabled=true
metrics-host="0.0.0.0"
metrics-port="9545"

@ -0,0 +1,127 @@
{
"config" : {
"chainId" : 3888,
"homesteadBlock" : 0,
"eip150Block" : 0,
"eip155Block" : 0,
"eip158Block" : 0,
"byzantiumBlock" : 0,
"constantinopleBlock" : 0,
"petersburgBlock" : 0,
"istanbulBlock" : 0,
"berlinBlock" : 0,
"londonBlock" : 0,
"qbft" : {
"blockperiodseconds" : 2,
"epochlength" : 28800,
"requesttimeoutseconds" : 4,
"blockreward" : "3000000000000000000",
"baseFeePerGas" : "0x834"
}
},
"transitions" : {
"qbft" : [ {
"block" : 4576000,
"blockreward" : "1500000000000000000"
}, {
"block" : 9152000,
"blockreward" : "750000000000000000"
}, {
"block" : 13728000,
"blockreward" : "375000000000000000"
}, {
"block" : 18304000,
"blockreward" : "187500000000000000"
}, {
"block" : 22880000,
"blockreward" : "93750000000000000"
}, {
"block" : 27456000,
"blockreward" : "46875000000000000"
}, {
"block" : 32032000,
"blockreward" : "23437500000000000"
}, {
"block" : 36608000,
"blockreward" : "11718750000000000"
}, {
"block" : 41184000,
"blockreward" : "5859375000000000"
}, {
"block" : 45760000,
"blockreward" : "2929687500000000"
}, {
"block" : 50336000,
"blockreward" : "1464843750000000"
}, {
"block" : 54912000,
"blockreward" : "732421875000000"
}, {
"block" : 59488000,
"blockreward" : "366210937500000"
}, {
"block" : 64064000,
"blockreward" : "183105468750000"
}, {
"block" : 68640000,
"blockreward" : "91552734375000"
}, {
"block" : 73216000,
"blockreward" : "45776367187500"
}, {
"block" : 77792000,
"blockreward" : "22888183593750"
}, {
"block" : 82368000,
"blockreward" : "11444091796875"
}, {
"block" : 86944000,
"blockreward" : "57220458984375"
}, {
"block" : 91520000,
"blockreward" : "28610229492187"
}, {
"block" : 96096000,
"blockreward" : "14305114746093"
}, {
"block" : 100672000,
"blockreward" : "7152557373046"
}, {
"block" : 105248000,
"blockreward" : "3576278686523"
}, {
"block" : 109824000,
"blockreward" : "1788139343261"
}, {
"block" : 114400000,
"blockreward" : "894069671630"
}, {
"block" : 118976000,
"blockreward" : "447034835815"
}, {
"block" : 123552000,
"blockreward" : "223517417907"
}, {
"block" : 128128000,
"blockreward" : "111758708953"
}, {
"block" : 132704000,
"blockreward" : "55879354476"
}, {
"block" : 137280000,
"blockreward" : "0"
} ]
},
"nonce" : "0x0",
"timestamp" : "0x0",
"gasLimit" : "0x1fffffffffffff",
"difficulty" : "0x1",
"mixHash" : "0x63746963616c2062797a616e74696e65206661756c7420746f6c6572616e6365",
"coinbase" : "0x0000000000000000000000000000000000000000",
"alloc" : {
"0xaE51f2EfE70e57b994BE8F7f97C4dC824c51802a" : {
"balance" : "3570000000000000000000000000"
}
},
"extraData" : "0xf87aa00000000000000000000000000000000000000000000000000000000000000000f85494ad4ea9b483fb8a4ed177186174ba44a41c2f36c3943e5fee8e8cb007611d6e8bab73b1368a1098674094018f86e22cc26e0318e7c00c3a738df1e5f183ac947366f751aa0fcf4d457dc52bdc9d5cd750533943c080c0"
}

@ -0,0 +1,33 @@
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="INFO" monitorInterval="5">
<Properties>
<Property name="root.log.level">INFO</Property>
</Properties>
<Appenders>
<Console name="Console" target="SYSTEM_OUT">
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSSZZZ} | %t | %-5level | %c{1} | %msg %throwable{short.message}%n" />
</Console>
<RollingFile name="RollingFile" fileName="/kaly/besu/logs/besu.log" filePattern="/kaly/besu/logs/besu-%d{yyyyMMdd}-%i.log.gz" >
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSSZZZ} | %t | %-5level | %c{1} | %msg %throwable{short.message}%n" />
<!-- Logs in JSON format
<PatternLayout alwaysWriteExceptions="false" pattern='{"timestamp":"%d{ISO8601}","container":"${hostName}","level":"%level","thread":"%t","class":"%c{1}","message":"%msg","throwable":"%enc{%throwable}{JSON}"}%n'/>
-->
<Policies>
<OnStartupTriggeringPolicy minSize="10240" />
<TimeBasedTriggeringPolicy />
<SizeBasedTriggeringPolicy size="50 MB"/>
</Policies>
<DefaultRolloverStrategy max="365" />
</RollingFile>
</Appenders>
<Loggers>
<Root level="${sys:root.log.level}">
<AppenderRef ref="Console" />
<AppenderRef ref="RollingFile" />
</Root>
</Loggers>
</Configuration>

@ -0,0 +1,455 @@
---
description: Quick steps to secure your node.
---
# Security Best Practices for your Validator node
Completing this guide will provide a solid baseline to protect and secure your node.
## :robot: Pre-requisites
**Operating System**: Ubuntu 20.04 LTS 64 bits
**Hardware**:
| Hardware | minimum | desired |
| :------------- | :------ | :------ |
| **CPU's**: | 2 | 4 |
| **Memory**: | 4 Gb | 8 Gb |
| **Hard Disk**: | 100 Gb | 1000 Gb |
* a SSH client or terminal window access on a local computer.
In case you need a SSH client for your operating system, refer to:
{% embed url="https://www.howtogeek.com/311287/how-to-connect-to-an-ssh-server-from-windows-macos-or-linux/" %}
## :man\_mage: Mandatory: Create a non-root user with sudo privileges
Begin by connecting to your Ubuntu Server with your SSH client.
```bash
ssh root@node.ip.address
```
Create a new user called kaly
```
sudo useradd -m -s /bin/bash kaly
```
{% hint style="info" %}
the user name _kaly_ is only an example you can make any user name you wish
{% endhint %}
Set the password for kaly user
```
sudo passwd kaly
```
Add kaly to the sudo group
```
sudo usermod -aG sudo kaly
```
## :closed\_lock\_with\_key: Mandatory: **Disable SSH password Authentication and Use SSH Keys only**
{% hint style="info" %}
The basic rules of hardening SSH are:
* No password for SSH access (use private key)
* Don't allow root to SSH (the appropriate users should SSH in, then `su` or `sudo`)
* Use `sudo` for users so commands are logged
* Log unauthorized login attempts (and consider software to block/ban users who try to access your server too many times, like fail2ban)
* Lock down SSH to only the ip range your require (if you feel like it)
{% endhint %}
Create a new SSH key pair on your local machine. Run this on your local machine. You will be asked to type a file name in which to save the key. This will be your **keyname**.
```
ssh-keygen -t ed25519
```
Your SSH key pair is stored in your home directory. For example, if your keyname was **mySSHkey**, then your private SSH key is `mySSHkey` and your public SSH key is `mySSHkey.pub`
{% hint style="warning" %}
**IMPORTANT:** Make multiple backup copies of your **private SSH key file** to external storage, such as a USB backup key, for recovery purposes.
Verify the contents of your private SSH key file before moving on.&#x20;
```
cat <keyname>
```
It should look similar to this example.
```
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBAblzWLb7/0o62FZf9YjLPCV4qFhbqiSH3TBvZXBiYNgAAAJCWunkulrp5
LgAAAAtzc2gtZWQyNTUxOQAAACBAblzWLb7/0o62FZf9YjLPCV4qFhbqiSH3TBvZXBiYNg
AAAEAxT+yCmifGWgbFnkauf0HyOAJANhYY5EElEX8fI+M4B0BuXNYtvv/SjrYVl/1iMs8J
XioWFuqJIfdMG9lcGJg2AAAACWV0aDJAZXRoMgECAwQ=
-----END OPENSSH PRIVATE KEY-----
```
{% endhint %}
Transfer the public key to your remote node. Replace <**keyname.pub>** appropriately.
```bash
ssh-copy-id -i $HOME/<keyname.pub> kaly@node.ip.address
```
Login with your new kaly user
```
ssh kaly@node.ip.address
```
Disable root login and password based login. Edit the `/etc/ssh/sshd_config file`
```
sudo nano /etc/ssh/sshd_config
```
Locate **PubkeyAuthentication** and update to yes. Delete the #, if needed.
```
PubkeyAuthentication yes
```
Locate **PasswordAuthentication** and update to no
```
PasswordAuthentication no
```
Locate **PermitRootLogin** and update to prohibit-password
```
PermitRootLogin prohibit-password
```
Locate **PermitEmptyPasswords** and update to no
```
PermitEmptyPasswords no
```
**Optional**: Locate **Port** and customize it your **random** port.
```bash
Port <your random port number>
```
{% hint style="info" %}
A valid **random** port # ranges from 1024 thru 49141.
Check that the port is not already used by other services. Replace \<port> with your random port #.
```
sudo ss -ntlp | grep :<port>
```
Empty response means the port is good.
A response with red numbers means the port is already used. Choose another port.
{% endhint %}
Validate the syntax of your new SSH configuration.
```
sudo sshd -t
```
If no errors with the syntax validation, restart the SSH process
```
sudo systemctl restart sshd
```
Verify the login still works
{% tabs %}
{% tab title="Standard SSH Port 22" %}
```
ssh kaly@node.ip.address
```
{% endtab %}
{% tab title="Custom SSH Port" %}
```bash
ssh kaly@node.ip.address -p <custom random port number>
```
{% endtab %}
{% endtabs %}
**Optional**: Make logging in easier by updating your local ssh config.
To simplify the ssh command needed to log in to your server, consider updating your local `$HOME/.ssh/config` file:
```bash
Host kaly-node
User kaly
HostName <node.ip.address>
Port <custom random port number>
```
This will allow you to log in with `ssh kaly-node` rather than needing to pass through all ssh parameters explicitly.
## :robot: Mandatory: **Update your system**
{% hint style="warning" %}
It's critically important to keep your system up-to-date with the latest patches to prevent intruders from accessing your system.
{% endhint %}
```bash
sudo apt-get update -y && sudo apt dist-upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean
```
Enable automatic updates so you don't have to manually install them.
```
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
```
Reboot your system to enable the upgrades.
```
sudo reboot
```
## :bricks: Mandatory: **Configure your Firewall**
The standard UFW firewall can be used to control network access to your node.
With any new installation, ufw is disabled by default. Enable it with the following settings.
* If you used a custom random SSH port, replace "22" with your actual port #.
```bash
# By default, deny all incoming and outgoing traffic
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow ssh access
sudo ufw allow 22/tcp
# Allow execution client port
sudo ufw allow 30303
# Allow rpc port
sudo ufw allow 8545
# Allow ws port
sudo ufw allow 8546
# Enable firewall
sudo ufw enable
```
{% hint style="warning" %} If you dont want to make RPC or WS calls to your node remotely Omit allowing ports 8545 and 8546. {% endhint %}
Confirm the settings are in effect.&#x20;
```bash
sudo ufw status numbered
```
Example of properly configured ufw status for Lighthouse.
> ```csharp
> To Action From
> -- ------ ----
> [ 1] 22/tcp ALLOW IN Anywhere
> [ 2] 30303 ALLOW IN Anywhere
> [ 3] 8545 ALLOW IN Anywhere
> [ 4] 8546 ALLOW IN Anywhere
> [ 5] 22/tcp (v6) ALLOW IN Anywhere (v6)
> [ 6] 30303 (v6) ALLOW IN Anywhere (v6)
> [ 7] 8545 (v6) ALLOW IN Anywhere (v6)
> [ 7] 8546 (v6) ALLOW IN Anywhere (v6)
> ```
{% hint style="warning" %}
**Note for Grafana Users**: Do not expose Grafana (port 3000) to the public internet as this invites a new attack surface! A secure solution would be to access Grafana through a ssh tunnel.
Example of how to create a ssh tunnel:
```
ssh -N -v kaly@node.ip.address -L 3000:localhost:3000
```
{% endhint %}
**\[ Optional ]** Whitelisting, which means permitting connections from a specific IP, can be setup via the following command.
```bash
sudo ufw allow from <your local daily laptop/pc>
# Example
# sudo ufw allow from 192.168.50.22
```
## :chains: Mandatory: **Install Fail2ban**
{% hint style="info" %}
Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.
{% endhint %}
```
sudo apt-get install fail2ban -y
```
Edit a config file that monitors SSH logins.
```
sudo nano /etc/fail2ban/jail.local
```
Add the following lines to the bottom of the file.
{% hint style="info" %}
:fire: **Whitelisting IP address tip**: The `ignoreip` parameter accepts IP addresses, IP ranges or DNS hosts that you can specify to be allowed to connect. This is where you want to specify your local machine, local IP range or local domain, separated by spaces.
```bash
# Example
ignoreip = 192.168.1.0/24 127.0.0.1/8
```
{% endhint %}
```bash
[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip = <list of whitelisted IP address, your local daily laptop/pc>
```
Save/close file.
Restart fail2ban for settings to take effect.
```
sudo systemctl restart fail2ban
```
## :bear: Optional: Disable root account
System admins should not frequently log in as root in order to maintain server security. Instead, you can use sudo execute that require low-level privileges.
```bash
# To disable the root account, simply use the -l option.
sudo passwd -l root
```
```bash
# If for some valid reason you need to re-enable the account, simply use the -u option.
sudo passwd -u root
```
## :tools: Optional: Setup Two Factor Authentication for SSH
{% hint style="info" %}
SSH, the secure shell, is often used to access remote Linux systems. Because we often use it to connect with computers containing important data, it’s recommended to add another security layer. Here comes the two factor authentication (_2FA_).
{% endhint %}
```
sudo apt install libpam-google-authenticator -y
```
To make SSH use the Google Authenticator PAM module, edit the `/etc/pam.d/sshd` file:
```
sudo nano /etc/pam.d/sshd
```
Add the following line:
```
auth required pam_google_authenticator.so
```
Now you need to restart the `sshd` daemon using:
```
sudo systemctl restart sshd.service
```
Modify `/etc/ssh/sshd_config`
```
sudo nano /etc/ssh/sshd_config
```
Locate **ChallengeResponseAuthentication** and update to yes
```
ChallengeResponseAuthentication yes
```
Locate **UsePAM** and update to yes
```
UsePAM yes
```
Save the file and exit.
Run the **google-authenticator** command.
```
google-authenticator
```
It will ask you a series of questions, here is a recommended configuration:
* Make tokens “time-base”": yes
* Update the `.google_authenticator` file: yes
* Disallow multiple uses: yes
* Increase the original generation time limit: no
* Enable rate-limiting: yes
You may have noticed the giant QR code that appeared during the process, underneath are your emergency scratch codes to be used if you don’t have access to your phone: write them down on paper and keep them in a safe place.
Now, open Google Authenticator on your phone and add your secret key to make two factor authentication work.
{% hint style="danger" %}
**Note**: If you are enabling 2FA on a remote machine that you access over SSH you need to follow **steps 2 and 3** of [this tutorial](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-18-04) to make 2FA work.
{% endhint %}
## :jigsaw: Optional: Secure Shared Memory
{% hint style="info" %}
One of the first things you should do is secure the shared [memory](https://www.lifewire.com/what-is-random-access-memory-ram-2618159) used on the system. If you're unaware, shared memory can be used in an attack against a running service. Because of this, secure that portion of system memory.
To learn more about secure shared memory, read this [techrepublic.com article](https://www.techrepublic.com/article/how-to-enable-secure-shared-memory-on-ubuntu-server/).
{% endhint %}
## :rocket: References
% embed url="https://www.coincashew.com/coins/overview-eth/guide-or-how-to-setup-a-validator-on-eth2-mainnet/part-i-installation/guide-or-security-best-practices-for-a-eth2-validator-beaconchain-node" %}
{% embed url="https://medium.com/@BaneBiddix/how-to-harden-your-ubuntu-18-04-server-ffc4b6658fe7" %}
{% embed url="https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure/" %}
{% embed url="https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-18-04" %}
{% embed url="https://ubuntu.com/tutorials/configure-ssh-2fa#1-overview" %}
{% embed url="https://linuxize.com/post/install-configure-fail2ban-on-ubuntu-20-04/" %}
[https://gist.github.com/lokhman/cc716d2e2d373dd696b2d9264c0287a3#file-ubuntu-hardening-md](https://gist.github.com/lokhman/cc716d2e2d373dd696b2d9264c0287a3#file-ubuntu-hardening-md)
{% embed url="https://www.lifewire.com/harden-ubuntu-server-security-4178243" %}
{% embed url="https://www.ubuntupit.com/best-linux-hardening-security-tips-a-comprehensive-checklist/" %}
Loading…
Cancel
Save