Interactive Solo Gnosis staking guide for Ubuntu OS
Complete guide to staking one or thousands of validators on multiple chains through a single staking node. Simply made, interactive, well explained. The guide on this webpage is focused on staking Gnosis.
Disclaimer
This guide is for informational purposes only. Neither the author nor the website owner guarantees the accuracy of the information in this guide, and neither is responsible for any damages or losses incurred by following it.
Prerequisites
Prerequisites for Gnosis staking
Before you start, make sure you have these three things ready.
Staking Node for Gnosis
Prepare hardware/VM for Gnosis staking. Check out the recommended options and instructions.
Install UFW and configure it to deny incoming and allow outgoing traffic by default
Install UFW (if not installed yet)
sudo apt install ufw
Set the default firewall configuration:
sudo ufw default deny incoming
sudo ufw default allow outgoing
NOTE: An installed firewall is required for enabling a custom SSH port for remote connections. The firewall itself is activated later, after the additional configuration made in the next steps (enabling it now, with incoming traffic denied, would cut off a remote SSH session).
Security: SSH
Managing the SSH access
SSH allows you to connect to the server remotely, either from the local network or from a remote network.
If you are going to connect to your node locally only (i.e. with a monitor and keyboard plugged directly into the node), you do not need to install SSH, or you can simply disable it if it is already installed.
Check, whether SSH is installed on the server
which sshd
This command should print the path of the SSH service binary. If it prints an empty response, SSH is not installed on the server and connecting to the server over SSH is therefore not possible.
If SSH access is allowed, you must protect it from attackers. Depending on your network configuration, access may be possible:
From any network (Your server has public IP)
From a local network only (your server is behind NAT)
From a VPN network the node is assigned to
Even if you have enabled access from the local network only (your node is behind NAT), you should still protect your SSH access, as a potential attacker may use a compromised device in your local network to reach your node. The defense consists of increasing the number of obstacles that must be overcome to access your node.
If SSH is not installed yet (which sshd returns an empty response), the SSH server can be installed with the following command:
sudo apt install openssh-server
After the installation, you can shut down the server with the poweroff command and unplug the monitor and keyboard; from now on, connections can be made remotely over SSH. As no SSH key is used yet, a remote connection from Linux/macOS can be made with the following command:
Remote connection from Windows requires the installation of an SSH client such as PuTTY. See more information about remote connections from Windows in this guide.
Before configuring security and connecting to your node, keep the basic rule in mind: also maintain the security of the computer(s) you use to connect to your node (an attacker could steal the SSH keys from them) and of any other devices required for the connection (stealing 2FA codes, etc.).
Configure SSH keys
By default, SSH connections can be made with a combination of username and password. A password is usually relatively short and therefore susceptible to brute-force attacks, keylogger attacks and so on. This is why SSH keys significantly improve the security of the login process.
As port 22 is the default port for SSH connections, it is the first port a potential attacker tests. Change it to a different free port.
Choose any number between 21 and 49151 (the commands below use 1024 as the chosen port; replace it with your own choice).
Choose a port number for SSH:
Check whether the selected port is not already in use (1024 in this example)
sudo ss -tulpn | grep ':1024'
blank response = the port is not in use
a line is printed (highlighted in red) = the port is already in use; check the availability of a different port number in that case.
Change the SSH port from the default 22 to 1024 in the SSH config file
Open sshd_config config file
sudo nano /etc/ssh/sshd_config
Find the Port directive, usually Port 22. It specifies the port currently used for SSH access.
Rewrite the value to your new port, e.g. Port 1024. If the line starts with #, remove the # so the setting becomes active.
Press CTRL + X then Y then ENTER to save and exit the config file.
Enable port 1024 for SSH/TCP connections
sudo ufw allow 1024/tcp
Disable the default port 22 for SSH/TCP connections
sudo ufw deny 22/tcp
Restart the SSH service and reboot the system to reflect the changes.
sudo systemctl restart ssh && sudo reboot
After the restart, you will no longer be able to connect over SSH on port 22. Be sure to connect over port 1024 next time.
NOTE: If you are unable to sign in over SSH after changing the port, try rebooting the staking node and signing in again.
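The port change above is the step where a typo locks you out of the node, so it pays to rehearse it on a copy of sshd_config before touching the live file. The script below is an added example and is not part of this guide: it validates the chosen port against the range the guide allows, removes every existing Port line (commented or not) and inserts exactly one Port directive at the top of the file, where it is legal (a Port directive inside a Match block is rejected by sshd). The function names, the constructed sample config and the 1024 value are this example's own assumptions; it expects GNU sed and coreutils as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example, not from the guide: change the sshd Port directive safely.
# Works on a file path so the change can be rehearsed on a copy first; run it
# against /etc/ssh/sshd_config (as root) only once the rehearsal looks right.
set -eu

# 0 if PORT is an integer in the guide's accepted range 21..49151 and not the default 22.
port_is_valid() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 21 ] && [ "$1" -le 49151 ] && [ "$1" -ne 22 ]
}

# 0 if a TCP or UDP listener already uses PORT. Same idea as the guide's
# `ss -tulpn | grep ':22'`, but anchored so that 1024 does not also match 10240.
port_in_use() {
  ss -tuln 2>/dev/null | awk 'NR > 1 {print $5}' | grep -qE "[:.]$1\$"
}

# Remove every Port line (active or commented out) from CONFIG and insert a single
# "Port PORT" at the top, ahead of any Match block where Port would be illegal.
set_ssh_port() {
  config="$1"; port="$2"
  port_is_valid "$port" || { echo "refusing port '$port'" >&2; return 1; }
  tmp=$(mktemp)
  {
    printf 'Port %s\n' "$port"
    sed -E '/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+/d' "$config"
  } > "$tmp"
  cat "$tmp" > "$config"   # rewrite in place so owner and mode of CONFIG are kept
  rm -f "$tmp"
}

# Print the active port configured in CONFIG (sshd's default 22 when none is set).
get_ssh_port() {
  p=$(awk '$1 == "Port" {print $2; exit}' "$1")
  echo "${p:-22}"
}

# Syntax-check a config before restarting sshd; needs root because sshd reads the host keys.
check_sshd_config() { sshd -t -f "$1"; }

# Rehearsal on a constructed scratch copy, never on the live file.
demo=$(mktemp)
printf '#Port 22\nPort 22\nPasswordAuthentication no\n' > "$demo"
set_ssh_port "$demo" 1024
echo "active port is now $(get_ssh_port "$demo")"
rm -f "$demo"
```

Once the rehearsal prints the expected port, repeat the call on /etc/ssh/sshd_config, run check_sshd_config on it, and only then apply the guide's ufw allow/deny pair and restart. Keep the existing session open while you test the new port from a second terminal, so a mistake can still be corrected.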
Security: 2FA
Configuring 2FA authentication
2FA (two-factor authentication) adds a code that you must provide, in addition to your password or key, to access your node. You may know 2FA from crypto exchanges; you can protect logins to your node in the same way.
To defend against brute-force and DDoS attacks, you can monitor incoming connections and block IP addresses that repeatedly attempt to log in with incorrect credentials. Installing the Fail2Ban package automates this.
If you do not need to connect to your node from remote networks, place your node behind a router that prevents access to it from the internet.
If you want to keep remote access, still consider placing the node behind the router, setting up a VPN on the router and, when connecting to the node, first connecting to the router's VPN and then reaching the node through its local IP as if from the "local" network.
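What Fail2Ban automates is a simple count of failed logins per source address in the SSH log; seeing that count yourself is the quickest way to judge whether the custom port and key-only login are actually keeping scanners away. The script below is an added example, not part of this guide or of Fail2Ban: it extracts the "Failed password ... from <ip>" lines that OpenSSH writes to the auth log (journalctl -u ssh or /var/log/auth.log) and reports every address that crossed a threshold. The function names and the five constructed log lines are this example's own.

```shell
#!/bin/sh
# Added example, not from the guide: count failed SSH logins per source IP, the
# signal Fail2Ban turns into a temporary ban. Uses only grep/sed/sort/awk so it
# runs on a bare Ubuntu install. Assumes OpenSSH's auth-log line format.
set -eu

# Print "<count> <ip>" for every IP with at least THRESHOLD (default 3) failed
# password attempts in LOGFILE, most frequent first.
failed_logins_by_ip() {
  logfile="$1"; threshold="${2:-3}"
  grep -E 'sshd\[[0-9]+\]: Failed password for' "$logfile" \
    | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Only the addresses that crossed the threshold, one per line.
ips_over_threshold() { failed_logins_by_ip "$1" "${2:-3}" | awk '{print $2}'; }

# Constructed sample log (not real traffic) to exercise the functions.
make_sample_log() {
  cat > "$1" <<'EOF'
Jan 10 03:14:01 node sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 10 03:14:03 node sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Jan 10 03:14:05 node sshd[2213]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jan 10 03:14:09 node sshd[2215]: Accepted publickey for staker from 192.168.88.5 port 40022 ssh2
Jan 10 03:15:40 node sshd[2220]: Failed password for staker from 192.168.88.9 port 40100 ssh2
EOF
}

sample=$(mktemp)
make_sample_log "$sample"
failed_logins_by_ip "$sample" 3   # 203.0.113.7 crossed the threshold; 192.168.88.9 did not
rm -f "$sample"
```

On a live node, feed it the real log (e.g. journalctl -u ssh --no-pager > /tmp/ssh.log) and compare the output with sudo fail2ban-client status sshd once Fail2Ban is installed; if Fail2Ban is watching the default port only, remember to point its sshd jail at the custom port chosen above.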
Staking node is not accessible from public IP:
If you need to connect to your node from remote networks, you must either set up a VPN, such as Tailscale (either on the server itself or on any other device in your local network), or buy a public IP from your ISP and follow the points for a server accessible from a public IP.
If you have SSH installed and running on your server, you must either block the SSH port in the firewall, disable SSH, or remove it. If SSH is not installed on your machine, you can skip this step: SSH access is already impossible.
Option 1: If preferred, remove the SSH server from the machine
sudo apt remove openssh-server
Option 2: Disable traffic on SSH port
Check whether traffic to port 22/tcp is allowed with the command
sudo ufw status numbered
Note: the default port 22 may have been changed, and it may not be allowed at all. If any TCP traffic to the SSH port is allowed, deny it. The command below is for the default SSH port 22.
sudo ufw deny 22/tcp
Security: Firewall
Configure the Firewall
Enable Firewall
sudo ufw enable
Check the firewall rules (numbered)
sudo ufw status numbered
Security: JWT
Generate the client authentication secret (JWT) for Gnosis
Create a new directory for jwtsecret files
sudo mkdir -p /var/lib/jwtsecret
Generate the JWT secret file with the openssl command-line tool (32 random bytes, written as 64 hex characters).
openssl rand -hex 32 | sudo tee /var/lib/jwtsecret/gnosis.hex > /dev/null
Check the generated authentication secret (the file should contain a single line of 64 hex characters)
nano /var/lib/jwtsecret/gnosis.hex
Press CTRL + X to exit the file without saving.
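The JWT secret is the only thing that stops a process on the machine (or on the network, if port 8551 is reachable) from talking to the execution client's Engine API, so it should be random, exactly 32 bytes, and not world-readable. The functions below are an added example rather than part of this guide: they generate the secret into a caller-supplied path with restrictive permissions, refuse to overwrite an existing one (both clients would have to be restarted with the new value), and check an existing file for length and permissions. Function names and the scratch directory are assumptions of this example; sudo tee as used in the guide produces a root-owned 0644 file, which is what the permission check flags.

```shell
#!/bin/sh
# Added example, not from the guide: create the Engine API JWT secret with
# restrictive permissions and verify an existing one. A valid secret is exactly
# 32 random bytes stored as 64 hex characters, as `openssl rand -hex 32` emits.
# Paths are parameters so it can be rehearsed outside /var/lib/jwtsecret.
set -eu

# Write a fresh 32-byte secret to FILE, readable by the owner only.
generate_jwt_secret() {
  file="$1"
  if [ -e "$file" ]; then
    echo "$file exists; refusing to overwrite a secret the clients may be using" >&2
    return 1
  fi
  ( umask 077
    if command -v openssl >/dev/null 2>&1; then
      openssl rand -hex 32 > "$file"
    else
      # Fallback without openssl: same 32 bytes from the kernel CSPRNG, hex-encoded.
      head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$file"
    fi )
}

# 0 when FILE holds exactly 64 hex characters (one line, optional trailing newline).
jwt_secret_is_valid() {
  [ -f "$1" ] || return 1
  tr -d '\n' < "$1" | grep -qxE '[0-9a-fA-F]{64}'
}

# 0 when FILE is not readable by group or others (0600 or 0400).
jwt_secret_is_private() {
  mode=$(stat -c '%a' "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Rehearsal in a constructed scratch directory, not /var/lib/jwtsecret.
dir=$(mktemp -d)
generate_jwt_secret "$dir/gnosis.hex"
jwt_secret_is_valid "$dir/gnosis.hex" && echo "secret has the right form"
jwt_secret_is_private "$dir/gnosis.hex" && echo "secret is owner-readable only"
rm -rf "$dir"
```

When the execution and consensus clients run under different system users, 0600 is too tight: give the file a shared group with mode 0640 (chgrp plus chmod 640) rather than falling back to 0644, and keep the two clients pointed at the same file.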
Security: VPN
Consider installing and setting up a VPN to hide your public IP
A VPN lets the server access the internet through an intermediary, the VPN server. Your server's IP address (and location) is then hidden behind the VPN server's IP address. The disadvantage is the potential instability of the VPN server, in terms of connection speed and possible outages that leave the node offline.
Change the default ports below if you are going to stake on more chains simultaneously (e.g. Ethereum and Gnosis at once) on the same machine. If you are going to stake Gnosis only, you can keep the default ports. If you are changing the default ports, be sure that the newly selected port is not already in use. Whether a port is in use may be checked with the following command (replace PORT with the number):
ss -tuln | grep ':PORT'
If it returns an empty response, the port is free and can be used.
Ports selection
P2P port (default port: 30303)
HTTP RPC port (default port: 8545)
Engine API port (default port: 8551)
Enable ports communication
To allow the execution client to synchronize, port 30303, reserved for P2P traffic, must be open for TCP (lets the node connect to peers) and UDP (node discovery). This is done with the following UFW rule:
sudo ufw allow 30303
Use this option only if you operate the execution client and the beacon client on different machines.
Enable port 30303 for P2P traffic
Port 30303 must be open on the machine running the execution client for the same reason as above (TCP for peer connections, UDP for node discovery):
sudo ufw allow 30303
Enable port 8551 for the IP of your second machine
sudo ufw allow from 192.168.88.0/27 to any port 8551
Note: Use the real address of your second machine and your real local network layout. The /27 above admits the whole 192.168.88.0 to 192.168.88.31 range; to admit a single host, use its address with /32 (e.g. from 192.168.88.5/32). Port 8551 is the Engine API, which only your beacon client should be able to reach, so never allow it from any address.
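A prefix length such as /27 is easy to misread, and the Engine API rule above is the one place in this guide where an over-wide prefix exposes something sensitive. The functions below are an added example, not part of the guide: they evaluate IPv4 CIDR membership in plain shell arithmetic so you can check, before running ufw, exactly which hosts a "from 192.168.88.0/27" rule would admit. The function names and the three sample hosts are this example's own; the range generalizes to any IPv4 prefix.

```shell
#!/bin/sh
# Added example, not from the guide: show which hosts a UFW rule such as
# "allow from 192.168.88.0/27 to any port 8551" admits. IPv4 only, plain
# shell arithmetic (64-bit integers in bash and dash).
set -eu

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Network mask for a prefix length, as a 32-bit integer.
prefix_mask() {
  bits="$1"
  if [ "$bits" -eq 0 ]; then
    echo 0
  else
    echo $(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
}

# 0 if IP lies inside CIDR, e.g. cidr_contains 192.168.88.0/27 192.168.88.30
cidr_contains() {
  net=${1%/*}; bits=${1#*/}; mask=$(prefix_mask "$bits")
  [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Number of addresses the CIDR covers (32 for a /27, 1 for a /32).
cidr_size() { echo $(( 1 << (32 - ${1#*/}) )); }

# Constructed check: which of these hosts would the guide's /27 rule let reach port 8551?
for host in 192.168.88.5 192.168.88.31 192.168.88.40; do
  if cidr_contains 192.168.88.0/27 "$host"; then
    echo "$host: allowed"
  else
    echo "$host: blocked"
  fi
done
echo "a /27 admits $(cidr_size 192.168.88.0/27) addresses; a /32 admits $(cidr_size 192.168.88.5/32)"
```

If the beacon machine has a fixed address, the /32 form is the rule to use; if it gets its address from DHCP, reserve the lease on the router first rather than widening the prefix.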
You can uncomment checkpoint-sync-url for a quick synchronization from a checkpoint. After enabling it, verify that you are on the expected chain, see https://checkpoint.gnosischain.com/ → Get started → Lighthouse
You can uncomment --target-peers to reduce bandwidth usage
If the file is empty, generate it with the command sudo /usr/local/bin/staking.sh init
Set the link to the proper service. It should read as follows:
beaconServices="gno-lighthousebeacon"
If you place more services in the category, separate them with a space, e.g. beaconServices="service1 service2 service3 ..."
Activate the service to start automatically on OS startup
Open the delayed-start utility
sudo nano /usr/local/bin/delayed-start.sh
Place or uncomment a command to start the beacon client(s)
/usr/local/bin/staking.sh start beacon
Verify that the service delayed-start.service exists and is enabled to launch automatically on system start.
sudo systemctl enable delayed-start.service
Install Lodestar
Install Node.js through NVM
Node Version Manager (NVM) is a piece of shell code that allows you to easily install and maintain different versions of Node.js and its associated packages.
NVM is installed with the permissions of the user running the install (you). It lives in your home directory (~/.nvm) and adds its loader lines to ~/.bashrc.
Source (reload) ~/.bashrc so that nvm becomes available in the current shell
source ~/.bashrc
Check available Node.js versions
nvm list-remote
Install the selected Node.js version (v22.16.0 in this example)
nvm install v22.16.0
Node.js is installed with the permissions of the user running the install (you)
Note: You can uncomment checkpoint-sync-url for a quick synchronization from a checkpoint. After enabling it, verify that you are on the expected chain, see https://checkpoint.gnosischain.com/ → Get started → Lodestar
Press CTRL + X then Y then ENTER to save and exit the config file.
Reload daemon
sudo systemctl daemon-reload
Run the service
sudo systemctl start gno-lodestarbeacon
Monitor the running Lodestar beacon service
systemctl status gno-lodestarbeacon
journalctl -fu gno-lodestarbeacon
Enable auto start on server startup
sudo systemctl enable gno-lodestarbeacon
Open the delayed-start shell script
sudo nano /usr/local/bin/delayed-start.sh
Configure the service start inside it
systemctl start gno-lodestarbeacon.service
Make sure delayed-start.service, the service controlling delayed-start.sh, is enabled to start with the system
Note: You can uncomment checkpoint-sync-url for a quick synchronization from a checkpoint. After enabling it, verify that you are on the expected chain, see https://checkpoint.gnosischain.com/ → Get started → Teku
Press CTRL + X then Y then ENTER to save and exit the config file.
Load changes
sudo systemctl daemon-reload
Launch the Teku beacon chain service
sudo systemctl start gno-tekubeacon
Check the service
systemctl status gno-tekubeacon
journalctl -fu gno-tekubeacon
Start the service automatically on system startup
sudo systemctl enable gno-tekubeacon
Open the delayed-start shell script
sudo nano /usr/local/bin/delayed-start.sh
Configure the service start inside it
systemctl start gno-tekubeacon.service
Make sure delayed-start.service, the service controlling delayed-start.sh, is enabled to start with the system
For an option to start syncing from a snapshot, set checkpoint-sync-url for a quick synchronization from a checkpoint. After enabling it, verify that you are on the expected chain, see https://checkpoint.gnosischain.com/ → Get started → Nimbus
Press CTRL + X then Y then ENTER to save and exit the config file.
Load changes
sudo systemctl daemon-reload
Start the Beacon chain service
sudo systemctl start gno-nimbusbeacon
Check the service
systemctl status gno-nimbusbeacon
journalctl -fu gno-nimbusbeacon
Start the service automatically on system startup
sudo systemctl enable gno-nimbusbeacon
Open the delayed-start shell script
sudo nano /usr/local/bin/delayed-start.sh
Configure the service start inside it
systemctl start gno-nimbusbeacon.service
Make sure delayed-start.service, the service controlling delayed-start.sh, is enabled to start with the system