Prerequisites for this Gnosis staking
- Staking node for Gnosis staking, see options and guides for Staking Node
- Access to the staking node operating system
- Interest in staking
Securing Ubuntu OS
In the matter of security, you must think about the way you are going to connect to / access your node - see the guide below.
Upgrade and update to the latest software and security updates.
$ sudo apt -y update && sudo apt -y upgrade
$ sudo apt dist-upgrade && sudo apt autoremove
$ sudo reboot
You can also create a shell script that will do this either on manual request or a schedule, see Update and Restart Ubuntu server Utility.
Configure the Firewall
- Install UFW and configure a deny policy for incoming and an allow policy for outgoing traffic
$ sudo apt install ufw
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
- Temporary until the next step: enable the SSH port for remote access (do this only if you are connected through SSH, i.e. you are not connected with a keyboard and monitor attached directly to the node)
sudo ufw allow 22/tcp
- Enable Firewall
$ sudo ufw enable
- Check Firewall Ports
sudo ufw status numbered
Managing the SSH access
- SSH allows you to connect to the server either from the local network or from a remote network.
- If you are going to connect to your node locally only (with a monitor and keyboard attached directly to the node), you do not need to install SSH, or you can simply disable it if it is already installed.
Check whether SSH is installed on the server:
which sshd
This command should print the path of the SSH daemon. If it prints nothing, SSH is not installed on the server and connecting to the server over SSH is not possible. If required, SSH can be installed with the following command:
sudo apt install openssh-server
With SSH access allowed, you must protect SSH access to your server from attackers. Based on your network configuration, access may be possible:
- From any network (your server has a public IP)
- From the local network only (your server is behind NAT)
- From a VPN network the node is assigned to
Even if you have enabled access from the local network only (your node is behind NAT), you should still protect your SSH access, as a potential attacker may use a compromised device in your local network to reach your node. The defence consists of increasing the number of obstacles that must be overcome to access your node:
- Modify the default SSH port
- Configure SSH keys
- Configure 2FA authentication
- Configure brute-force & DDoS protection
- Additional tips
Before configuring these security measures and connecting to your node, keep in mind the basic rule to also maintain the security of the computer(s) you are going to use for connecting to your node (theft of the SSH keys) as well as of the other devices required for the connection (theft of 2FA codes), etc.
Modify the default SSH port
As port 22 is the default port for SSH connections, it is the first port a potential attacker tests. Change it to a different free port.
- Choose a port number for SSH: any number between 21 and 49151 (this guide uses 1024 in the commands below).
- Check that the selected port for SSH is not already in use
sudo ss -tulpn | grep ':1024'
- blank response = the port is not in use
- red text response = the port is already in use. Check the availability of a different port number in that case.
- Change the SSH port from the default 22 to 1024 in the SSH config file
- Open the sshd_config config file
sudo nano /etc/ssh/sshd_config
- Find the Port directive, usually Port 22. It specifies the port currently used for SSH access. Rewrite the port value to Port 1024
- Press CTRL+X, then Y, then ENTER to save and exit the config file.
- Enable port 1024 for SSH/TCP connections
sudo ufw allow 1024/tcp
- Restart the SSH service to apply the changes.
sudo systemctl restart ssh
After the restart, you will no longer be able to connect through SSH over port 22. Be sure you connect over port 1024 next time.
- Disable the default port 22 for SSH/TCP connections
sudo ufw deny 22/tcp
- Check your port settings if needed
sudo ufw status numbered
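The port-change steps above as one script, added here as an example and not part of the original guide. It assumes UFW and Ubuntu's ssh / ssh.socket units, and restricts the new port to 1024-49151 as its own stricter choice.

```shell
#!/bin/sh
# Added example, not part of the guide: the SSH port-change procedure as a script
# with the checks done before the running daemon is touched. Run as root, e.g.
#   sudo sh change-ssh-port.sh 1024
# Assumptions: UFW is the firewall (as in this guide), the service is ssh / ssh.socket
# (Ubuntu), and the 1024-49151 range is this example's own, stricter choice.
set -eu

SSHD_CONFIG=/etc/ssh/sshd_config

# Accept only registered, unprivileged ports: below 1024 collides with well-known
# services, above 49151 with the ephemeral range used for outgoing connections.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 49151 ]
}

# True when some socket already listens on the port (TCP or UDP): the guide's
# "ss -tulpn | grep" check, anchored on the Local Address:Port column only.
port_in_use() {
  ss -Hltun 2>/dev/null | awk '{ print $5 }' | grep -qE "[:.]$1\$"
}

# Rewrite the (possibly commented-out) Port directive of an sshd_config file in
# place, or append one when the file has none.
set_sshd_port() {   # set_sshd_port <config-file> <port>
  if grep -qE '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$1"; then
    sed -i -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $2/" "$1"
  else
    printf 'Port %s\n' "$2" >> "$1"
  fi
}

# Effective port according to the config file (sshd's default 22 when absent).
get_sshd_port() {   # get_sshd_port <config-file>
  awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

change_ssh_port() { # change_ssh_port <new-port>
  valid_port "$1"  || { echo "port must be a number between 1024 and 49151" >&2; return 1; }
  port_in_use "$1" && { echo "port $1 is already in use on this host" >&2; return 1; }
  set_sshd_port "$SSHD_CONFIG" "$1"
  sshd -t                            # config syntax check; aborts (set -e) on failure
  ufw allow "$1/tcp" comment 'ssh'   # open the new port BEFORE the old one is closed
  # Ubuntu 22.10 and later start sshd on demand through ssh.socket, whose listen
  # port is generated from sshd_config; daemon-reload plus socket restart applies it.
  systemctl daemon-reload
  systemctl restart ssh.socket 2>/dev/null || systemctl restart ssh
  echo "sshd now listens on port $(get_sshd_port "$SSHD_CONFIG")."
  echo "Open a NEW session on that port first, then run: ufw delete allow 22/tcp"
}

# Only act when a port was given, so the functions can also be sourced and tested.
if [ "$#" -gt 0 ]; then change_ssh_port "$1"; fi
```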
Configure SSH keys
By default, SSH connections can be made using a combination of username and password. As a password is usually somewhat "short" and thus susceptible to brute-force attacks, keylogger attacks and so on, SSH keys significantly enhance the security of the login process. See the SSH keys step-by-step guide.
Configuring 2FA authentication
2FA (two-factor authentication) adds a code you must provide to access your node. You may know 2FA from crypto exchanges. In the same way you can protect logging in to your node. See the 2FA Google Authenticator activation guide.
Configuring Brute-force & DDoS protection
To defend against Brute Force and DDoS attacks, one can monitor incoming connections and block IP addresses that repeatedly attempt to log in with incorrect credentials. Installing the Fail2Ban package can assist with this.
Guide to activate Fail2Ban.
Securing remote access tips
- Staking node is accessible from a public IP:
- If you do not need to connect to your node from remote networks, move your node behind a router that prevents access to the node.
- If you want to keep this feature, you should still consider moving the node behind a router, setting up a VPN on the router and, when connecting to the node, first connecting to the router VPN and then connecting to the node from the "local" network through its local IP.
- Staking node is not accessible from a public IP:
- If you need to connect to your node from remote networks, you must either set up a VPN such as Tailscale (either on the server itself or on any other device in your local network), or buy a public IP from your ISP and follow the points for a server accessible from a public IP.
If you have SSH installed and running on your server, you must either disable the ports for SSH traffic, disable SSH, or remove it. If SSH is not installed on your machine, you can skip this step; SSH access is already not possible.
Option 1: Stop and disable the ssh service
sudo systemctl stop ssh
sudo systemctl disable ssh
If preferred, you can remove the SSH server from the machine
sudo apt remove openssh-server
Option 2: Disable traffic on the SSH port
Check whether traffic on port 22/tcp is enabled with the command
sudo ufw status numbered
Note: the default port 22 could have been changed, or may not be enabled at all. If any tcp traffic is enabled for SSH, disable it. The command below is for the default SSH port 22.
sudo ufw deny 22/tcp
Consider installing and setting up a VPN to hide your public IP
A VPN allows the server to access the internet through an intermediary in the form of a VPN server. In that case, your server's IP address (and location) is hidden behind the VPN server's IP address. The disadvantage is the potential instability of the VPN server, in terms of connection speed and possible drops into an offline state.
Complete guide to install, configure and activate Mullvad VPN on Ubuntu server. Note: If you need to have Mullvad and Tailscale active simultaneously, follow the guide for setting netfilter rules.
Check / set basic config for your node machine
- Check that you are not logged in as root. If so, create a new user with sudo, see section Staking on rented hardware.
- Check the swap space
free -h
If there is no swap space created on your node, configure a swap space.
- Check the timedatectl service for the time synchronization option. Check the current state:
timedatectl status
NTP service must be active. If not, run
sudo timedatectl set-ntp on
System clock synchronized must be yes. If not, and you have an active VPN client, set a split tunnel for the timedatectl service.
- Create a downloads directory on your machine
mkdir ~/downloads
This folder will be used for downloading clients.
Generate Client Authentication Secret for Gnosis
- Create a new directory for the jwtsecret file
sudo mkdir -p /var/lib/jwtsecret
- Generate the JWT file using the openssl cryptography library.
openssl rand -hex 32 | sudo tee /var/lib/jwtsecret/gnosis.hex > /dev/null
- Check the generated authentication secret
$ nano /var/lib/jwtsecret/gnosis.hex
Press CTRL+X to exit the file.
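An added example (not from the guide) that generates the same secret but limits read access to root and the client service users through a shared group, and validates the format the clients expect; the group name jwtsecret is this example's assumption, the path and user names are the guide's.

```shell
#!/bin/sh
# Added example, not part of the guide: create the Engine API secret so that it is
# readable only by root and the client service users, and validate its format the way
# the clients will (32 random bytes as 64 hex characters). "openssl rand -hex 32 | sudo
# tee" as in the guide leaves a world-readable file; a shared group avoids that.
# Assumptions: the group name "jwtsecret" is this example's choice; the service user
# names and /var/lib/jwtsecret/gnosis.hex are the guide's. Provisioning runs as root.
set -eu

gen_hex32() {   # 32 random bytes, hex encoded (openssl when present, /dev/urandom otherwise)
  if command -v openssl >/dev/null 2>&1; then openssl rand -hex 32
  else head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; echo; fi
}

# 0 when the file holds exactly 64 hex characters (optionally 0x-prefixed), else 1.
is_valid_jwt_secret() {   # is_valid_jwt_secret <file>
  [ -f "$1" ] || return 1
  tr -d '\n' < "$1" | grep -qxE '(0x)?[0-9a-fA-F]{64}'
}

# Write a fresh secret atomically with mode 0600 (0640 plus group when a group is
# given), so the file never exists with permissive permissions, not even briefly.
write_jwt_secret() {      # write_jwt_secret <file> [group]
  dir=$(dirname "$1"); mkdir -p "$dir"
  ( umask 077; gen_hex32 > "$1.tmp" )
  if [ -n "${2:-}" ]; then chgrp "$2" "$1.tmp"; chmod 0640 "$1.tmp"; fi
  mv "$1.tmp" "$1"
  is_valid_jwt_secret "$1"
}

# Create the group, write the secret and grant the named service users read access
# through it; systemd gives a unit's User= its supplementary groups from /etc/group.
provision_jwt_secret() {  # provision_jwt_secret <file> <service-user>...
  file="$1"; shift
  getent group jwtsecret >/dev/null || groupadd --system jwtsecret
  write_jwt_secret "$file" jwtsecret
  for u in "$@"; do usermod -aG jwtsecret "$u"; done
  ls -l "$file"           # expect: -rw-r----- root jwtsecret
}

# On the node, as root (both clients of this guide then read the same secret):
#   provision_jwt_secret /var/lib/jwtsecret/gnosis.hex gno-nethermind gno-lighthousebeacon
```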
Install and configure the preferred execution client
Installing Nethermind client
Nethermind documentation: https://docs.nethermind.io/
- Find the latest stable version of Nethermind on GitHub at https://github.com/NethermindEth/nethermind/releases
- Write the latest stable Nethermind version in a format such as 1.29.1-dfea5240 (this guide uses 1.29.1-dfea5240 in the commands below).
- Download Nethermind version 1.29.1-dfea5240 to your node
cd ~/downloads && curl -LO https://github.com/NethermindEth/nethermind/releases/download/1.29.1/nethermind-1.29.1-dfea5240-linux-x64.zip
- Install the package for unzipping
sudo apt-get install -y unzip
- Unzip the downloaded file
unzip nethermind-1.29.1-dfea5240-linux-x64.zip -d nethermind
- Copy the client to /usr/local/bin/
sudo cp -a nethermind /usr/local/bin/nethermind
- Remove downloaded files
cd ~/downloads && rm nethermind-1.29.1-dfea5240-linux-x64.zip && rm -r nethermind
Create a system user and data directory for the Nethermind service
- Create a user:
sudo useradd --system --no-create-home --shell /bin/false gno-nethermind
- Create a folder for Nethermind data on Gnosis chain:
sudo mkdir -p /var/lib/gnosis/nethermind
- Set access permissions and ownership for the Nethermind data folder
sudo chown -R gno-nethermind:gno-nethermind /var/lib/gnosis/nethermind
Configure & run the Nethermind service
- Choose ports for communication
Change the default ports below if you are going to stake on more chains simultaneously (e.g. Ethereum and Gnosis at once) on the same machine. If you are going to stake Gnosis only, you can keep the default ports. If you are changing the default ports, be sure that the newly selected port is not already in use. Whether a port is in use may be checked with the following command:
ss -tuln | grep ':PORT'
- If it returns an empty response, the port is free and can be used.
Ports selection
- P2P port (default port: 30303)
- JSON-RPC port (default port: 8545)
- Engine API port (default port: 8551)
If needed, check JSON RPC server and fundamentals in the Nethermind documentation.
- Enable the port for P2P communication (execution client)
To allow execution client synchronization, P2P traffic has to be enabled on TCP (allows the node to connect to peers) and UDP (allows node discovery) port 30303. It may be done with the following UFW setup:
$ sudo ufw allow 30303
- Create the configuration file for the Nethermind service
- Open the Nethermind configuration file
sudo nano /etc/systemd/system/gno-nethermind.service
- Copy the configuration below into the file. If needed, check the flags documentation.
[Unit]
Description=Nethermind Execution Client (Gnosis chain)
After=network.target
Wants=network.target

[Service]
User=gno-nethermind
Group=gno-nethermind
Type=simple
Restart=always
RestartSec=5
WorkingDirectory=/var/lib/gnosis/nethermind
Environment="DOTNET_BUNDLE_EXTRACT_BASE_DIR=/var/lib/gnosis/nethermind"
ExecStart=/usr/local/bin/nethermind/nethermind \
  --config gnosis \
  --datadir /var/lib/gnosis/nethermind \
  --JsonRpc.JwtSecretFile /var/lib/jwtsecret/gnosis.hex \
# --Sync.SnapSync false \  (supported since v1.28)
# --Sync.FastSync true \
  --Sync.SnapSync true \
  --Network.P2PPort 30303 \
  --Network.DiscoveryPort 30303 \
  --JsonRpc.EnginePort 8551 \
  --JsonRpc.Port 8545
# --Network.ActivePeersMaxCount 25 \
# --Blocks.TargetBlockGasLimit 17000000

[Install]
WantedBy=default.target
- Press CTRL+X, then Y, then ENTER to save and exit the config file.
- Start the Nethermind service
sudo systemctl daemon-reload
sudo systemctl start gno-nethermind
- Check the service
systemctl status gno-nethermind
journalctl -fu gno-nethermind
If you see the message "Waiting for Forkchoice message from Consensus Layer to set fresh pivot block", you can move on to the consensus client setup.
- Start the service automatically on system startup
sudo systemctl enable gno-nethermind
Installing Erigon client
Erigon documentation: https://erigon.gitbook.io/erigon
Find the latest stable version of Erigon on GitHub
- Find the latest Erigon version at https://github.com/ledgerwatch/erigon/releases. For the AMD64 v1/v2 builds, see Microarchitecture levels.
- Write the latest stable Erigon version (this guide uses 2.60.10 in the commands below).
- Download Erigon version 2.60.10
cd ~/downloads && curl -LO https://github.com/erigontech/erigon/releases/download/v2.60.10/erigon_v2.60.10_linux_amd64v2.tar.gz
- Verify the hash of the downloaded file
Get the hash of the downloaded file and compare it with the official hash for the file from https://github.com/erigontech/erigon/releases/download/v2.60.10/erigon_v2.60.10_checksums.txt (note: the link points at version 2.60.10)
sha256sum erigon_v2.60.10_linux_amd64v2.tar.gz
- Extract the downloaded package
tar xvf erigon_v2.60.10_linux_amd64v2.tar.gz
- Copy the extracted Erigon library
sudo cp -a erigon_v2.60.10_linux_amd64v2 /usr/local/bin/erigonlib
- Remove downloaded files
cd ~/downloads && rm -r erigon_v2.60.10_linux_amd64v2.tar.gz && rm -r erigon_v2.60.10_linux_amd64v2
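The hash comparison from the Erigon steps above as a script that refuses mismatched and unlisted archives before anything is extracted; an added example, not Erigon's or the guide's own tooling, assuming a sha256sum-style checksum list.

```shell
#!/bin/sh
# Added example, not part of the guide: verify a downloaded release archive against the
# publisher's checksum list before it is extracted, and refuse archives that are not listed.
# Assumptions: the checksum list uses the sha256sum format (hash, whitespace, file name) as
# erigon_v2.60.10_checksums.txt does; curl, sha256sum and tar are available.
set -eu

# verify_sha256 <checksums-file> <archive>
# returns 0 on a match, 1 on a mismatch, 2 when the archive has no entry in the list.
# The third case matters: "sha256sum -c --ignore-missing" reports success when nothing
# in the list matched, so a list that does not mention the archive at all would pass.
verify_sha256() {
  name=$(basename "$2")
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$1")
  [ -n "$expected" ] || { echo "$name: no entry in $(basename "$1")" >&2; return 2; }
  actual=$(sha256sum "$2" | awk '{ print $1 }')
  if [ "$actual" = "$expected" ]; then echo "$name: OK"; return 0; fi
  echo "$name: MISMATCH expected $expected got $actual" >&2
  return 1
}

# fetch_and_verify <release-base-url> <archive> <checksums> : download both files next
# to each other, verify, and only then extract. With set -e a failed check aborts the
# script before tar runs, so a corrupted or tampered archive never reaches /usr/local/bin.
fetch_and_verify() {
  curl -fLO "$1/$2"
  curl -fLO "$1/$3"
  verify_sha256 "$3" "$2"
  tar xvf "$2"
}

# The Erigon release used in this guide (run inside ~/downloads):
#   fetch_and_verify https://github.com/erigontech/erigon/releases/download/v2.60.10 \
#     erigon_v2.60.10_linux_amd64v2.tar.gz erigon_v2.60.10_checksums.txt
```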
Create a system user and data directory for the Erigon service
- Create a user:
sudo useradd --system --no-create-home --shell /bin/false gno-erigon
- Create a folder for Erigon data on the Gnosis network:
sudo mkdir -p /var/lib/gnosis/erigon
- Set access permissions and ownership for the Erigon data folder
sudo chown -R gno-erigon:gno-erigon /var/lib/gnosis/erigon
Configure & run the Erigon service
- Choose ports for communication
Change the default ports below if you are going to stake on more chains simultaneously (e.g. Ethereum and Gnosis at once) on the same machine. If you are going to stake Gnosis only, you can keep the default ports. If you are changing the default ports, be sure that the newly selected port is not already in use. Whether a port is in use may be checked with the following command:
ss -tuln | grep ':PORT'
- If it returns an empty response, the port is free and can be used.
Ports selection
- P2P port (default port: 30303)
- JSON-RPC port (default port: 8545)
- Engine API port (default port: 8551)
Enable the port for P2P communication (execution client)
To allow execution client synchronization, P2P traffic has to be enabled on TCP (allows the node to connect to peers) and UDP (allows node discovery) port 30303. It may be done with the following UFW setup:
$ sudo ufw allow 30303
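For both the Nethermind and the Erigon port sections, an added example (not from the guide) that reports which listening ports are bound to all interfaces rather than loopback. It assumes the guide's default ports, the SSH port 1024 chosen earlier, and ss -Hltun output; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not part of the guide: audit which listening ports are reachable from
# other hosts. Of the ports chosen above only P2P (30303, plus the beacon's 9000/9001)
# and SSH should bind all interfaces; the Engine API (8551) and JSON-RPC (8545) must
# stay on loopback, because otherwise UFW is the only thing between them and the network.
# Assumptions: the guide's default ports and the SSH port 1024 chosen earlier; input is
# "ss -Hltun" output (header-less, listening TCP+UDP, numeric).
set -eu

# Ports expected to listen on all interfaces.
PUBLIC_OK="30303 9000 9001 1024"

# Reads ss output on stdin and prints one line per port bound to a wildcard address
# that is not in the allow list; exit status 1 when at least one such port exists.
audit_exposed() {   # audit_exposed [allowed-ports]
  awk -v ok="${1:-$PUBLIC_OK}" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
    {
      # Local Address:Port is column 5: 0.0.0.0:8545, *:8545, [::]:8545, 127.0.0.1:8551
      m = split($5, p, ":"); port = p[m]
      addr = substr($5, 1, length($5) - length(port) - 1)
      wildcard = (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "::")
      if (wildcard && !(port in allow) && !seen[port]++) {
        printf "EXPOSED: %s port %s bound to %s (expected 127.0.0.1 only)\n", $1, port, addr
        found = 1
      }
    }
    END { exit found ? 1 : 0 }'
}

# Constructed sample (not captured from a real node): a JSON-RPC port wrongly bound to
# all interfaces while everything else follows the guide.
SAMPLE_SS='tcp   LISTEN 0 4096      0.0.0.0:1024    0.0.0.0:* users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0 4096      0.0.0.0:30303   0.0.0.0:*
udp   UNCONN 0 0         0.0.0.0:30303   0.0.0.0:*
tcp   LISTEN 0 4096    127.0.0.1:8551    0.0.0.0:*
tcp   LISTEN 0 4096      0.0.0.0:8545    0.0.0.0:*
tcp   LISTEN 0 4096         [::]:9000       [::]:*
udp   UNCONN 0 0            [::]:9001       [::]:*
tcp   LISTEN 0 4096    127.0.0.1:5052    0.0.0.0:*'

# Audit the constructed sample, or the running host when called with --live.
run_audit() {       # run_audit [--live]
  if [ "${1:-}" = "--live" ]; then ss -Hltun | audit_exposed
  else printf '%s\n' "$SAMPLE_SS" | audit_exposed; fi
}

if [ "${1:-}" = "--live" ]; then run_audit --live; fi
```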
Create the configuration file for the Erigon service
- Open the configuration file
sudo nano /etc/systemd/system/gno-erigon.service
- Copy the configuration below into the file
[Unit]
Description=Erigon Execution Client (Gnosis Chain)
After=network.target
Wants=network.target

[Service]
User=gno-erigon
Group=gno-erigon
Type=simple
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/erigonlib/erigon \
  --chain=gnosis \
  --datadir=/var/lib/gnosis/erigon \
  --authrpc.jwtsecret=/var/lib/jwtsecret/gnosis.hex \
# --externalcl \
  --prune=htcr
# --private.api.addr= \
# --prune.r.before=11052984

[Install]
WantedBy=default.target
- Press CTRL+X, then Y, then ENTER to save and exit the config file.
- Start the service
sudo systemctl daemon-reload
sudo systemctl start gno-erigon
- Check the service
systemctl status gno-erigon
journalctl -fu gno-erigon
- Start the service on system startup
sudo systemctl enable gno-erigon
Consensus client
Install Consensus client
- Find the latest stable version of Lighthouse on GitHub at https://github.com/sigp/lighthouse/releases
- Write the latest stable Lighthouse version (this guide uses 5.3.0 in the commands below).
- Download Lighthouse version 5.3.0 to your node
cd ~/downloads && curl -LO https://github.com/sigp/lighthouse/releases/download/v5.3.0/lighthouse-v5.3.0-x86_64-unknown-linux-gnu.tar.gz
- Extract the downloaded file
$ tar xvf lighthouse-v5.3.0-x86_64-unknown-linux-gnu.tar.gz
- Replace the old Lighthouse client with the new one
$ sudo cp ~/downloads/lighthouse /usr/local/bin
- Remove downloaded files
$ cd ~/downloads && rm lighthouse-v5.3.0-x86_64-unknown-linux-gnu.tar.gz && rm -r lighthouse
Configure the Lighthouse Beacon service
- Create a user for the Lighthouse beacon:
$ sudo useradd --system --no-create-home --shell /bin/false gno-lighthousebeacon
- Create a directory for data:
$ sudo mkdir -p /var/lib/gnosis/lighthouse/beacon
- Set permissions for accessing the directory
$ sudo chown -R gno-lighthousebeacon:gno-lighthousebeacon /var/lib/gnosis/lighthouse/beacon
Create the configuration file for the Lighthouse Beacon service
- Open the Lighthouse Beacon configuration file
$ sudo nano /etc/systemd/system/gno-lighthousebeacon.service
- Copy the configuration below into the file. If needed, check the flags documentation.
[Unit]
Description=Lighthouse Consensus Client BN (Gnosis Network)
Wants=network-online.target
After=network-online.target

[Service]
User=gno-lighthousebeacon
Group=gno-lighthousebeacon
Type=simple
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/lighthouse bn \
  --network gnosis \
  --datadir /var/lib/gnosis/lighthouse \
# --subscribe-all-subnets \
  --execution-endpoint http://localhost:8551 \
  --execution-jwt /var/lib/jwtsecret/gnosis.hex \
  --target-peers 50 \
  --checkpoint-sync-url https://checkpoint.gnosischain.com/ \
  --http \
  --port 9000 \
  --port6 9090 \
# --discovery-port 9000 \
  --quic-port 9001 \
  --quic-port6 9091 \
  --http-port 5052

[Install]
WantedBy=multi-user.target
- Press CTRL+X, then Y, then ENTER to save and exit the config file.
- Load the changes made in the config files into the system
$ sudo systemctl daemon-reload
- Start the service
$ sudo systemctl start gno-lighthousebeacon
- Check the state
$ systemctl status gno-lighthousebeacon
$ journalctl -fu gno-lighthousebeacon
- Activate the service to start automatically
$ sudo systemctl enable gno-lighthousebeacon
Installing NodeJS through the Node Version Manager
Node Version Manager (NVM) is a piece of shell code that allows you to easily install and maintain different versions of Node.js and its associated packages.
- Check the latest version of NVM on GitHub.
- View the code of NVM version 0.39.4 before running it
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.4/install.sh
- Install NVM
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.4/install.sh | bash
NVM will be installed with the permissions of the user running the command (you). NVM is installed into the user account, specifically into ~/.nvm, and its loader lines are added to ~/.bashrc.
- Source/reload nvm to be able to use it
source ~/.bashrc
- Check the available Node.js versions (this guide uses v20.11.0 below)
nvm list-remote
- Install the requested Node.js version
nvm install v20.11.0
Node.js is installed with the permissions of the user running the command (you).
- Show the active Node.js version in use
node -v
If no version is selected, use
nvm use 20.11.0
- Install build-essential tools
sudo apt-get install build-essential -y
- Install Yarn
corepack enable
corepack prepare yarn@stable --activate
yarn help
Build Lodestar
- Download the latest Lodestar client from GitHub
cd ~/downloads && git clone -b stable https://github.com/chainsafe/lodestar.git
- Install dependencies with yarn
cd lodestar && yarn install
- Build the Lodestar client
yarn run build
- Check the built Lodestar version
./lodestar -v
- Copy the new production client to the /usr/local/bin directory
sudo cp -a ~/downloads/lodestar /usr/local/bin
Configure the Lodestar Beacon service
- Configure the lodestarbeacon service user and data directory
- Create a service user:
$ sudo useradd --system --no-create-home --shell /bin/false gno-lodestarbeacon
- Enable the gno-lodestarbeacon user to access Node.js, which is installed under your own user account (myserveruser stands for your username):
sudo usermod -aG myserveruser gno-lodestarbeacon
- Create a directory for Lodestar Beacon data:
sudo mkdir -p /var/lib/gnosis/lodestar/beacon
- Set directory ownership
sudo chown -R gno-lodestarbeacon:gno-lodestarbeacon /var/lib/gnosis/lodestar/beacon
Create the configuration file for the Lodestar beacon service
- Open the configuration file
sudo nano /etc/systemd/system/gno-lodestarbeacon.service
- Copy the following configuration into the file. The Node.js version used in the PATH below can be obtained with the command
$ node --version
[Unit]
Description=Lodestar Consensus Beacon Client (Gnosis Chain)
Wants=network-online.target
After=network-online.target

[Service]
User=gno-lodestarbeacon
Type=simple
Restart=always
RestartSec=5
WorkingDirectory=/usr/local/bin/lodestar
Environment="PATH=/home/myserveruser/.nvm/versions/node/v20.11.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
ExecStart=/usr/local/bin/lodestar/lodestar beacon \
  --network gnosis \
  --dataDir /var/lib/gnosis/lodestar/beacon \
  --execution.urls http://127.0.0.1:8551 \
  --jwt-secret /var/lib/jwtsecret/gnosis.hex \
  --port 9000 \
  --port6 9090
# --suggestedFeeRecipient 0x.........................

[Install]
WantedBy=multi-user.target
Check all available flags.
- Press CTRL+X, then Y, then ENTER to save and exit the config file.
- Reload the daemon
sudo systemctl daemon-reload
- Run the service
sudo systemctl start gno-lodestarbeacon
- Monitor the running Lodestar Beacon service
systemctl status gno-lodestarbeacon
journalctl -fu gno-lodestarbeacon
- Enable auto start on server startup
sudo systemctl enable gno-lodestarbeacon
Install Java
cd ~/downloads && wget https://download.oracle.com/java/21/latest/jdk-21_linux-x64_bin.deb
sudo apt install ./jdk-21_linux-x64_bin.deb
java --version
- Find the latest stable version of Teku on GitHub at https://github.com/Consensys/teku/releases
- Write the latest stable Teku version (this guide uses 24.10.3 in the commands below).
- Download the latest Teku version
cd ~/downloads && curl -LO https://artifacts.consensys.net/public/teku/raw/names/teku.tar.gz/versions/24.10.3/teku-24.10.3.tar.gz
- Unpack the downloaded Teku version
$ tar xvf teku-24.10.3.tar.gz
- Copy the Teku library
sudo cp -a ~/downloads/teku-24.10.3 /usr/local/bin/teku
- Remove downloaded files
cd ~/downloads && rm teku-24.10.3.tar.gz && rm -r teku-24.10.3
Configure the Teku Beacon service
- Create a user:
sudo useradd --system --no-create-home --shell /bin/false gno-tekubeacon
- Create a folder for Teku beacon data on Gnosis chain:
sudo mkdir -p /var/lib/gnosis/tekubeacon
- Set access permissions and ownership for the Teku beacon data folder
sudo chown -R gno-tekubeacon:gno-tekubeacon /var/lib/gnosis/tekubeacon
Configure & run the Teku beacon service
- Create the configuration file for the Teku beacon service
- Open the Teku beacon configuration file
sudo nano /etc/systemd/system/gno-tekubeacon.service
- Copy the configuration
[Unit]
Description=Teku Consensus Client (Gnosis chain)
Wants=network-online.target
After=network-online.target

[Service]
User=gno-tekubeacon
Group=gno-tekubeacon
Type=simple
Restart=always
RestartSec=5
Environment="JAVA_OPTS=-Xmx5g"
Environment="TEKU_OPTS=-XX:-HeapDumpOnOutOfMemoryError"
ExecStart=/usr/local/bin/teku/bin/teku \
  --network=gnosis \
  --data-path=/var/lib/gnosis/tekubeacon \
  --ee-endpoint=http://127.0.0.1:8551 \
  --ee-jwt-secret-file=/var/lib/jwtsecret/gnosis.hex \
  --metrics-enabled=true \
  --rest-api-enabled=true \
  --validators-proposer-default-fee-recipient=0x... \
# --checkpoint-sync-url= \
  --initial-state=https://checkpoint.gnosischain.com/eth/v2/debug/beacon/states/finalized

[Install]
WantedBy=multi-user.target
- Press CTRL+X, then Y, then ENTER to save and exit the config file.
- Load the changes
sudo systemctl daemon-reload
- Start the beacon chain service
sudo systemctl start gno-tekubeacon
- Check the service
systemctl status gno-tekubeacon
journalctl -fu gno-tekubeacon
- Start the service automatically on system startup
sudo systemctl enable gno-tekubeacon