Secure node access is the first line of defense for any blockchain infrastructure. Whether you're running an Ethereum execution client like Geth or Nethermind, a consensus client, or a validator, unauthorized access can lead to slashing, theft, or network disruption. This guide focuses on SSH (Secure Shell) as the industry standard for remote administration, moving beyond insecure password-based logins to cryptographic key pairs for authentication.
LABS
Guides
Setting Up Secure Node Access
A practical guide to configuring hardened remote access for blockchain nodes. Covers SSH key authentication, UFW firewall rules, fail2ban for intrusion prevention, and system monitoring with Prometheus and Grafana.
Chainscore © 2026
introduction
FOUNDATIONS
Setting Up Secure Node Access
A guide to establishing secure, authenticated connections to blockchain nodes, covering SSH, key management, and firewall configuration.
The core of secure access is the public-private key pair. Your private key, stored securely on your local machine, never leaves your possession. The corresponding public key is placed in the ~/.ssh/authorized_keys file on your node's server. When you connect, the server challenges your client to prove it holds the private key. This method is fundamentally more secure than passwords, which are vulnerable to brute-force attacks. For production nodes, disable password authentication entirely in /etc/ssh/sshd_config by setting PasswordAuthentication no.
Key management best practices are critical. Generate a strong key with ssh-keygen -t ed25519 (or -t rsa -b 4096). Never use a passphrase-less key for automated scripts; instead, use an SSH agent (ssh-agent) to hold decrypted keys in memory. For infrastructure, consider using a hardware security module (HSM) or a dedicated secrets manager like HashiCorp Vault to manage and rotate access credentials programmatically, especially in multi-validator setups.
Network-level hardening is the next layer. Configure your node's firewall (e.g., ufw or firewalld) to allow SSH only from specific, trusted IP addresses, drastically reducing your attack surface. Change the default SSH port from 22 to a non-standard port to avoid automated bot scans. For additional security, implement fail2ban, which automatically bans IP addresses that exhibit malicious login attempts, providing active defense against brute-force attacks.
For teams or advanced setups, SSH certificates offer a superior alternative to plain public keys. A Certificate Authority (CA) signs user keys, granting time-limited access with specific permissions. This centralizes revocation and eliminates the need to manage individual public keys on every server. Tools like OpenSSH's built-in CA or Teleport provide robust frameworks for implementing certificate-based access in enterprise-grade node operations.
Finally, monitor and audit all access. Use journalctl -u ssh or audit logs to review successful and failed login attempts. Set up alerts for logins from unexpected locations or at unusual times. Secure node access isn't a one-time setup but an ongoing practice of key rotation, rule review, and vigilant monitoring to protect your stake and the network's integrity.
prerequisites
PREREQUISITES
Setting Up Secure Node Access
A secure foundation is essential for interacting with blockchain nodes. This guide covers the core tools and configurations you'll need.
Before connecting to any blockchain node, you must install and configure the foundational command-line tools. The primary requirement is a secure shell (SSH) client. On macOS and Linux, ssh is typically pre-installed. Windows users should install Windows Subsystem for Linux (WSL) or use a dedicated client like PuTTY. You will also need scp (secure copy) for file transfers. Verify your installation by running ssh -V in your terminal to confirm the OpenSSH version.
Secure access is governed by SSH key pairs, not passwords. Generate a new 4096-bit RSA key pair using ssh-keygen -t rsa -b 4096. Store the private key (id_rsa) securely on your local machine with strict permissions (chmod 600). The public key (id_rsa.pub) is what you provide to node providers. For enhanced security, consider using the Ed25519 algorithm (ssh-keygen -t ed25519), which offers stronger security with smaller keys. Never share your private key or transmit it over a network.
Node providers like Chainscore, Alchemy, or Infura grant access via unique connection endpoints. You will typically receive a WebSocket (WSS) or HTTPS URL and an API key. For direct RPC nodes, you may get an IP address or hostname. Configure your local environment by setting these as variables: export RPC_URL="wss://eth-mainnet.g.alchemy.com/v2/YOUR_KEY". For development frameworks like Hardhat or Foundry, add this endpoint to your configuration file (e.g., hardhat.config.js). Always use environment variables to avoid committing secrets to version control.
To test your setup, use curl for HTTP RPC endpoints or a library like websocat for WebSockets. A basic health check is to call the eth_chainId method: curl -X POST $RPC_URL -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'. A successful response confirms network connectivity. For ongoing management, tools like tmux or screen are invaluable for running persistent node client sessions, and jq is essential for parsing JSON RPC responses directly in the terminal.
Implement network-level security by configuring a firewall. Use ufw (Uncomplicated Firewall) on Linux to allow only necessary ports (e.g., port 22 for SSH from your IP). For cloud-based nodes, configure security groups or VPC firewalls to restrict inbound traffic. Establish a routine for key rotation and audit access logs. Combining strong cryptographic keys, endpoint security, and network hardening creates a defense-in-depth strategy crucial for managing node infrastructure in production environments.
step-1-ssh-keys
SECURITY
Step 1: Configure SSH Key Authentication
SSH key authentication is the standard for secure, passwordless access to remote servers. This method is more secure than passwords and essential for managing blockchain nodes.
SSH (Secure Shell) key authentication uses a pair of cryptographic keys to verify your identity instead of a password. The private key stays securely on your local machine, while the public key is placed on the server you want to access. When you connect, the server uses your public key to create a challenge that can only be answered with your private key. This method is resistant to brute-force attacks and is the foundation for secure, automated access to node infrastructure.
To begin, you must generate a key pair on your local computer. Open a terminal and run ssh-keygen -t ed25519 -a 100. This command creates a new Ed25519 key, which is more secure and performant than older RSA keys. You'll be prompted to choose a save location (the default ~/.ssh/id_ed25519 is fine) and an optional passphrase. A passphrase adds an extra layer of security by encrypting your private key on disk.
Next, you need to copy your public key to your node. Use the ssh-copy-id command: ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your_node_ip. Replace user with your server username and your_node_ip with the node's IP address. This command securely transfers your public key and appends it to the ~/.ssh/authorized_keys file on the server. If ssh-copy-id is unavailable, you can manually copy the contents of your id_ed25519.pub file and append them to that remote file.
After copying the key, test the connection by running ssh user@your_node_ip. If configured correctly, you will log in without a password (you may only need your key's passphrase). It is critical to disable password authentication on the server to prevent unauthorized access attempts. Edit /etc/ssh/sshd_config, set PasswordAuthentication no and PubkeyAuthentication yes, then restart the SSH service with sudo systemctl restart sshd.
For managing multiple nodes or keys, use an SSH agent. Start it with eval "$(ssh-agent -s)" and add your private key using ssh-add ~/.ssh/id_ed25519. The agent stores your decrypted key in memory, allowing you to connect to servers without re-entering your passphrase for each session. This is especially useful for scripts and automated deployment tools.
Always protect your private key (id_ed25519). Never share it, transmit it over insecure channels, or store it on cloud services without encryption. For team access, each member should generate their own key pair, and their public keys should be added to the server individually. This practice provides clear audit trails and allows for easy key revocation if a team member's access needs to be removed.
step-2-firewall-ufw
SECURITY
Step 2: Set Up a Firewall with UFW
Configure Uncomplicated Firewall (UFW) to restrict server access to only essential ports, creating a critical first line of defense for your blockchain node.
A firewall is a non-negotiable security layer for any internet-facing server. It acts as a gatekeeper, controlling which network traffic is allowed to reach your node based on predefined rules. For blockchain nodes, this is essential to prevent unauthorized access attempts, DDoS attacks, and exploitation of unnecessary open ports. We will use Uncomplicated Firewall (UFW), a user-friendly interface for the powerful iptables firewall, to implement a default-deny policy.
First, ensure UFW is installed. On Ubuntu/Debian systems, it is typically pre-installed. If not, install it with sudo apt update && sudo apt install ufw. Before enabling the firewall, we must set the default policies. The most secure configuration is to deny all incoming connections and allow all outgoing connections. This means your server can initiate outbound requests (e.g., to sync with peers) but will block all unsolicited inbound traffic. Set these defaults with:
bashsudo ufw default deny incoming sudo ufw default allow outgoing
Now, we define the specific exceptions to the default-deny rule. For a standard Ethereum execution client like Geth or Nethermind, you need to open port 30303 TCP/UDP for peer-to-peer discovery and communication. If you are running a consensus client (e.g., Lighthouse, Prysm), you will also need port 9000 TCP/UDP. For SSH access, which is mandatory for remote administration, open port 22. Use the following commands, replacing $PORT with the actual number:
bashsudo ufw allow 30303/tcp sudo ufw allow 30303/udp sudo ufw allow 22/tcp
Always verify the exact ports required by your specific client software.
After adding your rules, enable UFW with sudo ufw enable. The system will warn you that enabling the firewall may disrupt existing SSH connections. Since we've explicitly allowed port 22, this is safe. You can check the status and list all active rules with sudo ufw status verbose. This command shows the default policies and your configured allowances, confirming your node is now protected. For any future client changes, remember to update the firewall rules accordingly before restarting the service.
Important Note on Cloud Providers: If you are using a VPS from providers like AWS, Google Cloud, or DigitalOcean, they often have their own cloud firewall (Security Groups, Firewall Rules) in addition to the host-based UFW. You must configure both firewalls to allow traffic. A connection is only permitted if it passes through all applicable firewall layers. Misconfiguration here is a common cause of "node not syncing" issues, as the peer-to-peer ports remain blocked at the infrastructure level.
step-3-fail2ban-setup
SECURITY LAYER
Step 3: Install and Configure fail2ban
Protect your node from brute-force attacks by automatically banning malicious IP addresses.
fail2ban is an intrusion prevention software framework that monitors system logs for malicious activity, such as repeated failed SSH login attempts. When it detects a pattern of failures from a single IP address, it automatically updates the system's firewall rules to ban that IP for a specified duration. This is a critical security layer for any public-facing server, as SSH brute-force attacks are extremely common. Installing fail2ban significantly reduces the attack surface and unauthorized access attempts to your node.
To install fail2ban on Ubuntu/Debian systems, use the package manager. First, update your package list with sudo apt update. Then, install fail2ban using the command sudo apt install fail2ban -y. The installation includes a default configuration file at /etc/fail2ban/jail.conf. However, you should never edit this file directly, as it may be overwritten during package updates. Instead, create a local configuration file that overrides the defaults.
Create your local jail configuration by copying the default file: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local. Now, edit the local file with your preferred text editor, such as sudo nano /etc/fail2ban/jail.local. The key parameters to configure are in the [DEFAULT] and [sshd] sections. You will adjust settings like bantime (how long an IP is banned), findtime (the time window for counting failures), and maxretry (the number of failures allowed).
A standard configuration for securing SSH might look like this in your jail.local file:
code[DEFAULT] # Ban IPs for 1 hour bantime = 3600 # Look for failures within the last 10 minutes findtime = 600 # Allow 5 retries before banning maxretry = 5 [sshd] enabled = true port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s
After saving the file, restart the fail2ban service with sudo systemctl restart fail2ban and enable it to start on boot with sudo systemctl enable fail2ban.
You can verify that fail2ban is running correctly with sudo systemctl status fail2ban. To check the current banned IP addresses, use the command sudo fail2ban-client status sshd. This will show you the jail's status and a list of banned IPs. For more detailed logging, you can monitor the fail2ban log file at /var/log/fail2ban.log. It's good practice to test the configuration by intentionally failing an SSH login from a test machine to see if the ban rule is triggered correctly.
While the default SSH jail is most critical, fail2ban can be extended to protect other services. For a blockchain node, you might create custom jails for the RPC port (e.g., port 8545 for Ethereum) or the P2P port if they are exposed. This involves creating a new filter to parse the service's log and defining a new jail in a separate .conf file within /etc/fail2ban/jail.d/. Properly configured, fail2ban acts as a silent guardian, automatically hardening your node against the most common network-based attacks.
NETWORK CONFIGURATION
Common Node Ports and Firewall Rules
Default ports and recommended firewall policies for major blockchain node clients to secure RPC, P2P, and metrics endpoints.
| Protocol / Service | Default Port | Purpose | Recommended Firewall Rule |
|---|---|---|---|
Ethereum Execution Client (Geth/Besu) | 8545 | HTTP JSON-RPC API | Restrict to localhost (127.0.0.1) or trusted IPs |
Ethereum Execution Client (Geth/Besu) | 30303 | Libp2p Network (P2P) | Allow from all (0.0.0.0/0) for node discovery |
Ethereum Consensus Client (Lighthouse/Prysm) | 5052 | Beacon Node HTTP API | Restrict to localhost (127.0.0.1) |
Ethereum Consensus Client | 9000 | Libp2p Network (P2P) | Allow from all (0.0.0.0/0) for peer connections |
Bitcoin Core | 8333 | Peer-to-Peer Network | Allow from all (0.0.0.0/0) for block propagation |
Bitcoin Core RPC | 8332 | JSON-RPC API | Restrict to localhost (127.0.0.1) only |
Solana Validator | 8000-8020 | TPU/TPU Forward/Gossip | Allow from all (0.0.0.0/0) for cluster participation |
Solana JSON-RPC | 8899 | Public RPC API | Restrict to specific IP range or use a reverse proxy |
Prometheus Node Exporter | 9100 | System Metrics | Restrict to monitoring server IP only |
Grafana | 3000 | Metrics Dashboard | Restrict to admin IPs or use VPN access |
step-4-monitoring-setup
SECURE ACCESS
Step 4: Implement Basic System Monitoring
Establish secure, auditable access to your node and configure foundational system monitoring to detect anomalies early.
Secure node access begins with disabling password-based SSH authentication in favor of cryptographic keys. Edit the SSH daemon configuration file at /etc/ssh/sshd_config and set PasswordAuthentication no and PermitRootLogin prohibit-password. This forces all connections to use SSH keys, eliminating the risk of brute-force attacks on passwords. Always use a strong passphrase for your private key. For team access, manage authorized keys centrally or use a bastion host to avoid distributing individual keys across multiple servers.
System monitoring provides the visibility needed to ensure node health and security. A minimal setup involves installing and configuring Prometheus for metrics collection and Grafana for visualization. First, install the Node Exporter agent on your server to gather system metrics like CPU, memory, disk I/O, and network usage. A basic Prometheus configuration prometheus.yml to scrape this data would include a job definition pointing to your node's IP and the Node Exporter's default port 9100.
For blockchain-specific monitoring, you need custom metrics. Many node clients like Geth, Erigon, and Consensus clients expose Prometheus-compatible metrics on a dedicated port (e.g., http://localhost:6060/debug/metrics/prometheus for Geth). Add these targets to your Prometheus configuration. In Grafana, you can then create dashboards to track critical signs: sync status, peer count, memory usage, disk space, and block propagation times. Setting alerts in Prometheus for thresholds like high memory usage or a dropping peer count allows for proactive intervention.
Log management is equally critical. Use journalctl to follow and query logs from your node's systemd service: journalctl -u geth -f --lines=100. For persistent, searchable logs, configure a log rotation service like logrotate and consider shipping logs to a centralized service like Loki or ELK Stack. This is essential for forensic analysis after an incident. Always ensure your monitoring stack itself is secured, not exposed to the public internet, and protected with authentication.
Finally, establish a routine check. While automated alerts are primary, manual verification catches nuanced issues. A simple bash script can check key health indicators: if curl -s http://localhost:8545 | grep -q jsonrpc; then echo "RPC OK"; else echo "RPC DOWN"; fi. Combine this with regular reviews of your Grafana dashboards and logs. This layered approach—secure access, comprehensive metric collection, actionable alerts, and log analysis—forms the foundation of reliable node operations.
security-tools-resources
NODE SECURITY
Security Tools and Resources
Essential tools and practices for establishing and maintaining secure access to blockchain nodes. These resources help mitigate risks like unauthorized access, data leaks, and network attacks.
NODE SECURITY
Troubleshooting Common Issues
Common problems and solutions for securing access to blockchain nodes, RPC endpoints, and validator infrastructure.
Rate limiting protects nodes from abuse and ensures service stability. Common causes include:
- Excessive request volume from a single IP or API key.
- Unoptimized queries like frequent
eth_getLogson large block ranges. - Shared infrastructure where multiple applications use the same credentials.
How to fix it:
- Implement client-side caching for static data (e.g., token names, contract ABIs).
- Batch requests using JSON-RPC's
batchmethod or libraries likeethers.multicall. - Use a dedicated node provider with higher rate limits (e.g., Chainstack, Alchemy, Infura Pro plans).
- Monitor usage via provider dashboards to identify and throttle high-frequency calls.
- For self-hosted nodes, adjust your client's (Geth, Erigon)
--rpc.gascapand--rpc.evmtimeoutflags to limit resource-intensive operations.
NODE SECURITY
Frequently Asked Questions
Common questions and troubleshooting steps for securely configuring and accessing blockchain nodes.
A node is the actual software client (like Geth, Erigon, or Prysm) that runs on a server, downloads the blockchain, validates transactions, and maintains the network's state. An RPC endpoint is the interface that allows external applications to communicate with that running node. It's the HTTP or WebSocket URL (e.g., https://your-node.com) that your dApp or wallet connects to in order to query data or submit transactions. Using a managed RPC service like Chainscore means you connect to their optimized, load-balanced endpoints instead of managing the underlying node infrastructure yourself.
conclusion-next-steps
SECURING YOUR INFRASTRUCTURE
Conclusion and Next Steps
This guide has covered the essential steps for establishing secure node access. The next phase involves operational hardening and proactive monitoring.
You have now configured SSH key-based authentication, set up a firewall, and created a non-root user. This baseline configuration significantly reduces your attack surface. However, security is an ongoing process. Your immediate next step should be to implement fail2ban to automatically block IP addresses after repeated failed login attempts. This is crucial for mitigating brute-force attacks. Install it with sudo apt install fail2ban (on Ubuntu/Debian) and configure the jail settings in /etc/fail2ban/jail.local. Regularly update your system packages with sudo apt update && sudo apt upgrade to patch known vulnerabilities.
For production environments, consider advanced configurations. Setting up a VPN like WireGuard or Tailscale for node access eliminates public SSH exposure entirely, creating a private mesh network. If public access is required, move your SSH daemon to a non-standard port and use port knocking (knockd) to hide the service until a specific sequence of connection attempts is made. For teams, implement a centralized authentication system using LDAP or configure SSH Certificate Authorities for issuing short-lived access certificates, which is more scalable and secure than distributing private keys.
Continuous monitoring is non-negotiable. Use tools like the auditd framework to log all authentication attempts and privilege escalations. Integrate logs with a SIEM (Security Information and Event Management) system or a centralized logging service like Grafana Loki. Set up alerts for suspicious activity, such as logins from unfamiliar geographic locations or attempts to access restricted files. Establish a routine checklist: review user accounts, verify firewall rules, check for unauthorized processes, and ensure backups of critical configuration files like /etc/ssh/sshd_config are current and tested.