Table of Contents
In order to have your node join the swarm (or even function properly), you need to expose a couple of ports. The set up depends on whether you use an external firewall (or NAT), such as AWS or hosting at home, or rely on the node's own firewall to secure it (most VPS-services). If you do not want to join the authority set, only port 8110 needs to be opened to the public.
External firewall / NAT
No firewall needs to be configured on the node itself, but it can still be set up for added security in case your external firewall gets compromised. You need to allow access to port 2376, 2222 and 8088 ONLY TO 184.108.40.206. Failure to do this properly can compromise your node. Port 8090 to public is beneficial for testnet debugging. Port 8110 is required to be open to the public, this is the port the network communicates on. The steps to do this varies greatly by your individual set up (NAT or not, firewall/router model, etc..)
In order to join the swarm, first ensure that your firewall rules allow access on the following ports. All swarm communications occur over a self-signed TLS certificate. Due to the way iptables and docker work you cannot use the
INPUT chain to block access to apps running in a docker container as it's not a local destination but a
FORWARD destination. By default when you map a port into a docker container it opens up to
any host. To restrict access we need to add our rules in the
DOCKER-USER chain reference.
- TCP port
220.127.116.11for secure Docker engine communication. This port is required for Docker Machine to work. Docker Machine is used to orchestrate Docker hosts. As this is a local service we use the
In addition, the following ports must be opened for factomd to function which we add to the
18.104.22.168, which is the SSH port used by the
22.214.171.124, the factomd API port
0.0.0.0, the factomd Control panel
- Keeping this open to the world is beneficial on testnet for debugging purposes
0.0.0.0, the factomd testnet port
An example using
sudo iptables -A INPUT ! -s 126.96.36.199/32 -p tcp -m tcp --dport 2376 -m conntrack --ctstate NEW,ESTABLISHED -j REJECT --reject-with icmp-port-unreachable sudo iptables -A DOCKER-USER ! -s 188.8.131.52/32 -i <external if> -p tcp -m tcp --dport 8090 -j REJECT --reject-with icmp-port-unreachable sudo iptables -A DOCKER-USER ! -s 184.108.40.206/32 -i <external if> -p tcp -m tcp --dport 2222 -j REJECT --reject-with icmp-port-unreachable sudo iptables -A DOCKER-USER ! -s 220.127.116.11/32 -i <external if> -p tcp -m tcp --dport 8088 -j REJECT --reject-with icmp-port-unreachable sudo iptables -A DOCKER-USER -p tcp -m tcp --dport 8110 -j ACCEPT
<external if> with the name of the interface you use to connect to the internet eg. eth0 or ens0. To see interfaces use
ip addr list
Don't forget to save the rules!
Harden SSH Access
1. Create an authentication key-pair
This is done on your local computer, not your node, and will create a 4096-bit RSA key-pair. During creation, you will be given the option to encrypt the private key with a passphrase. This means that it cannot be used without entering the passphrase, unless you save it to your local desktop’s keychain manager. We suggest you use the key-pair with a passphrase, but you can leave this field blank if you don’t want to use one.
ssh-keygen -b 4096
Press Enter to use the default names
/home/your_username/.ssh before entering your passphrase.
Now copy your key to your node (replace the username and ip with appropriate values)
ssh-copy-id [email protected]
Exit and log back in to your node. If you specified a passphrase, you need to enter it here.
Download and install PuTTy (use the MSI installer as it includes puttygen) https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
Select RSA and increase to a 4096-bits key in the bottom right field and generate a key. Type in a passphrase (optional, recommended). Now save your keys.
Now copy the entire public key, it starts with
ssh-rsa and ends with
== followed by the key comment. On your node, create your .ssh folder if it does not already exist. Now create and/or edit the file
./ssh/authorized_keys and paste your key here.
The next time you use PuTTy to connect, go to your Connection -> SSH -> Auth setting and browse to the PRIVATE key you saved earlier. Save the connection and try to connect. You should now be able to connect using your SSH key instead of password.
2. SSH Daemon options
Edit /etc/ssh/sshd_config using your favorite editor:
sudo nano /etc/ssh/sshd_config
Below are a handful of settings we recommend setting:
AddressFamily inet # listen only on IPv4 PermitRootLogin no # the most important setting, do not allow root login PasswordAuthentication no # disable password login PubkeyAthentication yes # enable keypair login AuthorizedKeysFile .ssh/authorized_keys # keyfile location