A VPS Guide for Rocket Pool

dkderek
Jul 22, 2021

Selecting and setting up a virtual private server (VPS) for your node

UPDATE: I have now spun up a dedicated server from Hetzner. While I continued to see more than acceptable performance from my Contabo VPS, I wanted to compare their performance. My inclination is to go with the dedicated server from Hetzner as it provides more robust hardware for not too much more money. Most of the guide below still applies to a dedicated server; however, there are additional steps and factors to consider. If I stick with Hetzner, I will try to write a companion guide.

Introduction

This guide is intended for Windows users (it should apply to Mac for the most part) who have limited to no experience with the Linux command line. I had almost no experience with the Linux command line interface (CLI) when I ran my first Rocket Pool node during a beta. While I am technically minded, I needed something to get me started and help me do more than the bare minimum with my node. This guide will get your server up and running with some basic configuration and tools added to help get you off to a solid start. From there you’ll want to do more research and experimentation to build on this foundation.

While the guide (at least the first two sections) is focused on Contabo as the VPS provider, it should be relevant to most other providers. I encourage you to research your own providers and decide what works best for you. During your research you’ll see some mixed reviews of Contabo. In some cases, it is hard to tell if these users had properly sized their VPS and if the issues were related to Contabo. I find Contabo to be an excellent value, but there are other options out there. During the three Rocket Pool betas I participated in, my performance was solid. I utilized support on one occasion, and they were fast and friendly to work with.

I would suggest you avoid AWS to increase decentralization. I also think AWS will be too expensive overall. Hetzner dedicated servers seem like another good option, just keep in mind disk space requirements when thinking about another provider. I’ve also considered Netcup as another option and may try them out. If you want to see what others are running on Mainnet, you can see stats here. If you’ve used a VPS provider, I’d be interested to hear about your experience.

Mainnet Statistics for Hosting ISPs as of 07.22.2021

DISCLAIMER: If it wasn’t clear already, this is not an endorsement of one VPS provider over another. In fact, this isn’t even an endorsement of using a VPS for your Rocket Pool node. You should understand that the need to upgrade your server or switch providers may arise and you’ll need to be able to handle that situation. You’ll also need to be comfortable with the penalties (note that this is different from slashing) that would be incurred during extended downtime. When possible, one should consider running their own hardware.

Credits

I first used kalikoffo’s guide to set up my VPS during an early Rocket Pool beta. This guide is based heavily on his hard work.

I also need to thank the Linux community. Whenever I ran into an issue or wanted to dig deeper into a topic, what I needed was just a Google search away.

Selecting your VPS

For beta participation I selected a VPS M SSD for $6.99 a month. This was more than sufficient to achieve effectiveness rates in the 98–100% range while running five minipools. You will want something more robust and with more storage for use on Mainnet. My choice for Prater Testnet and then Mainnet is a VPS XL SSD. This assumes I see the desired performance while running and stress testing on Prater. This should provide enough storage (may need to employ some form of space management/pruning) and overall resources to achieve solid performance. I’ll be sure to provide an update once I see real world performance. Again, do your own research and evaluate your needs. Contabo also offers virtual dedicated and fully dedicated servers.

Select the VPS that fits your needs

After selecting a VPS, you’ll be prompted to select your region. I suggest picking a location closest to you. They now have 3 data centers in the US along with locations in Germany and Singapore. You’ll also want to select an image or OS. You can pick from several different Linux distributions. I use Ubuntu 20.04 as I find there are more readily available guides and how-tos on the internet for novice users. All other options are left as default.

You’ll then complete the rest of the checkout steps. Last time I calculated costs I found it was less expensive to pay in Euros (as someone in the US) and use a credit card with no foreign transaction fees. You’ll want to check this out for yourself.

Initial Configuration

You should have received your login credentials in an email from Contabo Support once your order is fulfilled and the server provisioned. In my experience this was usually done within 30 minutes, but I’ve seen reports of it taking as long as a day.

Head on over to https://my.contabo.com/account/login and log in with your account credentials (you probably created this when you purchased the server). I have 2FA enabled for my account and I’d encourage you to do the same. Once logged in, look around and then navigate to VPS control.

From here you’ll want to click manage and then change the password for the root user to something unique and strong. Note that this is not the password associated with your Contabo account. I also encourage you to disable VNC for your server. You’ll be using SSH to remotely access, configure and monitor your server. For this you’ll need a terminal client. I use PuTTY (https://www.putty.org/).

Logging in for the First Time

Open PuTTY and use the information provided in the email from Contabo Support to set options. You’ll want to save the session detail to speed up future logins. You may want to update other configuration settings based on your individual needs. A Google search can aid here as necessary.

The PuTTY configuration window

Once configured, click Open and, if configured correctly, you should be presented with the following screen. Input root as the user and the password you set in the earlier step. If you used a strong password as suggested, you’ll want to copy this and paste it in. You’ll use SHIFT+Insert to paste into the PuTTY client window.

PuTTY Window

Once logged in you should see a screen like the following. Root is the superuser and has access to do almost everything on your server. In a later step we’ll create an account with more limited access, but for now we’ll start with some basic configuration.

You’ve successfully logged into your server

Updating the Server

We’ll start by ensuring the server is fully updated. For this task we’ll be using the apt package manager, which will automatically download updates from the package repository. Keep in mind that commands in Linux are case sensitive. Most are lowercase by default. Enter the following commands:

sudo apt update

sudo apt upgrade -y

You may see that your system is already updated or a message similar to the above.

Install Additional Tools

Now we’ll install some application packages that will make administering and monitoring our server a little easier. This is optional, but these tools will help make running your server easier. Paste in the following command:

apt -y install mc locate wget curl htop sudo

The command installs the following packages (note that -y executes the command without further prompts/uses defaults). If you’d like, each of the following can be run individually or you can remove (not install) as you see fit.

mc - Midnight Commander is a visual file manager. This makes it easier (and to an extent, safer) to manage files and directories when compared to using the command line. More at https://linuxcommand.org/lc3_adv_mc.php

locate — useful to find files in system https://linuxize.com/post/locate-command-in-linux/

wget — used to retrieve content and files from web servers

curl — works similar to wget. I install both as you may utilize references that use one or the other. For a discussion on differences, see https://unix.stackexchange.com/questions/47434/what-is-the-difference-between-curl-and-wget

htop — interactive process-viewer (resource monitor) and process-manager for Linux. This enhances top, the default command line utility used for the same purpose. If you really want to amp up your ability to monitor your server, see my guide on Netdata here (link to be added)

sudo — lets enabled users perform root tasks. You’ll see how this is used later. Installed by default on most Linux distros, this is here to cover bases.

You can review the command’s output for any errors if desired. Try out htop if you’d like to see your server’s current performance. Exit with Ctrl-C.

Customize Server’s Hostname

From here we can change our server’s default hostname if you’d like. Note, if you perform this step after logging in as the admin user we’ll create below, you’ll need to execute the command with sudo.

mcedit /etc/hostname

Delete what’s there and enter what you’d like your hostname to be. Hit F2 to save and ESC to exit.

Now, to ensure that the name resolves, we’ll need to edit our hosts file.

sudo mcedit /etc/hosts

Edit the line with the IP address (under the black line in this example) to include only it and the hostname you set in the previous step. F2 to save, ESC to exit.

Add a New User

Now let’s add a new user that doesn’t have all the privileges that root does. This user can be named whatever you’d like. In this example, we’re using admin.

adduser admin

You’ll be prompted to enter a password. Again, use a strong password that is different from that you set for root. I use a password manager to generate my secure passwords. You’ll also be prompted to enter details for the user, such as name. Enter what you’d like or nothing at all.

Now we want to add the new user to our sudo group, which allows it to perform root tasks but with a prompt for password of the admin user. This helps ensure software applications don’t have more access than necessary and that an admin doesn’t perform unintentional commands.

usermod -aG sudo admin

Restart the Server

Now it is time for a restart so all the changes we’ve made can take effect.

init 6

Init 6 works like the reboot command but is more graceful as it runs shutdown scripts before rebooting.

init 6 tells the init process to shutdown all of the spawned processes/daemons as written in the init files (in the inverse order they started) and lastly invoke the shutdown -r now command to reboot the machine

We’ll now need to restart the session. Give the server 30 seconds or so to restart.

Restart the session to login after reboot

This time log in with admin and the password you set. Ideally this strong password is stored in your password manager. In later steps you can switch to using SSH keys entirely for authentication. This will allow you to disable password authentication. I highly encourage you to consider this important security measure.

Congrats! Now you’re ready to pick things up in the Rocket Pool node operators guide. Pick the most recent documentation that’s relevant to your use (test vs. main). Once everything is installed and running, come back here and we’ll do some follow-up. Maybe come back when your eth1 and eth2 clients are syncing. If you prefer, you can continue straight through and not install Rocket Pool at this time.

___________________________________________________________________

Further Configuration

Did you eat a sandwich, drink some coffee or a beer? I hope you took a well-deserved break after all of that work! Now let’s get back to setting up your VPS. If not already, log in to your server via SSH.

Keeping your time synchronized

Time synchronization is an important part of keeping your system clock up to date and configuring time zones correctly. Further, accurate time is critical when running a validator node. Accurate time will help ensure solid performance and effectiveness of your node. Time sync should work “out of the box” for most Linux distributions, but it is important to know how to confirm things are running as they should. For more on this topic, please see this article.

This article does an excellent job of covering the topic of time synchronization. It goes into greater depth than most node operators will need, but it also covers the basics necessary to confirm your server’s clock is in the right time zone and accurately synchronized.

If you experience trouble with time synchronization, I suggest checking out and installing chrony.

Add an alias for rocket pool command

Rather than always typing “rocketpool” to interact and issue Rocket Pool-related commands, I added an alias which has allowed me to enter “rp” instead. This is how you make a persistent alias.

mcedit ~/.bashrc

Scroll down to where existing aliases are already entered. I create a new section “#DK Aliases” and enter the rp alias as shown below.

Add your alias for the rocketpool command

Save and exit. To load the changes and make the alias available, issue the following command:

source ~/.bashrc

If you want to make your .bashrc more modular you can store your aliases in a separate alias file. Some distributions like Ubuntu and Debian include a .bash_aliases file, which is sourced from the ~/.bashrc. Unless you’re going to create a lot of aliases, this step probably isn’t necessary.

Netdata Guide

Earlier in this guide we installed htop. Issue the htop command to view the performance of your server. However, if you really want to increase the monitoring capabilities with things like historical performance visualization and alerting, I encourage you to check out Netdata. Head on over to my guide which quickly covers the easy steps to get up and running with Netdata.

Htop running on my server

htop in action

Security

Please note, this is not meant to be a complete guide on security. Detailed below are some initial steps you can take to better secure your server. You should conduct additional research and keep up to date with changes and vulnerabilities. Further, you also want to follow other best practices related to your seed phrase, passwords, wallets, etc.

Rocket Pool docs on security

I highly encourage you to review the Rocket Pool documentation on securing your node. It outlines several security measures you can (and should) take to increase your node’s operational security. These steps include the important steps of using SSH keys and disabling password access.

Change SSH port

By changing the SSH port from the default of 22, you can make it harder for malicious actors to use bots to scan for open ports and determine what’s running and accessible on the server. This is referred to as security through obscurity. Issue the following command to edit the relevant config file:

sudo mcedit /etc/ssh/sshd_config

To change the port used for SSH, you’ll want to uncomment the #Port 22 line (remove the # in front of it). Change the port to something above 20000, as this should avoid conflicts, e.g. 24200. F2 to save, F10 to quit.

Editing the SSH port

Make sure you remember and accurately enter the new port. You’ll need to use this port to log back in. Now we need to restart the associated services. Issue the following commands:

sudo systemctl restart ssh.service

sudo systemctl restart sshd.service

You may get kicked out when restarting these services. Log back in and, in either case, remember to update your SSH port and save the config in PuTTY/whatever SSH client you’re using.

To view the status of the services:

sudo systemctl status ssh.service

sudo systemctl status sshd.service
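A check worth running on the edited file before restarting SSH, since a leftover or mistyped Port line either locks you out or leaves port 22 open. This is an added example, not part of the original guide; the function names and the sample config are constructed for illustration.

```shell
# Added example (not from the original guide); sample values are constructed.
# Print every active value of KEYWORD from the global part of an sshd_config-style
# file, in file order. Not handled: Include files and per-user Match blocks.
sshd_values() {   # usage: sshd_values <file> <keyword>
  awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    { line = $0; sub(/^[ \t]+/, "", line)
      split(line, f, /[ \t]+/); key = tolower(f[1]) }
    key == "match" { exit }
    key == want    { print f[2] }
  ' "$1"
}

# Port may be given several times and sshd listens on all of them, so adding
# "Port 24200" while an active "Port 22" remains does not close port 22.
check_ssh_port() {   # usage: check_ssh_port <file>; prints one verdict line
  ports="$(sshd_values "$1" Port | tr '\n' ' ')"
  ports="${ports% }"
  [ -n "$ports" ] || { echo "default: no active Port line, sshd listens on 22"; return; }
  for p in $ports; do
    case "$p" in
      ''|*[!0-9]*) echo "invalid: '$p' is not a port number"; return ;;
    esac
    if [ "$p" -eq 22 ]; then
      echo "default: an active 'Port 22' line remains (ports: $ports)"; return
    elif [ "$p" -le 20000 ] || [ "$p" -gt 65535 ]; then
      echo "range: $p is outside 20001-65535"; return
    fi
  done
  echo "ok: sshd will listen on $ports"
}

# For most other keywords the first value wins; PasswordAuthentication defaults to yes.
check_password_auth() {   # usage: check_password_auth <file>
  v="$(sshd_values "$1" PasswordAuthentication | head -n 1 | tr '[:upper:]' '[:lower:]')"
  if [ "$v" = "no" ]; then echo "keys-only"; else echo "passwords-allowed"; fi
}

write_sample() {   # constructed sample config, not taken from a real server
  cat > "$1" <<'EOF'
#Port 22
Port 24200
PermitRootLogin yes
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
}

demo="$(mktemp)"
write_sample "$demo"
check_ssh_port "$demo"
check_password_auth "$demo"
rm -f "$demo"
```

On the server itself, sudo sshd -t validates the syntax of the real file before you restart, and sudo sshd -T prints the settings sshd will actually use, including anything pulled in through Include lines.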

Fail2ban

This step is covered in the Rocket Pool documentation linked above but I wanted to include a little more detail.

Fail2ban scans log files and bans IPs that show signs of malicious activity, such as too many failed login attempts, exploit seeking, etc. More info here: https://www.fail2ban.org/wiki/index.php/Main_Page

Install Fail2ban

sudo apt -y install fail2ban

Fail2Ban installing

Customize Fail2ban

sudo mcedit /etc/fail2ban/jail.conf

Above is the config file for Fail2ban. Within this file you can customize how long potential malicious activity is banned (bantime), number of failed attempts (maxretry), etc. Here’s the manual for Ubuntu. You can find man pages for other distros by doing a Google search.

When editing Linux configuration files, any line prefaced with a # is a comment or a setting that has been disabled (commented out). You can scroll through the file and make edits where you see fit. Changes to consider include increasing bantime, increasing or decreasing maxretry, etc. The more aggressively you configure Fail2ban, the more careful you’ll need to be to not lock yourself out.

To save changes, F2 and then F10 to quit. For changes to take effect, you’ll want to restart the service.

sudo systemctl restart fail2ban.service

To view the status of the fail2ban service, issue the following command:

sudo systemctl status fail2ban.service
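One thing the two sections above have in common: the sshd jail bans on port "ssh" (22) unless told otherwise, so after moving SSH to a custom port the jail's port has to follow it. The added example below (not from the original guide) writes the overrides to a jail.local-style file, which Fail2ban reads after jail.conf so package upgrades do not undo it, and checks that the jail covers the new port; the function names and the values 24200, 3600 and 3 are illustrative.

```shell
# Added example (not from the original guide); names and values are illustrative.
# Write bantime/maxretry overrides plus an sshd jail bound to the custom SSH port.
write_jail_local() {   # usage: write_jail_local <path> <ssh_port> <bantime_s> <maxretry>
  cat > "$1" <<EOF
# constructed example overrides
[DEFAULT]
bantime = $3
maxretry = $4

[sshd]
enabled = true
port = $2
EOF
}

# Read KEY from [SECTION] of a jail file (last assignment in the section wins).
jail_value() {   # usage: jail_value <file> <section> <key>
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*[#;]/ { next }
    /^\[/ { cur = $0; sub(/[ \t]+$/, "", cur); next }
    cur == sec { split($0, kv, /[ \t]*=[ \t]*/); if (kv[1] == key) val = kv[2] }
    END { print val }
  ' "$1"
}

# Succeeds only if the sshd jail lists the given port. With no port line the
# jail falls back to "ssh", which does not cover a custom port.
jail_covers_port() {   # usage: jail_covers_port <jail file> <ssh_port>
  p="$(jail_value "$1" sshd port | tr -d ' ')"
  case ",${p:-ssh}," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

tmp="$(mktemp)"
write_jail_local "$tmp" 24200 3600 3
if jail_covers_port "$tmp" 24200; then echo "sshd jail bans on port 24200"; fi
rm -f "$tmp"
```

To use the generated file, review it, copy it to /etc/fail2ban/jail.local and restart the service as shown above; sudo fail2ban-client status sshd then lists the jail and any currently banned addresses.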

Conclusion

I hope you found this guide helpful. I am pretty new to this myself, so feedback is welcome and encouraged. As stated in the guide, you’ll want to continue your Ethereum, Rocket Pool and Linux education. I also encourage you to do things to try and break your server while running on a testnet. Make configuration changes, update the Rocket Pool stack and your server — anything you’ll have to do while running your server on Mainnet, you’ll want to have practiced while testing.
