# Securing SSH Access

## **Securing Your Validator Node in an Open Internet Environment**

In traditional, **centralized server infrastructures**, critical systems that require direct internet access are protected by layered security controls.

These environments typically include a full suite of professionals: System Administrators, Site Reliability Engineers, Network Engineers, Security Engineers, and others. These **experienced professionals** are responsible for **hardening** systems and defending them from external threats.

#### This security model often includes:

* Firewalls
* Intrusion Detection and Prevention Systems (IDS/IPS)
* Email spam filters
* Endpoint protection
* Credential management systems

These measures are in place to prevent **unauthorized access**, **data breaches**, or **misuse of system resources**.

***

## 🚨 Why Node Operators Must Be Extra Cautious

Unlike enterprise-grade infrastructure, as a **Constellation Node Validator Operator** you are responsible for a **single VPS instance** that connects <mark style="color:red;">**directly to the public internet**</mark>, often without intermediary security devices or professional oversight.

This makes your system a high-value target for attackers. Once compromised, malicious actors can:

* Steal your wallet credentials
* Hijack your node resources
* Use your system as a pivot point to exploit other services

To prevent this, you must **manually enforce best-practice security** configurations.

***

## 🛡️ Security Measures You Must Implement

{% stepper %}
{% step %}

### Restrict SSH Access by IP address

Only allow inbound SSH access from **specific IP addresses** (e.g., your home, office, or trusted remote locations). This significantly reduces the risk of unauthorized login attempts.
{% endstep %}

{% step %}

### **Use Cloud Providers With External Firewall Features**

Choose a VPS provider that offers built-in firewall configuration options at the account or project level.
{% endstep %}

{% step %}

### **Disable Root Login for SSH**

Disable root-level SSH access to ensure only limited, authorized accounts can initiate remote sessions.

{% hint style="success" %}
The `nodectl` utility will automatically configure basic SSH restrictions, including disabling root login and enabling IP-based access control.\
However, you must **manually obtain and configure your IP address** during the firewall setup process to complete this protection.
{% endhint %}
{% endstep %}

{% step %}

### **Protect SSH Keys With Strong Passphrases**

Always secure your private keys with strong, unique passphrases.
{% endstep %}

{% step %}

### Use a custom port to obscure your SSH connection

Since the only practical way to reach the VPS is over the public Internet, it is important to take precautions. Automated scanners constantly probe the default SSH port (TCP 22) looking for servers to attack; to keep your node out of those scans, we should [change it to a non-well-known port above 1024](/run-a-node/legacy/nodectl-command-reference.md#change_ssh_port).
{% endstep %}
{% endstepper %}
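The steps above are applied by `nodectl`, but it is worth verifying the result. The following POSIX shell script is an added example (not part of `nodectl` or of this documentation) that audits an `sshd_config` file for the settings the steps require: root login disabled and the port moved above 1024. It also adds one check the steps do not mention, `PasswordAuthentication no`, because a node whose only login path is a passphrase-protected key cannot be brute-forced over the network. The function names and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Audit an sshd configuration file for the hardening settings described above.
# Hypothetical helper, not part of nodectl: it only reads a file and reports,
# it never edits anything.

# Print the effective value of KEYWORD ($2) in FILE ($1).
# sshd uses the FIRST occurrence of a keyword, so print the first match, and
# stop at the first "Match" block because settings after it are conditional.
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE [MIN_PORT]
# Returns 0 when root login is disabled, password logins are disabled and the
# port is above MIN_PORT (default 1024); otherwise prints each failed check
# and returns 1.
audit_sshd_config() {
    cfg=$1
    min_port=${2:-1024}
    rc=0

    root=$(sshd_effective "$cfg" PermitRootLogin)
    # sshd's compiled-in default is prohibit-password, which still lets root
    # log in with a key, so only an explicit "no" passes.
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-prohibit-password (default)}', want 'no'"
        rc=1
    fi

    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    # The default is yes, which leaves the account password open to guessing.
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-yes (default)}', want 'no'"
        rc=1
    fi

    port=$(sshd_effective "$cfg" Port)
    port=${port:-22}   # no Port line means the well-known default
    case "$port" in
        *[!0-9]*)
            echo "FAIL: Port '$port' is not numeric"
            rc=1 ;;
        *)
            if [ "$port" -le "$min_port" ] || [ "$port" -gt 65535 ]; then
                echo "FAIL: Port $port is not in the range $((min_port + 1))-65535"
                rc=1
            fi ;;
    esac
    return $rc
}

# Demo on a constructed sample (not a real server file).
# On a live node, audit the running daemon's merged configuration instead of a
# single file, since modern sshd also reads /etc/ssh/sshd_config.d/*.conf:
#   sudo sshd -T | grep -iE '^(port|permitrootlogin|passwordauthentication) '
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example of a hardened sshd_config
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
audit_sshd_config "$sample" && echo "OK: sample configuration passes all checks"
rm -f "$sample"
```

Run it against a copy of your configuration before and after `nodectl` applies its SSH restrictions; any line that starts with `FAIL:` names a setting that still needs attention. Keep an existing SSH session open while changing the port or firewall, so a mistake does not lock you out.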

***

## 🌍 Determining Your Public IP Address

When defining firewall rules to restrict access to your VPS, you’ll need to specify your **current public IPv4 address**.

**Steps:**

1. Open your web browser.
2. Navigate to: [https://www.whatismyip.com](https://www.whatismyip.com/)
3. Look for the section labeled **"My Public IPv4:"**
4. Record this IP address. *This is the address you’ll allow through your VPS firewall.*

> 🔁 Repeat this process for each trusted location from which you plan to access your node (e.g., home, office, mobile hotspot).

***

## 📱 Accessing Your Node From Mobile Devices

If you plan to use mobile apps to connect to your VPS:

* Be aware that mobile IP addresses often change and are part of large, dynamic subnet ranges.
* For security, **avoid allowing full open access** unless absolutely necessary.
* Alternatively, you can configure **two firewall rule sets**:
  * **Locked-down mode** (only allows known IPs)
  * **Travel mode** (temporarily opens access when you’re on the move)

{% hint style="danger" %}
Subnet-based access control from mobile networks is more advanced and **outside the scope of this document**. Only use this approach if you understand the implications.
{% endhint %}
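The two rule sets described above, locked-down mode and travel mode, can be kept as a short script rather than retyped each time. The following POSIX shell script is an added example (not part of `nodectl` or of this documentation) that validates the IPv4 addresses recorded in the previous section and prints the `ufw` commands for either mode; nothing is applied, so the output can be reviewed first. Travel mode here does not open the port wide: it uses `ufw limit`, which rejects a source that opens six or more connections within 30 seconds, so opportunistic brute-force attempts are throttled while you are on the move. The function names and the sample addresses are constructed for this example.

```shell
#!/bin/sh
# Print ufw commands for the two SSH firewall rule sets described above.
# Hypothetical helper, not part of nodectl: it prints commands, it does not run them.

# Validate a dotted-quad IPv4 address (the value recorded from "My Public IPv4").
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;   # only digits and dots, no empty octet
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ssh_firewall_rules MODE PORT IP [IP...]
#   MODE = locked-down : accept SSH only from the listed trusted addresses
#   MODE = travel      : the same allow rules, plus rate-limited access from
#                        anywhere for the time you are away from a trusted address
# PORT is the custom SSH port chosen earlier. Prints the commands; returns 1
# on an unknown mode, an invalid address, or an empty address list (which
# would lock you out of the node).
ssh_firewall_rules() {
    mode=$1; port=$2; shift 2
    case "$mode" in
        locked-down|travel) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "at least one trusted IP is required" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done

    echo "ufw default deny incoming"
    for ip in "$@"; do
        echo "ufw allow from $ip to any port $port proto tcp"
    done
    if [ "$mode" = "travel" ]; then
        # ufw limit denies a source that opens 6 or more connections in 30 seconds
        echo "ufw limit $port/tcp"
    fi
    echo "ufw status numbered"   # review the resulting rules before enabling ufw
}

# Demo with constructed, documentation-range addresses (not real locations).
echo "# locked-down mode"
ssh_firewall_rules locked-down 2222 203.0.113.10 198.51.100.25
echo "# travel mode"
ssh_firewall_rules travel 2222 203.0.113.10
```

Switch back to locked-down mode as soon as you are home: the travel rule set only slows down password and key guessing at the network edge, it does not replace the IP allowlist. Whichever mode is active, confirm the allow rule for your current address is present in `ufw status numbered` before you close the session you used to apply it.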

***

By proactively applying these security best practices, you help safeguard your node from attacks and maintain your reliability as a participant in the Constellation Network.
