Constellation Network

Securing SSH Access

Validator Node Operator Security with SSH

Securing Your Validator Node in an Open Internet Environment

In traditional, centralized server infrastructures, critical systems that require direct internet access are protected by layered security controls.

These environments typically include a full suite of professionals: System Administrators, Site Reliability Engineers, Network Engineers, Security Engineers, and others. These experienced professionals are responsible for hardening systems and defending them from external threats.

This security model often includes:

  • Firewalls

  • Intrusion Detection and Prevention Systems (IDS/IPS)

  • Email spam filters

  • Endpoint protection

  • Credential management systems

These measures are in place to prevent unauthorized access, data breaches, or misuse of system resources.


🚨 Why Node Operators Must Be Extra Cautious

Unlike operators of enterprise-grade infrastructure, as a Constellation Node Validator Operator you're responsible for a single VPS instance that connects directly to the public internet, often without intermediary security devices or professional oversight.

This makes your system a high-value target for attackers. Once it is compromised, malicious actors can:

  • Steal your wallet credentials

  • Hijack your node resources

  • Use your system as a pivot point to exploit other services

To prevent this, you must manually enforce best-practice security configurations.


πŸ›‘οΈ Security Measures You Must Implement

1

Restrict SSH Access by IP address

Only allow inbound SSH access from specific IP addresses (e.g., your home, office, or trusted remote locations). This significantly reduces the risk of unauthorized login attempts.

2. Use Cloud Providers With External Firewall Features

Choose a VPS provider that offers built-in firewall configuration options at the account or project level.

3. Disable Root Login for SSH

Disable root-level SSH access to ensure only limited, authorized accounts can initiate remote sessions.

The nodectl utility will automatically configure basic SSH restrictions, including disabling root login and enabling IP-based access control. However, you must manually obtain and configure your IP address during the firewall setup process to complete this protection.

4. Protect SSH Keys With Strong Passphrases

Always secure your private keys with strong, unique passphrases.

5. Use a Custom Port to Obscure Your SSH Connection
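
A way to check measures 3 and 5 on a running node, as an added example (not nodectl or Constellation code): it audits the effective settings that `sshd -T` prints after defaults and include files are applied. The function name and the sample outputs are constructed for illustration.

```python
# Added example: audit `sshd -T` output for root login and the SSH port.

def audit_sshd(effective: str) -> list[str]:
    """Return findings for the root-login and custom-port measures."""
    ports, root_login = [], None
    for line in effective.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port" and value.isdigit():
            ports.append(int(value))   # sshd listens on every port listed
        elif key == "permitrootlogin":
            root_login = value.lower()

    findings = []
    if root_login != "no":
        # without-password / prohibit-password still let root in with a key
        findings.append(f"root login not disabled (permitrootlogin={root_login or 'unknown'})")
    if not ports:
        findings.append("no port line found; sshd defaults to 22")
    for p in ports:
        if p == 22:
            findings.append("sshd still listens on default port 22")
        elif p <= 1024:
            findings.append(f"port {p} is not above 1024")
    return findings

# Constructed sample: a custom port was added but the default was left in place.
SAMPLE_BEFORE = """\
port 22
port 2222
permitrootlogin without-password
pubkeyauthentication yes
"""
# Constructed sample: the state the measures above aim for.
SAMPLE_AFTER = """\
port 2222
permitrootlogin no
pubkeyauthentication yes
"""

if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_BEFORE):
        print("FINDING:", finding)
    print("after hardening:", audit_sshd(SAMPLE_AFTER) or "no findings")
```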


Determining Your Public IP Address

When defining firewall rules to restrict access to your VPS, you'll need to specify your current public IPv4 address.

Steps:

  1. Open your web browser.

  2. Look for the section labeled "My Public IPv4:"

  3. Record this IP address. This is the address you'll allow through your VPS firewall.

Repeat this process for each trusted location from which you plan to access your node (e.g., home, office, mobile hotspot).


📱 Accessing Your Node From Mobile Devices

If you plan to use mobile apps to connect to your VPS:

  • Be aware that mobile IP addresses often change and are part of large, dynamic subnet ranges.

  • For security, avoid allowing full open access unless absolutely necessary.

  • Alternatively, you can configure two firewall rule sets:

    • Locked-down mode (only allows known IPs)

    • Travel mode (temporarily opens access when you're on the move)

Subnet-based access control from mobile networks is more advanced and outside the scope of this document. Only use this approach if you understand the implications.
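
The recorded addresses and the two rule sets, as an added example (not nodectl or Constellation code): it validates each trusted address and builds the locked-down and travel-mode rules. It assumes `ufw` with a default-deny inbound policy on the VPS; the function names, port 2222 and the sample addresses are constructed.

```python
# Added example: validate trusted source addresses and build two rule sets.
import ipaddress

# Ranges that never appear as a source address on the public internet.
# An address from one of these is the device's local view, not what the VPS sees.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                  # carrier-grade NAT (common on mobile)
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, unspecified
)]

def validate_source(entry: str) -> str:
    """Return the normalized IPv4 address or raise ValueError with the reason."""
    addr = ipaddress.IPv4Address(entry.strip())  # rejects IPv6, CIDR ranges, typos
    for net in NON_PUBLIC:
        if addr in net:
            raise ValueError(f"{addr} is inside {net}, not a public address")
    return str(addr)

def rule_sets(trusted: list[str], ssh_port: int) -> dict[str, list[str]]:
    """Build ufw commands for locked-down mode, travel mode, and leaving travel mode."""
    if not 1024 < ssh_port <= 65535:
        raise ValueError("expected the custom SSH port, above 1024")
    sources = sorted({validate_source(t) for t in trusted},
                     key=ipaddress.IPv4Address)
    if not sources:
        raise ValueError("no trusted source given; applying this would lock you out")
    locked = [f"ufw allow from {s} to any port {ssh_port} proto tcp" for s in sources]
    return {
        "locked_down": locked,
        "travel": locked + [f"ufw allow {ssh_port}/tcp"],   # open to any source
        "end_travel": [f"ufw delete allow {ssh_port}/tcp"], # back to locked-down
    }

if __name__ == "__main__":
    # Constructed sample input (documentation address ranges).
    for mode, cmds in rule_sets(["203.0.113.7", "198.51.100.20"], 2222).items():
        print(f"# {mode}")
        print("\n".join(cmds))
```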


By proactively applying these security best practices, you help safeguard your node from attacks and maintain your reliability as a participant in the Constellation Network.


Last updated 22 days ago


Since our only way to connect to the VPS (unless we are advanced experts) is through the Internet, it's important to take precautions. To prevent malicious actors from "sniffing" the default TCP port used for SSH connections, we should change it to a non-well-known port above 1024.

To find your public IPv4 address, navigate to: https://www.whatismyip.com