🔐Securing SSH Access
Validator Node Operator Security with SSH
Securing Your Validator Node in an Open Internet Environment
In traditional, centralized server infrastructures, critical systems that require direct internet access are protected by layered security controls.
These environments typically include a full suite of professionals; System Administrators, Site Reliability Engineers, Network Engineers, Security Engineers, and others. These experienced professionals are responsible for hardening systems and defending them from external threats.
This security model often includes:
Firewalls
Intrusion Detection and Prevention Systems (IDS/IPS)
Email spam filters
Endpoint protection
Credential management systems
These measures are in place to prevent unauthorized access, data breaches, or misuse of system resources.
🚨 Why Node Operators Must Be Extra Cautious
Unlike enterprise-grade infrastructure, as a Constellation Node Validator Operator, you're responsible for a single VPS instance that connects directly to the public internet, often without intermediary security devices or professional oversight.
This makes your system a high-value target for attackers. Once compromised, malicious actors can:
Steal your wallet credentials
Hijack your node resources
Use your system as a pivot point to exploit other services
To prevent this, you must manually enforce best-practice security configurations.
🛡️ Security Measures You Must Implement
Disable Root Login for SSH
Disable root-level SSH access to ensure only limited, authorized accounts can initiate remote sessions.
The nodectl utility will automatically configure basic SSH restrictions, including disabling root login and enabling IP-based access control.
However, you must manually obtain and configure your IP address during the firewall setup process to complete this protection.
Use a custom port to obscure your SSH connection
Since our only way to connect to the VPS (unless we are advanced experts) is through the Internet, it's important to take precautions. To prevent malicious actors from "sniffing" the default TCP port used for SSH connections, we should change it to a non-well-known port above 1024.
🌍 Determining Your Public IP Address
When defining firewall rules to restrict access to your VPS, you’ll need to specify your current public IPv4 address.
Steps:
Open your web browser.
Navigate to: https://www.whatismyip.com
Look for the section labeled "My Public IPv4:"
Record this IP address. This is the address you’ll allow through your VPS firewall.
🔁 Repeat this process for each trusted location from which you plan to access your node (e.g., home, office, mobile hotspot).
📱 Accessing Your Node From Mobile Devices
If you plan to use mobile apps to connect to your VPS:
Be aware that mobile IP addresses often change and are part of large, dynamic subnet ranges.
For security, avoid allowing full open access unless absolutely necessary.
Alternatively, you can configure two firewall rule sets:
Locked-down mode (only allows known IPs)
Travel mode (temporarily opens access when you’re on the move)
Subnet-based access control from mobile networks is more advanced and outside the scope of this document. Only use this approach if you understand the implications.
By proactively applying these security best practices, you help safeguard your node from attacks and maintain your reliability as a participant in the Constellation Network.
Last updated
Was this helpful?