search
IntroductionFundamentalsNode Validators

🔐Securing SSH Access

Validator Node Operator Security with SSH

hashtag
Securing Your Validator Node in an Open Internet Environment

In traditional, centralized server infrastructures, critical systems that require direct internet access are protected by layered security controls.

These environments typically include a full suite of professionals; System Administrators, Site Reliability Engineers, Network Engineers, Security Engineers, and others. These experienced professionals are responsible for hardening systems and defending them from external threats.

hashtag
This security model often includes:

  • Firewalls

  • Intrusion Detection and Prevention Systems (IDS/IPS)

  • Email spam filters

  • Endpoint protection

  • Credential management systems

These measures are in place to prevent unauthorized access, data breaches, or misuse of system resources.

hashtag
🚨 Why Node Operators Must Be Extra Cautious

Unlike enterprise-grade infrastructure, as a Constellation Node Validator Operator, you're responsible for a single VPS instance that connects directly to the public internet, often without intermediary security devices or professional oversight.

This makes your system a high-value target for attackers. Once compromised, malicious actors can:

  • Steal your wallet credentials

  • Hijack your node resources

  • Use your system as a pivot point to exploit other services

To prevent this, you must manually enforce best-practice security configurations.

hashtag
🛡️ Security Measures You Must Implement

1

hashtag
Restrict SSH Access by IP address

Only allow inbound SSH access from specific IP addresses (e.g., your home, office, or trusted remote locations). This significantly reduces the risk of unauthorized login attempts.

2

hashtag
Use Cloud Providers With External Firewall Features

Choose a VPS provider that offers built-in firewall configuration options at the account or project level.

3

hashtag
Disable Root Login for SSH

Disable root-level SSH access to ensure only limited, authorized accounts can initiate remote sessions.

circle-check

The nodectl utility will automatically configure basic SSH restrictions, including disabling root login and enabling IP-based access control. However, you must manually obtain and configure your IP address during the firewall setup process to complete this protection.

4

hashtag
Protect SSH Keys With Strong Passphrases

Always secure your private keys with strong, unique passphrases.

5

hashtag
Use a custom port to obscure your SSH connection

Since our only way to connect to the VPS (unless we are advanced experts) is through the Internet, it's important to take precautions. To prevent malicious actors from "sniffing" the default TCP port used for SSH connections, we should change it to a non-well-known port above 1024.

hashtag
🌍 Determining Your Public IP Address

When defining firewall rules to restrict access to your VPS, you’ll need to specify your current public IPv4 address.

Steps:

  1. Open your web browser.

  2. Navigate to: https://www.whatismyip.comarrow-up-right

  3. Look for the section labeled "My Public IPv4:"

  4. Record this IP address. This is the address you’ll allow through your VPS firewall.

🔁 Repeat this process for each trusted location from which you plan to access your node (e.g., home, office, mobile hotspot).

hashtag
📱 Accessing Your Node From Mobile Devices

If you plan to use mobile apps to connect to your VPS:

  • Be aware that mobile IP addresses often change and are part of large, dynamic subnet ranges.

  • For security, avoid allowing full open access unless absolutely necessary.

  • Alternatively, you can configure two firewall rule sets:

    • Locked-down mode (only allows known IPs)

    • Travel mode (temporarily opens access when you’re on the move)

triangle-exclamation

Subnet-based access control from mobile networks is more advanced and outside the scope of this document. Only use this approach if you understand the implications.

By proactively applying these security best practices, you help safeguard your node from attacks and maintain your reliability as a participant in the Constellation Network.

PreviousUpload SSH Public KeyNextHow to SSH into VPS

Last updated

Was this helpful?