Securing SSH Access

Validator Node Operator Security with SSH

Securing Your Validator Node in an Open Internet Environment

In traditional, centralized server infrastructures, critical systems that require direct internet access are protected by layered security controls.

These environments typically include a full suite of professionals; System Administrators, Site Reliability Engineers, Network Engineers, Security Engineers, and others. These experienced professionals are responsible for hardening systems and defending them from external threats.

This security model often includes:

Firewalls
Intrusion Detection and Prevention Systems (IDS/IPS)
Email spam filters
Endpoint protection
Credential management systems

These measures are in place to prevent unauthorized access, data breaches, or misuse of system resources.

🚨 Why Node Operators Must Be Extra Cautious

Unlike enterprise-grade infrastructure, as a Constellation Node Validator Operator, you're responsible for a single VPS instance that connects directly to the public internet, often without intermediary security devices or professional oversight.

This makes your system a high-value target for attackers. Once compromised, malicious actors can:

Steal your wallet credentials
Hijack your node resources
Use your system as a pivot point to exploit other services

To prevent this, you must manually enforce best-practice security configurations.

🛡️ Security Measures You Must Implement

Restrict SSH Access by IP address

Only allow inbound SSH access from specific IP addresses (e.g., your home, office, or trusted remote locations). This significantly reduces the risk of unauthorized login attempts.

Use Cloud Providers With External Firewall Features

Choose a VPS provider that offers built-in firewall configuration options at the account or project level.

Disable root-level SSH access to ensure only limited, authorized accounts can initiate remote sessions.

The nodectl utility will automatically configure basic SSH restrictions, including disabling root login and enabling IP-based access control. However, you must manually obtain and configure your IP address during the firewall setup process to complete this protection.

Protect SSH Keys With Strong Passphrases

Always secure your private keys with strong, unique passphrases.

Use a custom port to obscure your SSH connection

🌍 Determining Your Public IP Address

When defining firewall rules to restrict access to your VPS, you’ll need to specify your current public IPv4 address.

Steps:

Open your web browser.
Look for the section labeled "My Public IPv4:"
Record this IP address. This is the address you’ll allow through your VPS firewall.

🔁 Repeat this process for each trusted location from which you plan to access your node (e.g., home, office, mobile hotspot).

📱 Accessing Your Node From Mobile Devices

If you plan to use mobile apps to connect to your VPS:

Be aware that mobile IP addresses often change and are part of large, dynamic subnet ranges.
For security, avoid allowing full open access unless absolutely necessary.
Alternatively, you can configure two firewall rule sets:
- Locked-down mode (only allows known IPs)
- Travel mode (temporarily opens access when you’re on the move)

Subnet-based access control from mobile networks is more advanced and outside the scope of this document. Only use this approach if you understand the implications.

By proactively applying these security best practices, you help safeguard your node from attacks and maintain your reliability as a participant in the Constellation Network.

PreviousUpload SSH Public Key NextHow to SSH into VPS

Last updated 22 days ago

Was this helpful?

Securing SSH Access

Validator Node Operator Security with SSH

Securing Your Validator Node in an Open Internet Environment

In traditional, centralized server infrastructures, critical systems that require direct internet access are protected by layered security controls.

This security model often includes:

Firewalls
Intrusion Detection and Prevention Systems (IDS/IPS)
Email spam filters
Endpoint protection
Credential management systems

These measures are in place to prevent unauthorized access, data breaches, or misuse of system resources.

🚨 Why Node Operators Must Be Extra Cautious

This makes your system a high-value target for attackers. Once compromised, malicious actors can:

Steal your wallet credentials
Hijack your node resources
Use your system as a pivot point to exploit other services

To prevent this, you must manually enforce best-practice security configurations.

🛡️ Security Measures You Must Implement

Restrict SSH Access by IP address

Only allow inbound SSH access from specific IP addresses (e.g., your home, office, or trusted remote locations). This significantly reduces the risk of unauthorized login attempts.

Use Cloud Providers With External Firewall Features

Choose a VPS provider that offers built-in firewall configuration options at the account or project level.

Disable root-level SSH access to ensure only limited, authorized accounts can initiate remote sessions.

Protect SSH Keys With Strong Passphrases

Always secure your private keys with strong, unique passphrases.

Use a custom port to obscure your SSH connection

Since our only way to connect to the VPS (unless we are advanced experts) is through the Internet, it's important to take precautions. To prevent malicious actors from "sniffing" the default TCP port used for SSH connections, we should .

🌍 Determining Your Public IP Address

When defining firewall rules to restrict access to your VPS, you’ll need to specify your current public IPv4 address.

Steps:

Open your web browser.
Navigate to:
Look for the section labeled "My Public IPv4:"
Record this IP address. This is the address you’ll allow through your VPS firewall.

🔁 Repeat this process for each trusted location from which you plan to access your node (e.g., home, office, mobile hotspot).

📱 Accessing Your Node From Mobile Devices

If you plan to use mobile apps to connect to your VPS:

Be aware that mobile IP addresses often change and are part of large, dynamic subnet ranges.
For security, avoid allowing full open access unless absolutely necessary.
Alternatively, you can configure two firewall rule sets:
- Locked-down mode (only allows known IPs)
- Travel mode (temporarily opens access when you’re on the move)

Subnet-based access control from mobile networks is more advanced and outside the scope of this document. Only use this approach if you understand the implications.

By proactively applying these security best practices, you help safeguard your node from attacks and maintain your reliability as a participant in the Constellation Network.

PreviousUpload SSH Public Key NextHow to SSH into VPS

Last updated 22 days ago

Was this helpful?

Securing Your Validator Node in an Open Internet Environment

This security model often includes:

🚨 Why Node Operators Must Be Extra Cautious

🛡️ Security Measures You Must Implement

Restrict SSH Access by IP address

Use Cloud Providers With External Firewall Features

Disable Root Login for SSH

Protect SSH Keys With Strong Passphrases

Use a custom port to obscure your SSH connection

🌍 Determining Your Public IP Address

📱 Accessing Your Node From Mobile Devices

Securing Your Validator Node in an Open Internet Environment

This security model often includes:

🚨 Why Node Operators Must Be Extra Cautious

🛡️ Security Measures You Must Implement

Restrict SSH Access by IP address

Use Cloud Providers With External Firewall Features

Disable Root Login for SSH

Protect SSH Keys With Strong Passphrases

Use a custom port to obscure your SSH connection

🌍 Determining Your Public IP Address

📱 Accessing Your Node From Mobile Devices