| Category | Recommendation |
| --- | --- |
| General System Security | The operating system is properly patched and the kernel is updated to the latest stable version. The node must run in an x86_64 environment. |
| General System Security | Automatic updates of the operating system are configured. Toolkits exist for automatic upgrades (e.g. auter, yum-cron, dnf-automatic, unattended-upgrades). |
| General System Security | A security framework is enabled and enforced (SELinux / AppArmor / Tomoyo / Grsecurity). |
| General System Security | No unsafe or unnecessary services are installed (e.g. telnet, rsh, inetd, etc.). |
| General System Security | A GRUB boot loader password is configured (GRUB2 password configuration). |
| General System Security | Only root has access to core system files. |
| File Directory Security | Make sure the directory `~/.stcd` is accessible only to its owner. |
| Binary Configuration | The following settings in `config.toml` are recommended for performance and security. For sentry nodes: `max_num_inbound_peers = 500`, `max_num_outbound_peers = 50`, `flush_throttle_timeout = "300ms"`. For validator nodes: `max_num_inbound_peers = 100`, `max_num_outbound_peers = 10`, `flush_throttle_timeout = "100ms"`. |
| Account Security and Remote Access | The following password policies are enforced: no blank passwords; weak passwords are not allowed. |
| Account Security and Remote Access | Enable the following SSH configurations: `PermitRootLogin no`; `PasswordAuthentication no`; `ChallengeResponseAuthentication no`; `UsePAM yes`; `AllowUsers` listing only necessary users; `AllowGroups` listing only necessary groups. |
| Networking | Use speedtest for network throughput testing. A minimum upload speed of 5 Mbps and a download speed of at least 5 Mbps are recommended. |
| Networking | Enable host-based (such as iptables) or cloud-based (such as AWS Security Groups) firewalls to protect all relevant nodes. Remote management ports (e.g. SSH, TCP 22) should be exposed only to selected IPs and not to the Internet. Do not set overly permissive rules (for example, allowing a broad port range of 1-65535). Rules for internal communication channels between nodes should name specific source and destination addresses. For Internet-reachable nodes, set TCP 26656 as the only incoming port if possible. |
| Networking | Install and implement an intrusion detection/prevention system (e.g. Fail2Ban, Snort, OSSEC). |
| Networking | Set up a sentry node architecture to protect validators, with firewall rules that limit direct Internet access to them. |
| Networking | Remote Procedure Calls (RPC) provide sensitive operations and information that should not be exposed on the Internet. By default, RPC is turned on and only connections from 127.0.0.1 are allowed. Be extra careful if you need to allow RPC from other IP addresses. |
| Redundancy | The hot standby node uses the same configuration as the primary node. |
| Redundancy | Set up system monitoring and alerts to notify owners of anomalies. |
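
The File Directory Security, Binary Configuration and SSH rows above can be checked mechanically. The script below is an added example, not part of the original checklist or of the node software: the function names are hypothetical, the sample inputs are constructed, and it assumes the three peer settings each appear once in `config.toml`, so it matches them in whichever section they sit.

```python
import os, re, stat

# Expected values are copied from the checklist rows above.
SSHD_REQUIRED = {"permitrootlogin": "no", "passwordauthentication": "no",
                 "challengeresponseauthentication": "no", "usepam": "yes"}
P2P_RECOMMENDED = {
    "sentry": {"max_num_inbound_peers": "500", "max_num_outbound_peers": "50",
               "flush_throttle_timeout": "300ms"},
    "validator": {"max_num_inbound_peers": "100", "max_num_outbound_peers": "10",
                  "flush_throttle_timeout": "100ms"},
}
KV = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*"?([^"#\n]*?)"?[ \t]*(?:#.*)?$', re.M)

def audit_sshd(text):
    """Findings for the global (pre-Match) part of an sshd_config."""
    seen = {}
    for line in text.splitlines():
        parts = re.split(r"[\s=]+", line.split("#", 1)[0].strip(), maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # conditional overrides are out of scope here
            break
        if key and len(parts) == 2:
            seen.setdefault(key, parts[1].strip().lower())  # first value wins in sshd
    out = [f"{k}: want {v}, found {seen.get(k, 'unset')}"
           for k, v in SSHD_REQUIRED.items() if seen.get(k) != v]
    if "allowusers" not in seen and "allowgroups" not in seen:
        out.append("no AllowUsers/AllowGroups restriction")
    return out

def audit_p2p(text, role):
    """Compare key = value lines of config.toml with the values for `role`."""
    found = dict(KV.findall(text))
    return [f"{k}: want {v}, found {found.get(k, 'unset')}"
            for k, v in P2P_RECOMMENDED[role].items() if found.get(k) != v]

def audit_dir(path):
    """Flag a directory that grants any access to group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [] if mode & 0o077 == 0 else [f"{path}: mode {mode:o} is not owner-only"]

# Constructed sample inputs, not taken from a real node.
SAMPLE_SSHD = "PermitRootLogin no\nPasswordAuthentication yes  # weak\nUsePAM yes\n"
SAMPLE_TOML = ('max_num_inbound_peers = 100\nmax_num_outbound_peers = 40\n'
               'flush_throttle_timeout = "100ms"\n')

if __name__ == "__main__":
    findings = audit_sshd(SAMPLE_SSHD) + audit_p2p(SAMPLE_TOML, "validator")
    home = os.path.expanduser("~/.stcd")
    if os.path.isdir(home):
        findings += audit_dir(home)
    print("\n".join(findings) or "all checks passed")
```

A directive that is absent is reported as `unset` rather than passed, so a file that relies on sshd defaults still shows up in the findings.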