| Area | Checklist item |
|---|---|
| General System Security | The operating system is patched as necessary and updated to the most recent stable version of the kernel. Operating the node in an x86_64 environment is recommended. |
| General System Security | The operating system has auto-updates configured. Tools for automatic upgrades include auter, yum-cron, dnf-automatic, and unattended-upgrades. |
| General System Security | A security framework is enabled and enforcing (SELinux, AppArmor, Tomoyo, or Grsecurity). |
| General System Security | No insecure or unnecessary services are installed (e.g. telnet, rsh, inetd). |
| General System Security | The GRUB boot loader password is set: GRUB2 is configured with a password. |
| General System Security | Only root has permissions on core system files. |
| File Directory Security | Secure the `/.humansd` directory so that only the owner can access it. |
| Binary Configuration | The following `config.toml` settings are advised for optimal speed and security. Sentry nodes: `max_num_inbound_peers = 500`, `max_num_outbound_peers = 50`, `flush_throttle_timeout = "300ms"`. Validator node: `max_num_inbound_peers = 100`, `max_num_outbound_peers = 10`, `flush_throttle_timeout = "100ms"`. |
| Account Security & Remote Access | Password guidelines are mandatory: blank passwords are prohibited, as are weak passwords. |
| Account Security & Remote Access | The following SSH settings are active: `PermitRootLogin no`; `PasswordAuthentication no`; `ChallengeResponseAuthentication no`; `UsePAM yes`; `AllowUsers` restricted to the necessary users only; `AllowGroups` restricted to the necessary groups only. |
| Networking | Test the network throughput with speedtest. A minimum upload and download speed of 5 Mbps is advised. |
| Networking | A host-based (e.g. iptables) or cloud-based (e.g. AWS Security Group) firewall is active on all associated nodes. Remote management ports (such as SSH, TCP 22) are reachable only from a limited set of IP addresses, never from the entire internet. No excessively permissive rules are defined, such as a broad range of allowed ports (1-65535). Internal communication channels between nodes use explicitly defined source and destination addresses. Where possible, TCP 26656 is the only inbound port open on nodes reachable from the internet. |
| Networking | An intrusion detection and prevention system (such as Fail2Ban, Snort, or OSSEC) is installed and active. |
| Networking | Firewall rules prevent direct internet access to the validator node, which is protected by a sentry node design. |
| Networking | The Remote Procedure Call (RPC) interface exposes private procedures and data that should not be made available online. RPC is enabled by default and accepts connections from 127.0.0.1 only. If you need to enable RPC from other IP addresses, exercise extreme caution. |
| Redundancy | The hot standby node is configured identically to the primary node. |
| Redundancy | Monitoring and alerting are configured to notify owners of anomalies. |
| Key Management | Replace the static key file by setting up Tendermint KMS with an HSM or a comparable online service. |
| DDoS | Set up the validator using the sentry architecture. Refer to the setup instructions and full description for more information. |
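As an added example (not part of this checklist or the humansd project's code), a small Python audit of the `config.toml` items above: it reads the `[p2p]` peer limits and the `[rpc]` `laddr` binding and reports where a node's configuration deviates from the recommended values for its role. The `[p2p]` and `[rpc]` section names and the `laddr` key are Tendermint's; the minimal parser and the sample config are constructed for this example.

```python
import re

SECTION_RE = re.compile(r"^\[([\w.-]+)\]$")
KV_RE = re.compile(r'^([\w-]+)\s*=\s*("[^"]*"|-?\d+)')

# [p2p] values the checklist recommends, per node role.
EXPECTED = {
    "sentry": {"max_num_inbound_peers": 500, "max_num_outbound_peers": 50,
               "flush_throttle_timeout": "300ms"},
    "validator": {"max_num_inbound_peers": 100, "max_num_outbound_peers": 10,
                  "flush_throttle_timeout": "100ms"},
}

def parse_toml_subset(text):
    """Minimal [section] / key = value parser for the flat string and integer keys of a Tendermint config.toml."""
    cfg, section = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif (m := KV_RE.match(line)):
            key, val = m.groups()
            cfg.setdefault(section, {})[key] = val[1:-1] if val.startswith('"') else int(val)
    return cfg

def audit_config(text, role):
    """Return a list of findings; an empty list means the config matches the checklist for this role."""
    cfg = parse_toml_subset(text)
    findings = []
    for key, want in EXPECTED[role].items():
        got = cfg.get("p2p", {}).get(key)
        if got != want:
            findings.append(f"[p2p] {key} = {got!r}, expected {want!r} for a {role} node")
    # RPC must stay bound to loopback; a missing laddr is flagged as well.
    laddr = cfg.get("rpc", {}).get("laddr", "")
    host = re.sub(r"^tcp://", "", laddr).rsplit(":", 1)[0]
    if host not in ("127.0.0.1", "localhost"):
        findings.append(f"[rpc] laddr = {laddr!r} is not restricted to 127.0.0.1")
    return findings

# Constructed sample: a node with the sentry peer limits and RPC bound to every interface.
SAMPLE_CONFIG = """
[rpc]
laddr = "tcp://0.0.0.0:26657"   # exposed beyond loopback
[p2p]
max_num_inbound_peers = 500
max_num_outbound_peers = 50
flush_throttle_timeout = "300ms"
"""
```

Run `audit_config(open(path).read(), "validator")` against a real node's file; the sample above yields one finding as a sentry (the RPC binding) and four as a validator.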