Full node on Linux Ubuntu Server or just stay on windows?

Hi there good folks, NVME burners.

I was a full Windows person until 2 days ago, when I decided to jump into headless Ubuntu Server CLI and started plotting using Swar plotting manager there. So far there has been lots to learn, and while there were problems that required me to reinstall Ubuntu and change my graphics card cable from VGA to HDMI, all other things were very interesting to learn.

One very interesting give-up moment was when I tried to copy and paste my public keys from nano to Swar’s config.yaml, only to find out that there’s no global clipboard built into Ubuntu Server. I found this program called xclip, but I haven’t been able to use it, so I gave up and just used a Mac terminal to copy and paste the keys via SSH…

Now, my full node is on a Windows machine currently, and as I mentioned in the title, I’m planning to move the full node to an Ubuntu server, mostly because it seemed more “stable” than Windows, at least that’s what I experienced when plotting on it: the Windows plotter restarts randomly, but the same machine using Ubuntu Server just ran flawlessly for a few days.

Now, as moving a full node from windows to ubuntu server is a pretty huge leap at least for me, so far what I’ve learned is only how to move the /db and /wallet/db main *.sqlite files (the big ones) - hopefully these are correct things to do as well because I haven’t tested it yet

My current concern is security, as I know that using linux is only as strong as the hardening done to it.

If you’re interested in the network topology I’m planning to do it’s here

Or if you’d rather just see the network topology image without clicking the forum post, please see here

Now, I’ve found some good advice on reddit regarding what to do, but one of these raises concerns of its own.

Some fun things to learn and keep you safe…

+++Implement passwordless login and disable root login. +++

+++Change your user name to something obscure like ILoveTo3atB4con (while not being the most secure it makes you feel cool) +++

+++use Fail2ban set it up to perma ban after 1 try, you are using passwordless login right++++

+++ set up Mac and IP filtering(low priority)+++

+++Use port filtering on your router+++

++++++setup Vlans++++ please do this if your router supports it please I beg you put any computer that is open and forward facing the internet on a vlan that is not on a computer that you use daily ++++

I think I know how to do the first 2 since I’ve had experiences setting up RSA keys accessing a cloud VPS before.

I might be able to search on how to use Fail2ban, MAC and IP Filtering.

Port filtering I’m not very sure about, since my ISP tends to make it hard for me to edit router settings.

Using VLAN:
Now, other than the fact that I had never known about VLAN before I read the good person’s comment, I’m also not sure whether I can still use the same network topology on my full node if I do.

  1. Does using VLAN involve changing settings on my router?
  2. Can I copy my plots over from my plotters on an offline network to the full node on VLAN? Will it be super slower since I’m using a 1GbE interface?
  3. Should I just put all the plotters on VLAN as well?
  4. Is there anything else that I can do to maybe increase the security hardening for my full node without having to do a technical backflip?

On another note.

  1. My internal IP is 10.233.10.xxx using 255.255.255.0 as netmask worked in windows but when I installed ubuntu server it won’t let me use 255.255.255.0/24 and I had to use DHCP for it, hopefully I can resolve the issue with the 2 lan cards
  2. If the Ubuntu server machine has got 2 internal IP addresses, which one do I ssh into with my new cool username?

If anyone’s still interested, this is my current to-do list on my Linux journey, not in order of importance.

Please do let me know if anything below is something wrong to do :

  • Setup fdisk for auto mounting on start
  • Setup fdisk for auto mounting network drives, use either smb (samba) or NFS
  • learn linux file sharing with samba or NFS
  • learn automatic rsync to detect plot files and copy over network then delete the source file
  • learn to set static IP on linux and find the netmask for both ethernet cards
  • learn to run whole full node on ubuntu server
  • secure way to send ca folder to linux machine
  • learn to use cron tab / job to do fstrim more frequently on the plotters
  • how to start all the process necessary if full node restarts for any reason

Thanks in advance, advanced people.

2 Likes
  1. Does using VLAN involve changing settings on my router?

Yes. And many (most?) “normal” routers (the ones you find in residential installations) do not support VLANs.

While I agree that implementing VLANs might improve your security, it definitely does not do it by itself. You will also need some kind of filtering (firewalling) between the VLANs you configure. If all this is new to you, I would suggest leaving VLANs for later, and focusing on hardening your Linux servers (all that fail2ban, key-based login, and so on).

  2. Can I copy my plots over from my plotters on an offline network to the full node on VLAN? Will it be super slower since I’m using a 1GbE interface?

Most of the time, VLANs will not introduce a performance penalty. But again, your router (and, depending on the topology, probably your switches as well) need to support VLANs. Unlikely, given your comment about your ISP :slight_smile:

  3. Should I just put all the plotters on VLAN as well?

Yes.

  4. Is there anything else that I can do to maybe increase the security hardening for my full node without having to do a technical backflip?

Filtering between VLANs.

  1. My internal IP is 10.233.10.xxx using 255.255.255.0 as netmask worked in windows but when I installed ubuntu server it won’t let me use 255.255.255.0/24 and I had to use DHCP for it, hopefully I can resolve the issue with the 2 lan cards

Define “it won’t let me use”. How exactly were you trying to configure it? Also, there is no such thing as 255.255.255.0/24 (“255.255.255.0” and “/24” are different notations for the same thing - the subnet mask). So probably you needed to input something like 10.233.10.xxx/24?

  2. If the Ubuntu server machine has got 2 internal IP addresses, which one do I ssh into with my new cool username?

By default, the SSH server will bind to all interfaces - so you can SSH into either one.

Please do let me know if anything below is something wrong to do :

  • Setup fdisk for auto mounting on start
    You mean fstab :slight_smile:

  • Setup fdisk for auto mounting network drives, use either smb (samba) or NFS
    Again, fstab.

  • learn linux file sharing with samba or NFS
    Definitely worth it, just make sure you start with the client part (at least in the beginning, your Linux machine will just be a client for these protocols - and the client part is easier)

  • learn automatic rsync to detect plot files and copy over network then delete the source file
    Something that will help you not just with Chia, but in many, many other cases :slight_smile:

  • secure way to send ca folder to linux machine
    SCP/SFTP

  • how to start all the process necessary if full node restarts for any reason
    systemd unit?

4 Likes
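
Added example, not part of either post above: a small shell check for the SSH items discussed in this thread (key-based login only, root login disabled, and the reply's point that sshd binds to all interfaces by default). The function names, the sample configs and the 10.233.10.5 address are constructed for illustration; the check does not follow `Include` lines.

```shell
#!/bin/sh
# Added example (not from the thread): check sshd settings against the
# hardening items discussed above. Sample configs below are constructed.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword (names are case-insensitive).
# Parsing stops at the first Match block, whose settings apply only conditionally.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: prints findings, returns 1 if any hardening item fails.
audit_sshd() {
    rc=0
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: password logins are still accepted"; rc=1; }
    [ "$(effective_value "$1" PermitRootLogin prohibit-password)" = no ] ||
        { echo "FAIL: root login is not fully disabled"; rc=1; }
    [ "$(effective_value "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: key-based login is turned off"; rc=1; }
    case "$(effective_value "$1" ListenAddress any)" in
        any|0.0.0.0*|::*|\[::\]*) echo "NOTE: sshd listens on every interface" ;;
    esac
    return "$rc"
}

weak=$(mktemp); hard=$(mktemp)
# Constructed sample: the later "no" is ignored because the first value wins.
cat > "$weak" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
# Constructed sample: hardened, bound to one internal address (made-up IP).
cat > "$hard" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ListenAddress 10.233.10.5
EOF
audit_sshd "$weak" || echo "weak sample: needs work"
audit_sshd "$hard" && echo "hardened sample: ok"
```

On a live server, point `audit_sshd` at the saved output of `sshd -T`, which prints the effective configuration with included files already resolved.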