Hardening your Skywire Node + Enhancements
#1
hardening your skynode

disclaimer: this is my personal experience with the official skywire software to increase security and ease the maintenance part, i do not take any responsibility if this locks you out of your system or any other unexpected behaviour you may encounter. also this is a W.I.P. and other useful stuff to manage updates from the master node to all slave nodes etc (system and sky related) will get added in a later stage.

1. introduction

i started my adventure with the base image provided by the skycoin team, i did not choose the set of 8 preconfigured images as i wanted to understand the whole setup / structure of the skywire software in combination with the official "miner".

also these are pretty raw steps and only intended for average 'experienced' linux users and don't include things like port-forwarding as these things are described many times already in other guides.

2. first steps

flash your sd cards with the base image.

hook up a monitor so you can login on the local terminal.

configure them with a static ip from the root login. (all nodes must have a unique ip *duh*)
 - vi /etc/network/interfaces
 - vi /etc/resolv.conf
 - /etc/init.d/network-manager restart

for easy access later on we gonna change the hostname of each node to a unique name

 - hostnamectl set-hostname skynode01 (2nd node skynode02, etc etc)

test them by pinging google or something similar.

to be sure, reboot, log in and ping again to confirm the network part works after a reboot.

2. hardening the system

now that the network part is live we can harden the node so the root user is not exposed to malicious intent.

for this part i changed the root user passwd and created 2 extra users (a (ssh) user where i manage the node and a service account that runs the skywire software)

- change the passwd for the root user (use 'passwd' from the cmdline)

- create a personal user for ssh login and management, add him to sudo group 
- - adduser *username* (follow steps in wizard, use same on all nodes)
- - usermod -aG sudo *username* !! important to add the user to sudo group so we can do admin stuff.

- create a 'service' account for running the skywire software (it's not a real service account because we need to use its homedir for .skywire key storage)
- - adduser skywire (follow steps in wizard, use same on all nodes)

both the accounts get a user dir in /home

adding some extra security to the mix but only on the *username*, not the skywire one.

this is done so later on you cannot access the /home/*username* folder from the terminal part in the skywire gui
- chmod 750 /home/*username*

ps. another method would be to use 'setfacl' but i'm not gonna describe that here as it would cause lots of confusion if you've never heard about or used it.

3. some testing before continuing our journey

after you've done all the above steps it's time for some testing and adding some extra 'ease of access' stuff.

- startup your nodes

- login to the node #1 by ssh (this we will use as our management node so steps are only needed on node #1 the manager)

for ease of access we gonna add all nodes to the /etc/hosts file so we can access them by name and not ip

- vi /etc/hosts

- add your 8 nodes after the last line like the example below, the ip's should match those you configured in step 2.


Code:
192.168.0.2  skynode01
192.168.0.3  skynode02
192.168.0.4  skynode03
192.168.0.5  skynode04
192.168.0.6  skynode05
192.168.0.7  skynode06
192.168.0.8  skynode07
192.168.0.9  skynode08

- ping your nodes with the hostname (ping skynode02) and see if you get a reply, if not, you've done something wrong and you should start troubleshooting.

next step is trying out the user we created for the management part (all steps should be done from the management user)
- sudo *username*

you should get a prompt for the user, so now we'll try if we can access those other nodes over ssh
- ssh skynode02  -> ssh skynode08

if you get a passwd prompt and you can login you are ready for the next step

creating an ssh key for passwordless login to your nodes
- ssh-keygen -t rsa

follow steps asked from ssh-keygen and we gonna copy them to nodes 02 to 08 (password should get asked when trying to copy)
- ssh-copy-id skynode02 -> ssh-copy-id skynode08

now it's time to test if we can login to those nodes without a passwd
- ssh skynode02 -> logout with 'exit' -> try next until 'ssh skynode08'

if everything works as it should and we can login to all nodes with the user we created, it's time to harden ssh by disabling the root ssh login

- sudo vi /etc/ssh/sshd_config
- change PermitRootLogin to no
- save the config (esc, wq!)
- repeat steps on all nodes

what we have now is a system that is only accessible through ssh with the management user we created.

if you want to elevate to the root user you can use from the management user
- sudo -i


4. adding automatic startup scripts for the skywire-manager & skywire-node

next step is we gonna use some systemd scripts for our skywire software so it can be managed with simple cmd's for stop, start, restart and system start stuff.

first we gonna create the manager script, this is only needed on node #1

- sudo vi /etc/systemd/system/skywire-manager.service

add following script in it as described below

Code:
[Unit]
Description=skywire manager daemon
After=network.target syslog.target

[Service]
# see man systemd.service
Type=simple
ExecStart=/usr/local/skywire/go/bin/manager -web-dir /usr/local/skywire/go/src/github.com/skycoin/skywire/static/skywire-manager

[Install]
WantedBy=multi-user.target

next we gonna add the systemd script for the skywire node

- sudo vi /etc/systemd/system/skywire-node.service
- don't forget to change the ip's in manager-address & manager-web to match your config

Code:
[Unit]
Description=skywire node daemon
After=network.target syslog.target

[Service]
# see man systemd.service
Type=simple
User=skywire
WorkingDirectory=/usr/local/skywire/go/bin
ExecStart=/usr/local/skywire/go/bin/node -connect-manager -manager-address 192.168.x.x:5998 -manager-web 192.168.x.x:8000 -discovery-address discovery.skycoin.net:5999-034b1cd4ebad163e457fb805b3ba43779958bba49f2c5e1e8b062482904bacdb68 -address :5000 -web-port :6001

[Install]
WantedBy=multi-user.target

time to reload systemd so our scripts are ready for use (always use this if you change something in those scripts)

- sudo systemctl daemon-reload

time to test if they actually work

- systemctl start skywire-manager (node #1 only)
- systemctl start skywire-node (repeat steps on all nodes)


try logging in to your manager to see if all nodes can talk to the manager, if not please check your steps to see if you missed something.
you can always check if the software is running locally with something like netstat (ex: netstat -plnt).


if everything works and you can see all your nodes in the manager, good job: you now have a hardened system with skywire running under a minimal user without any admin rights.

now its time to let the software start after a cold start or reboot.

we can do this with
- systemctl enable skywire-manager (node #1 only)
- systemctl enable skywire-node (repeat steps on all nodes).


5. other useful stuff i used in my journey

backing up your skywire keys

if you want to backup your keys from the management user you would need access to the .skywire dir.
to make it ready so this can be automated without sudo involved we need to add our management user to the .skywire dir in /home/skywire

we can do this with setfacl (do this on all your nodes)
- setfacl -R -m u:managementuser:rwX /home/skywire/.skywire/

now we can backup the keys without using sudo
- cp -R /home/skywire/.skywire /dir/you/want/your/backups

if we want to backup the keys from a remote node to our management node (this is done on your management node)
- scp -r skynode02:/home/skywire/.skywire/ ~/backups/skynode02

updating your skywire software

Code:
sudo -i
systemctl stop skywire-manager
systemctl stop skywire-node
cd $GOPATH/src/github.com/skycoin/skywire
git reset --hard
git clean -f -d
git pull origin master
cd $GOPATH/src/github.com/skycoin/skywire/cmd
go install ./...
systemctl start skywire-node
systemctl start skywire-manager
exit

run into an error when updating your skywire software? (error: bad signature, fatal: index file corrupt)
Code:
cd $GOPATH/src/github.com/skycoin/
rm -rf skywire
git clone https://github.com/skycoin/skywire.git
cd $GOPATH/src/github.com/skycoin/skywire
git reset --hard
git clean -f -d
git pull origin master
cd $GOPATH/src/github.com/skycoin/skywire/cmd
go install ./...

F.A.Q.
.skywire dirs
- ss = socks server
- sc = socks client
- node = node app

thats it for now, will probably add later some scripts so you can do everything from node #1 (updating, backup, reboots, monitoring etc etc.)

cheers
skywalker aka @betmoar
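An added audit script (not part of skywalker's post) that checks the three things the guide changes: PermitRootLogin, the 750 mode on the management user's home dir, and the node unit running as the 'skywire' account. It assumes GNU stat/awk; the function names and the sample sshd_config and unit files it builds are constructed for this example.

```shell
#!/bin/bash
# Added example, not from the original post: an audit for the settings the guide
# changes (PermitRootLogin, the 750 home dir, the node unit running as 'skywire').
# Function names and sample files are constructed for this example.
# Print the effective global PermitRootLogin value from an sshd_config file.
# sshd takes the FIRST uncommented occurrence of a keyword, so a 'PermitRootLogin yes'
# left earlier in the file silently wins over a 'no' added at the end. Keywords after
# a 'Match' line are conditional and skipped. On a live host, 'sshd -T' is authoritative.
effective_permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}
# Succeed only when root SSH login is explicitly disabled.
check_permit_root_login() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}
# Succeed when a path has exactly the expected octal mode (GNU stat).
check_mode() {
    [ "$(stat -c %a "$1")" = "$2" ]
}
# Succeed when a systemd unit sets User= to the given account; a unit with no
# User= line runs its ExecStart as root.
unit_runs_as() {
    awk -F= -v want="$2" '$1 == "User" { found = ($2 == want) } END { exit !found }' "$1"
}
# Build constructed sample inputs in a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    printf '#PermitRootLogin prohibit-password\nPermitRootLogin yes\nPermitRootLogin no\n' > "$d/bad_sshd_config"
    printf 'Port 22\nPermitRootLogin no\nMatch User skywire\n    PermitRootLogin yes\n' > "$d/good_sshd_config"
    printf '[Service]\nType=simple\nUser=skywire\n' > "$d/skywire-node.service"
    printf '[Service]\nType=simple\n' > "$d/skywire-manager.service"
    mkdir -p "$d/home/user" && chmod 750 "$d/home/user"
    echo "$d"
}
# Run the checks against the samples and report (for live use, pass the real paths).
demo() {
    d=$(make_samples)
    for f in bad_sshd_config good_sshd_config; do
        if check_permit_root_login "$d/$f"; then echo "$f: root login disabled"; else echo "$f: root login NOT disabled"; fi
    done
    if unit_runs_as "$d/skywire-node.service" skywire; then echo "node unit: runs as skywire"; fi
    if ! unit_runs_as "$d/skywire-manager.service" skywire; then echo "manager unit: no User= line, runs as root"; fi
    if check_mode "$d/home/user" 750; then echo "home dir mode 750: ok"; fi
    rm -rf "$d"
}
demo
```

For the real hosts, call the check functions with /etc/ssh/sshd_config, /home/*username* and the unit files under /etc/systemd/system on every node.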
#2
Automated update and maintenance are so important. It greatly helps non-tech-savvy users
Would be great if you can make this enhancement process automated too

Playing with command line all day is not funny
#3
(05-24-2018, 05:57 PM)yo_mama Wrote: Automated update and maintenance are so important. It greatly helps non-tech-savvy users
Would be great if you can make this enhancement process automated too

Playing with command line all day is not funny

i don't recommend a fully automated system for updates, it's always better to test updates first on a dev system to see that nothing breaks.

but if you still want to go for automatic system updates you can configure unattended-upgrades

https://wiki.debian.org/UnattendedUpgrades

some scripts for maintenance i will add later on, scripting repeated tasks makes the cmdline a little bit more fun and less error prone