# Chapter 31: Node Security Fundamentals
## Overview
Securing blockchain nodes is critical to protect your infrastructure and prevent unauthorized access.
## 31.1 Security Principles
```text
┌─────────────────────────────────────────────────────────────────┐
│                    NODE SECURITY LAYERS                         │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │  1. NETWORK SECURITY                                    │    │
│  │     - Firewall rules                                    │    │
│  │     - VPN/VPC isolation                                 │    │
│  │     - Port restrictions                                 │    │
│  └─────────────────────────────────────────────────────────┘    │
│                              │                                  │
│                              ▼                                  │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │  2. ACCESS CONTROL                                      │    │
│  │     - Authentication                                    │    │
│  │     - Authorization                                     │    │
│  │     - Rate limiting                                     │    │
│  └─────────────────────────────────────────────────────────┘    │
│                              │                                  │
│                              ▼                                  │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │  3. DATA SECURITY                                       │    │
│  │     - Encryption at rest                                │    │
│  │     - TLS/SSL                                           │    │
│  │     - Key management                                    │    │
│  └─────────────────────────────────────────────────────────┘    │
│                              │                                  │
│                              ▼                                  │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │  4. SYSTEM HARDENING                                    │    │
│  │     - Run as non-root                                   │    │
│  │     - Regular updates                                   │    │
│  │     - Monitoring/alerting                               │    │
│  └─────────────────────────────────────────────────────────┘    │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```

## 31.2 Network Security
### Firewall Configuration
```bash
# Allow only necessary ports
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH
sudo ufw allow 22/tcp

# Allow P2P (geth uses TCP for peer connections and UDP for node discovery)
sudo ufw allow 30303/tcp
sudo ufw allow 30303/udp

# Allow RPC only from a specific IP (replace YOUR_IP with the client address)
sudo ufw allow from YOUR_IP to any port 8545 proto tcp

# Enable firewall
sudo ufw enable
```

### Bind RPC to Localhost
```bash
# DON'T do this (exposes the RPC server to the public Internet):
geth --http --http.addr 0.0.0.0

# DO this (only local access):
geth --http --http.addr 127.0.0.1
```
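As an added example (not code from this chapter), the following POSIX shell check reads `ss -Hltn` output and reports any RPC listener that is not bound to a loopback address; the port list and the sample listener lines are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the chapter): report RPC listeners that are
# bound to all interfaces instead of the loopback address. Input is the
# output of `ss -Hltn` (one listener per line, no header); a constructed
# sample is embedded below so the check runs offline.

# Ports that must stay on 127.0.0.1 (geth defaults, assumed here):
# 8545 = HTTP JSON-RPC, 8546 = WebSocket RPC, 8551 = authenticated Engine API.
RPC_PORTS="8545 8546 8551"

# Constructed sample of `ss -Hltn` output.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:30303 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8545 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8551 0.0.0.0:*
LISTEN 0 4096 [::]:8546 [::]:*
LISTEN 0 128 127.0.0.1:22 0.0.0.0:*'

# Reads ss lines on stdin; prints "<port> <local address>" for each RPC
# port that is not bound to loopback. Returns 0 if nothing is exposed, else 1.
find_exposed_rpc() {
    exposed=0
    while read -r _state _recvq _sendq laddr _peer; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}       # text after the last ':'
        addr=${laddr%:*}        # everything before the last ':' (IPv6 keeps its brackets)
        for p in $RPC_PORTS; do
            [ "$port" = "$p" ] || continue
            case "$addr" in
                127.0.0.1|'[::1]') ;;                 # loopback only: fine
                *) echo "$port $addr"; exposed=1 ;;   # reachable from other hosts
            esac
        done
    done
    return $exposed
}

# Run against the embedded sample; on a real node use: ss -Hltn | find_exposed_rpc
printf '%s\n' "$SAMPLE_SS" | find_exposed_rpc || echo "exposed RPC listeners found"
```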
## 31.3 Key Management

### Secure Key Storage
Section titled “Secure Key Storage”| Method | Security | Use Case |
|---|---|---|
| Hardware Wallet | Highest | Validators |
| Keystore File | Medium | Development |
| Mnemonic | Medium | Backup |
| Plaintext private key | Low | Never use |
### Best Practices
- Never store private keys on RPC nodes
- Use hardware wallets for validators
- Keep backups in secure locations
- Never share private keys
## 31.4 TLS Configuration
### Enable TLS for RPC
```bash
# Generate a self-signed certificate valid for one year
# (-nodes leaves key.pem unencrypted, so restrict its file permissions;
#  for a public endpoint use a certificate from a trusted CA instead)
openssl req -x509 -newkey rsa:4096 \
  -keyout key.pem -out cert.pem \
  -days 365 -nodes

# Use with Nginx proxy: geth's HTTP server does not speak TLS itself, so
# terminate TLS in Nginx and forward requests to 127.0.0.1:8545
```

## 31.5 Rate Limiting
### Why Rate Limit?
- Prevent DDoS attacks
- Protect node resources
- Ensure fair usage
### Nginx Rate Limiting
```nginx
http {
    # One 10 MB zone keyed by client address, allowing 100 requests/second
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/s;

    server {
        # Terminate TLS here with the certificate from 31.4
        listen 443 ssl;
        ssl_certificate     /etc/nginx/cert.pem;
        ssl_certificate_key /etc/nginx/key.pem;

        location / {
            # Allow bursts of up to 200 queued requests before rejecting
            limit_req zone=api_limit burst=200;
            # Forward to the RPC server bound to localhost
            proxy_pass http://127.0.0.1:8545;
        }
    }
}
```

## 31.6 System Hardening
### Run as Non-Root
```bash
# Create dedicated user (system account, no login shell)
sudo useradd -r -s /sbin/nologin ethereum

# Set ownership of the data directory
sudo chown -R ethereum:ethereum /data/ethereum
```

### Systemd Service
```ini
[Service]
User=ethereum
Group=ethereum
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/data/ethereum
```

## 31.7 Interview Questions
| Question | Answer |
|---|---|
| How do you secure an RPC endpoint? | Bind to localhost, use TLS, rate limiting |
| Why run as non-root? | Limit damage if compromised |
| What is key management? | Secure storage and handling of private keys |
## Summary
- Network security: firewall, restrict ports
- Access control: rate limiting, authentication
- Key management: never expose keys on RPC nodes
- System hardening: run as non-root, regular updates
## Next Chapter
In Chapter 32: Key Management & Wallets, we'll explore key management in more detail.
Last Updated: 2026-02-20