Secure Your SmartCash SmartNode VPS on Ubuntu 16.04 with a Mac Wallet v1.0

Mac 10.13.2 (Local Wallet)
Ubuntu 16.04 LTS x64 (VPS smartnode)
Date 29/1/2018
By @controllinghand
Donation to my Smartcash: SebFkuHrqDnj3obXvMtfxtQKRgFeVpXF5x

Introduction

This guide assumes that you have already configured your SmartNode using the following guide

https://steemit.com/smartcash/@controllinghand/smartcash-smartnode-setup-guide-v1-4-mac-version-with-smartnode-checks-and-anti-ddos-optional-bootstrap

https://forum.smartcash.cc/t/smartcash-smartnode-setup-guide-v2-1-mac-version-quick-setup/3022

This section will guide you through disabling ssh access for root and creating a smartadmin user that will have access via ssh with the keys controlled on your MAC.

Section 1: Add the smartadmin user

1. ssh into your VSP
   Once you have logged back in let us create a new user (I used “smartadmin”) with the command
   adduser smartadmin
   
2. Enter the details for a password and keep it safe.
3. You can enter the optional information but it is not necessary so you can just skip it by pressing enter.
4. Type Y for the questions “Is this information correct” and press enter.
   
5. Give the smartadmin the ability to elevate the user privileges when needed by adding the user to the sudo group with the command
   gpasswd -a smartadmin sudo
   

Section 2: install the firewall and set it up

1. Let us install the firewall with
   apt-get install ufw
   
2. Open up the correct ports for the SmartNode to function later.
   ufw allow ssh/tcp
ufw limit ssh/tcp
ufw allow 9678/tcp
ufw logging on
ufw enable
   
3. Check the status of the firewall with
   ufw status
   
4. reboot
   reboot

Section 3: Setup ssh on local MAC and send keys to VPS server

1. Let us create the ssh key on the local MAC
   (!) WARNING if you are doing multiple smartnodes you can skip this step, if you already performed this for your 1st smartnode. Do not overwrite your .ssh/id_rsa. (!)
   ssh-keygen -t rsa -b 2048
   It will offer to save the file in the default location:
   /Users/youname/.ssh
   Press Enter to Accept Defaults.
   Create a Passphrase.
   Enter the Passphrase Again.
   Remember this Passphrase as you will need it to log in to all your ssh hosts going forward.
   
2. Secure copy the pub key to the VPS server
   First make a directory for the .ssh keys on the VPS server.
   ssh smartadmin@VPS-IP 'mkdir ~/.ssh'
3. Now copy the keys over from the MAC to the VPS
   scp ~/.ssh/id_rsa.pub smartadmin@VSP-IP:~/.ssh/authorized_keys
   now set the permission correct on the authorized_keys
   ssh smartadmin@VSP-IP 'chmod 600 ~/.ssh/authorized_keys'
   
4. Now to disable root access for ssh
   ssh into your VSP
   ssh root@VSP-IP
   edit the sshd config file
   pico /etc/ssh/sshd_config
   Scroll down the file till you see PermitRootLogin yes and change it to no
   
   Scroll down to PasswordAuthentication and make sure it has no character in front and says no (check screenshot)
   
   Now press CTRL + x to close.
   “Save modified buffer?” will appear at the bottom.
   Press Y to save.
   Hit Enter to confirm the filename to save as.
   Now it is time to restart the ssh service, so the changes become active.
   systemctl reload sshd

reboot
5. Validate root doesn't have access and login in with smartadmin user
   ssh root@VSP-IP
   You should get Permission denied (publickey)

Note: when it asks for your Enter passphrase for key it is not the root password or smartadmin password, it is the passphrase you used to create the ssh key

Now login with smartadmin
ssh smartadmin@VSP-IP

Important note

To issue commands like smartcash-cli getinfo you need to inherit root's environment. So...
you would type sudo -i smartcash-cli getinfo
Basically any command you want to run as root type sudo -i <command>

This completes the guide to make your SmartNode more secure