1.5 Security
We make sure that your MiniBolt is secured against unauthorized remote access.
The MiniBolt needs to be secured against online attacks using various methods.
Uncomplicated Firewall (enable & configure)
A firewall controls what kind of outside traffic your machine accepts and which applications can send data out. By default, many network ports are open and listening for incoming connections. Closing unnecessary ports can mitigate many potential system vulnerabilities.
For now, only SSH should be reachable from the outside. Bitcoin Core and LND are using Tor and don't need incoming ports. We'll open the port for Electrs and web applications later if needed.
Check IPv6 availability
With user admin, check your IPv6 availability.
There are two possible results:
If you obtain the "OK." output, you have IPv6 availability; additionally, you can obtain your IPv6 address with: curl -s ipv6.icanhazip.com. You are OK, continue the guide without modifications.
If you obtain ping6: connect: Network is unreachable, you don't have IPv6 availability. Don't worry, IPv6 adoption is still new; you will use your internet connection over the common IPv4. Additionally, you can obtain your IPv4 address with: curl -s ipv4.icanhazip.com
If you don't have IPv6 availability, you can disable IPv6 on UFW to avoid the creation of rules related to it:
Edit the UFW configuration
Change IPV6=yes to IPV6=no. Save and exit
Deny incoming connections (we are going to allow incoming connections on demand)
Allow outgoing connections
Allow SSH incoming connection
Attention! Don't forget the next step!
Disable logging
Enable ufw. When the prompt shows you "Command may disrupt existing ssh connections. Proceed with operation (y|n)?", press "y" and enter
Expected output:
Check if the UFW is properly configured and active
If you find yourself locked out by mistake, you can connect a keyboard and screen to your PC to log in locally and fix these settings (especially for the SSH port 22). More: UFW Essentials
Monitoring SSH authentication logs (optional)
You can monitor authentication general logs in your system in real-time
Or filtering only by SSH authentication logs in the last 500 lines
With this command, you can show a listing of the users who successfully logged in to your MiniBolt in the last 7 days. Change the -7days option to whatever period you want
In this way, you can detect a possible brute-force attack and take appropriate mitigation measures
Do this regularly to spot security-related incidents
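As an added example (not part of the MiniBolt guide), the following shell functions do the brute-force check described above over a few constructed sshd log lines: they count failed password attempts per source IP and flag any source at or above a threshold. On the MiniBolt you would pipe real lines from the journal or auth log instead of the constructed sample; the threshold value is an assumption you should tune.

```shell
# Constructed sample of sshd log lines (auth.log / journal format); not real data.
SAMPLE_AUTH_LOG='Mar 10 08:01:12 minibolt sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 51234 ssh2
Mar 10 08:01:15 minibolt sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Mar 10 08:01:18 minibolt sshd[1201]: Failed password for admin from 203.0.113.7 port 51240 ssh2
Mar 10 08:02:00 minibolt sshd[1203]: Failed password for admin from 203.0.113.7 port 51250 ssh2
Mar 10 08:03:41 minibolt sshd[1210]: Accepted publickey for admin from 192.0.2.20 port 40002 ssh2: ED25519 SHA256:constructed
Mar 10 08:05:02 minibolt sshd[1215]: Failed password for admin from 192.0.2.20 port 40010 ssh2'

# failed_by_ip: reads sshd log lines on stdin and prints "<count> <ip>" for each
# source IP that produced "Failed password" events, highest count first.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password/ {
         # the source address is the field right after the word "from"
         for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_bruteforce THRESHOLD: reads sshd log lines on stdin and prints only the
# source IPs whose failed-attempt count is >= THRESHOLD (a hypothetical cut-off).
flag_bruteforce() {
  threshold="$1"
  failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_bruteforce 3
```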
Install Nginx
Several components of this guide will expose a communication port, for example, the Block Explorer, or the ThunderHub web interface for your Lightning node. Even if you use these services only within your own home network, communication should always be encrypted. Otherwise, any device in the same network can listen to the exchanged data, including passwords.
We use Nginx to encrypt the communication with SSL/TLS (Transport Layer Security). This setup is called a "reverse proxy": Nginx provides secure communication to the outside and routes the traffic back to the internal service without encryption.
Install Nginx
Check the correct installation
Example of expected output:
Create a self-signed SSL/TLS certificate (valid for 10 years)
Example of expected output:
NGINX is also a full web server. To use it only as a reverse proxy, backup the default configuration
Create a new blank configuration file
Paste the following configuration into the nginx.conf file. Save and exit
Create the streams-available and streams-enabled directories for future configuration files
Remove the Nginx sites-available and sites-enabled default configuration files
Test this barebone Nginx configuration
Expected output:
Reload Nginx to apply the configuration
You can monitor the Nginx logs by entering this command. Exit with Ctrl + C
Expected output:
You can monitor Nginx error logs by entering this command. Exit with Ctrl + C