
Node Network Security

This guide provides a technical implementation for a Sentry Node architecture. The primary objective is to isolate a validator node from the public internet to enhance security and mitigate direct attacks, such as DDoS. The validator node communicates exclusively with a set of trusted Sentry Nodes, which act as its relays to the broader peer-to-peer network.

This guide uses Lighthouse as the example client, which defaults to p2p port 9000, and ufw (Uncomplicated Firewall) for network rule management.

Architecture Overview

The setup consists of two distinct components:

Validator Node (VAL0): This machine runs the validator client and a beacon node. It is completely isolated from the public internet and does not accept connections from or initiate connections to untrusted peers.

Sentry Nodes (SEN1, SEN2, SEN3): These are standard beacon nodes exposed to the public internet. They find peers and sync the blockchain as normal. The validator node (VAL0) will connect only to these trusted sentry nodes.


Sentry Node Configuration

The Sentry Nodes are configured to be accessible on the public network to discover and connect with other Ethereum peers, while maintaining a restrictive firewall.

Apply the following ufw rules to each Sentry Node (SEN1, SEN2, SEN3):

# 1. Deny all incoming traffic by default.
sudo ufw default deny incoming
 
# 2. Allow all outgoing traffic, which is required for P2P communication.
sudo ufw default allow outgoing
 
# 3. Allow and rate-limit SSH connections. (Change '22' to your custom SSH port if applicable).
sudo ufw limit 22/tcp
 
# 4. Allow incoming connections on the Lighthouse P2P port. Lighthouse uses TCP 9000 for
# libp2p and UDP 9000 for discv5 discovery; omitting the protocol opens both.
sudo ufw allow 9000
 
# 5. Enable the firewall rules.
sudo ufw enable

Once the firewall is configured, install and run the Lighthouse beacon node on each sentry as per the official documentation. These nodes will connect to the mainnet using public bootnodes.

Validator Node Configuration

The Validator Node is configured for maximum isolation. It denies all traffic by default and permits only connections to and from the private network where the Sentry Nodes reside.

This configuration assumes all nodes (VAL0, SEN1, SEN2, SEN3) are on the same private network (e.g., a cloud VPC or a physical LAN using private IP ranges such as 10.0.0.0/8 or 192.168.0.0/16). Two consequences of the default-deny outgoing policy are worth planning for before you enable it: VAL0 will no longer reach DNS, NTP or package repositories unless you add explicit rules for them, and a validator depends on accurate time, so give it a time source on the private network. Treat the /8 and /16 ranges below as placeholders; in production, narrow them to the sentries' individual addresses so that any other host in the VPC cannot reach VAL0's P2P port.

Apply the following ufw rules to the Validator Node (VAL0):

# 1. Deny all incoming and outgoing traffic by default for maximum isolation.
sudo ufw default deny incoming
sudo ufw default deny outgoing
 
# 2. Allow and rate-limit SSH connections. Restrict the source to your bastion or admin
# subnet if you have one (e.g. 'sudo ufw limit from 10.0.0.0/8 to any port 22 proto tcp').
sudo ufw limit 22/tcp
 
# 3. Allow INCOMING connections FROM the private subnets ON the Lighthouse P2P port
# (TCP for libp2p and UDP for discovery; omitting the protocol covers both).
# This allows the Sentry Nodes to talk to the Validator Node. Replace the ranges with
# the sentries' own addresses (e.g. 'from 10.0.3.84') wherever you can.
sudo ufw allow from 10.0.0.0/8 to any port 9000
sudo ufw allow from 192.168.0.0/16 to any port 9000
 
# 4. Allow OUTGOING connections TO the private subnets.
# This allows the Validator Node to talk to the Sentry Nodes. It is also the only path
# VAL0 has for DNS, NTP and updates, so host those on the private network or add rules.
sudo ufw allow out to 10.0.0.0/8
sudo ufw allow out to 192.168.0.0/16
 
# 5. Enable the firewall rules.
sudo ufw enable

Discovery and Static Peering

The final step is to configure the Validator Node (VAL0) to connect exclusively to the Sentry Nodes. Since VAL0 cannot access the public internet, it cannot use public bootnodes and must be given the addresses of the sentries.

Obtain Sentry Node Addresses

First, retrieve the Ethereum Node Record (ENR) or the libp2p multiaddress of each running Sentry Node. Both appear in the startup logs of the sentry's beacon node and are returned by the identity endpoint of its HTTP API. Note that Lighthouse binds the HTTP API to 127.0.0.1:5052 by default and the sentry firewall above does not open port 5052, so either run the query on the sentry itself (with 127.0.0.1 as the address) or bind the API to the sentry's private address with --http-address and allow 5052 from the private subnet only.

# Example: Query a Sentry Node's identity API to get its ENR and multiaddresses
curl http://<sentry_node_ip>:5052/eth/v1/node/identity

The response carries the node's peer_id, its enr, its libp2p p2p_addresses and its discv5 discovery_addresses. Of the listed multiaddresses, use the one with the sentry's private-network IP; that is the only address VAL0's firewall lets it reach.

Configure Validator Peering

Use the retrieved ENRs or multiaddresses on the VAL0 beacon node's startup command so that it knows where the sentries are. Keep in mind that the firewall is what prevents VAL0 from talking to anyone else; these flags only tell it whom to dial.

  • Option 1: Using --boot-nodes. Pass a comma-separated list of the Sentry Nodes' ENRs. An ENR embeds the single IP address the sentry advertises, and a public-facing sentry normally advertises its public address, so confirm from the identity endpoint that each ENR carries the sentry's private address; otherwise VAL0 has no route to it.

    lighthouse bn --network mainnet --datadir /data/consensus \
      --boot-nodes "enr:-LK4QHP9pudQUPud4VfLoRHBytpK1dE_mQYa-BCVJGsR4jHDO1uzmfkrXGTmovAn9RukI52icX3s0fHfhT-Fsinr1B8Dh2F0dG5ldHOIAAAAAAAAAACEZXRoMpD2d10HAAABE___________gmlkgnY0gmlwhFzIHRCJc2VjcDI1NmsxoQKfVWe8YoASdFmIlVxo4Lh6je6jGW-tXOJWTh-6ZuW4ooN0Y3CCIyiDdWRwgiMo,enr:..."
  • Option 2: Using --libp2p-addresses. Alternatively, pass a comma-separated list of the Sentry Nodes' multiaddresses. This lets you pick the private-network address explicitly, which makes it the more predictable choice in this architecture.

    lighthouse bn --network mainnet --datadir /data/consensus \
      --libp2p-addresses "/ip4/10.0.3.84/tcp/9000/p2p/16Uiu2HAsDfeLV6FLXhh1D5MeTSxADCPfBCHRh4VrhcHzeSpxGQRF,/ip4/..."

Two further Lighthouse flags complement either option: --disable-discovery switches discv5 off entirely, so VAL0 never searches for other peers, and --trusted-peers takes a comma-separated list of peer IDs (the sentries' peer_id values) that the peer scorer will not disconnect.
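The script below is an added example for this guide; it is not code from the original page or from Lighthouse. It takes the JSON each sentry returns from /eth/v1/node/identity and derives two things for VAL0 at once: the ufw rule set from the Validator Node Configuration section, scoped to the individual sentry hosts instead of whole /8 and /16 ranges, and the --libp2p-addresses value from the peering step above, built only from addresses VAL0 can actually reach. It assumes the response shape of that endpoint (peer_id and p2p_addresses fields), TCP and UDP 9000 as the P2P port, and that VAL0 reaches sentries only over RFC 1918 addresses; the two identity responses embedded in it are constructed, not captured from real nodes.

```sh
#!/bin/sh
# Added example for this guide, not code from the original page or from Lighthouse.
# Turns the sentries' /eth/v1/node/identity responses into VAL0's configuration:
#   - ufw rules scoped to the individual sentry hosts (instead of whole /8, /16 ranges)
#   - the --libp2p-addresses value, built only from addresses VAL0 can reach.
# Assumptions: identity JSON with "peer_id" and "p2p_addresses" fields, P2P on
# TCP+UDP 9000, and VAL0 reaching sentries only over RFC 1918 addresses.

P2P_PORT=9000

# is_private_ipv4 A.B.C.D  ->  status 0 only for a well-formed dotted quad inside
# 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16
is_private_ipv4() {
    case $1 in *.) return 1 ;; esac
    rest=$1 n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
        [ "$rest" = "$o" ] && break
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ] || return 1
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# peer_id JSON  ->  the "peer_id" field of an identity response
peer_id() {
    printf '%s' "$1" | sed -n 's/.*"peer_id":"\([^"]*\)".*/\1/p'
}

# private_multiaddrs JSON  ->  each /ip4/<ip>/tcp/<port>/p2p/<id> whose <ip> is
# private, one per line (discovery /udp/ addresses are ignored on purpose)
private_multiaddrs() {
    printf '%s' "$1" | grep -o '/ip4/[0-9.]*/tcp/[0-9]*/p2p/[A-Za-z0-9]*' | sort -u |
    while IFS= read -r addr; do
        ip=${addr#/ip4/}
        ip=${ip%%/*}
        if is_private_ipv4 "$ip"; then printf '%s\n' "$addr"; fi
    done
}

# libp2p_addresses JSON...  ->  comma-separated list for --libp2p-addresses.
# Returns 1 and names the offender on stderr if a sentry advertises no private
# address: VAL0 could never reach that sentry, whatever its ENR says.
libp2p_addresses() {
    list='' missing=0
    for json in "$@"; do
        found=0
        for addr in $(private_multiaddrs "$json"); do
            list="${list:+$list,}$addr"
            found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "sentry $(peer_id "$json") advertises no private address" >&2
            missing=1
        fi
    done
    printf '%s\n' "$list"
    return "$missing"
}

# validator_ufw_rules IP...  ->  prints the ufw commands for VAL0 that admit the
# P2P port only for the listed sentry hosts; refuses any non-private address
validator_ufw_rules() {
    for ip in "$@"; do
        is_private_ipv4 "$ip" || { echo "refusing non-private sentry address $ip" >&2; return 1; }
    done
    printf 'sudo ufw default deny incoming\nsudo ufw default deny outgoing\n'
    # SSH: narrow 'from' to your bastion or admin subnet if you have one
    printf 'sudo ufw limit 22/tcp\n'
    for ip in "$@"; do
        for proto in tcp udp; do
            printf 'sudo ufw allow in proto %s from %s to any port %s\n' "$proto" "$ip" "$P2P_PORT"
            printf 'sudo ufw allow out proto %s to %s port %s\n' "$proto" "$ip" "$P2P_PORT"
        done
    done
    # DNS/NTP/updates are NOT covered: add explicit rules for hosts on the private net
    printf 'sudo ufw enable\n'
}

# Constructed identity responses (no real nodes). SEN1 advertises a private and
# a public address; SEN2 advertises only a public one and must be fixed first.
SEN1='{"data":{"peer_id":"16Uiu2HAmSentryOne","enr":"enr:-CONSTRUCTED-1","p2p_addresses":["/ip4/10.0.3.84/tcp/9000/p2p/16Uiu2HAmSentryOne","/ip4/203.0.113.10/tcp/9000/p2p/16Uiu2HAmSentryOne"],"discovery_addresses":["/ip4/10.0.3.84/udp/9000/p2p/16Uiu2HAmSentryOne"]}}'
SEN2='{"data":{"peer_id":"16Uiu2HAmSentryTwo","enr":"enr:-CONSTRUCTED-2","p2p_addresses":["/ip4/203.0.113.11/tcp/9000/p2p/16Uiu2HAmSentryTwo"]}}'

# Review the rules, run them on VAL0, then paste the address list into
# 'lighthouse bn ... --libp2p-addresses "<list>"'.
validator_ufw_rules 10.0.3.84 10.0.3.85
libp2p_addresses "$SEN1" "$SEN2" || echo "fix the sentries named above before starting VAL0" >&2
```

Feed it the real identity responses (one argument per sentry, e.g. `libp2p_addresses "$(curl -s http://127.0.0.1:5052/eth/v1/node/identity)"` run on each sentry and collected) and it refuses to produce a rule or an address for anything outside the private ranges, which is the failure mode that silently leaves VAL0 without peers when a sentry only advertises its public address.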

With this configuration, the validator's beacon node has no route to the public internet and exchanges gossip only with sentries you operate; a flood against a sentry degrades one relay rather than reaching the validator itself.
