Node Security

Below are general guidelines for reducing attack vectors over the network:

  • Ensure unattended upgrades are enabled

  • Block all ports except required ones

    • Set up a firewall via ufw or iptables

    • Optionally, for a cloud host, block ports via a security group instead

  • The SSH port should be open to trusted IP addresses only

  • SSH login with a password should be disabled; authenticate with an ed25519 key instead

    • For extra security, use a YubiKey with an ed25519-sk resident key
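
One way to check two of the items above (password login disabled, unattended upgrades enabled). This is an added example, not part of the original guide; the function names, the sample files and the Debian/Ubuntu APT file layout are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audits two checklist items from config text, so it runs offline.
# On a live host prefer the output of `sshd -T` (effective config) as input,
# because Include files and Match blocks can override the main sshd_config.

# Print the first global value of an sshd keyword (sshd keeps the first value
# it reads; keywords are case-insensitive), or the given default if unset.
sshd_value() {  # usage: sshd_value <file> <keyword> <default>
  awk -v key="$2" -v dflt="$3" '
    $1 ~ /^#/ { next }                         # comment line
    tolower($1) == "match" { exit }            # stop at per-user/host overrides
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print dflt }' "$1"
}

# Succeeds only if both password paths are closed. Keyboard-interactive (PAM)
# can still prompt for a password when PasswordAuthentication is "no".
ssh_passwords_disabled() {  # usage: ssh_passwords_disabled <file>
  # ChallengeResponseAuthentication is the deprecated alias of the keyword.
  _kbd=$(sshd_value "$1" KbdInteractiveAuthentication \
         "$(sshd_value "$1" ChallengeResponseAuthentication yes)")
  [ "$(sshd_value "$1" PasswordAuthentication yes)" = "no" ] && [ "$_kbd" = "no" ]
}

# Succeeds if the APT periodic config turns unattended upgrades on.
# Assumes the Debian/Ubuntu layout (/etc/apt/apt.conf.d/20auto-upgrades).
unattended_upgrades_enabled() {  # usage: unattended_upgrades_enabled <file>
  grep -Eq '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]+"[1-9][0-9]*";' "$1"
}

# Constructed sample input, not taken from a real host.
tmp=$(mktemp -d)
printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$tmp/sshd_weak"
printf 'passwordauthentication no\nKbdInteractiveAuthentication no\nPasswordAuthentication yes\n' > "$tmp/sshd_hard"
printf 'APT::Periodic::Unattended-Upgrade "1";\n' > "$tmp/apt_on"
printf 'APT::Periodic::Unattended-Upgrade "0";\n' > "$tmp/apt_off"

for f in sshd_weak sshd_hard; do
  if ssh_passwords_disabled "$tmp/$f"; then echo "$f: passwords disabled"
  else echo "$f: password login still possible"; fi
done
for f in apt_on apt_off; do
  if unattended_upgrades_enabled "$tmp/$f"; then echo "$f: enabled"
  else echo "$f: disabled"; fi
done
```

The `sshd_weak` sample fails even though it sets `PasswordAuthentication no`, because keyboard-interactive authentication is left at its default.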

The exact steps are out of scope of this guide; please refer to other online sources or consult the community Discord. Below are some good 3rd party guides for reference:

The physical security of the host should be reviewed as well.

For validators, we encourage the use of tmkms for improved signing security.
