How to Stake on FreeBSD
FreeBSD is a very powerful operating system with a great history of reliability, security and stability. Here we show how it can be used to stake Hydra in a secure way.
FreeBSD jails are a very powerful feature. In summary, your jail instance is more protected because it's like having a separate OS just for Hydra with reduced privileges.
Important: Make sure to install and enable NTP; it's necessary to stay synchronized to network clocks.
Install FreeBSD as normal; however, the following hardening settings are recommended during install:
Create a user with permissions "operator wheel"
Please remember to run all these commands as root.
security.jail.allow_raw_sockets=1
security.jail.chflags_allowed=1
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_myservices="22 3888"
firewall_allowservices="any"
firewall_logdeny="YES"
jail_enable="YES"
Notice that we've added some firewall settings. These enable IPFW with basic rules to secure our jail, allowing only ports 22 (ssh) and 3888 (Hydra) to be accessed.
kern.racct.enable=1
jail_enable="YES"
zfs create -o mountpoint=/jail zroot/jail
(Change zroot for whatever name you chose for your zfs pool)
zfs create -o mountpoint=/jail/hydra zroot/jail/hydra
cd /jail/hydra/ && fetch -o - http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/11.2-RELEASE/base.txz | tar --unlink -xpJf - -C /jail/hydra
Typing ls /jail/hydra/ should show the filesystem of our Hydra FreeBSD Jail
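The fetch command above unpacks base.txz straight from a plain HTTP stream with no integrity check. As an added example (not part of the original tutorial), the script below checks a saved copy of base.txz against the SHA-256 recorded in the MANIFEST file that FreeBSD publishes alongside the distribution sets, and extracts only on a match. The function names are made up for this example, and it assumes you obtained MANIFEST over a channel you trust.

```shell
#!/bin/sh
# Added example: verify a FreeBSD distribution set before unpacking it
# into the jail root. Function names are hypothetical, not from the tutorial.

# Portable SHA-256: FreeBSD ships sha256(1), Linux ships sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# verify_set MANIFEST FILE
# MANIFEST lines are tab-separated: file name, sha256, file count, ...
# Returns 0 on match, 1 on mismatch, 2 if the set is not listed or unreadable.
verify_set() {
    manifest=$1
    file=$2
    name=$(basename "$file")
    want=$(awk -F'\t' -v n="$name" '$1 == n {print $2; exit}' "$manifest")
    [ -n "$want" ] || { echo "no entry for $name in $manifest" >&2; return 2; }
    got=$(sha256_of "$file") || return 2
    [ "$got" = "$want" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# install_base MANIFEST FILE DEST
# Extracts with the same tar flags as the tutorial, but only after the
# checksum has been verified.
install_base() {
    verify_set "$1" "$2" && tar --unlink -xpJf "$2" -C "$3"
}

# Usage: sh verify_base.sh MANIFEST base.txz /jail/hydra
if [ "$#" -eq 3 ]; then
    install_base "$@"
fi
```

Download base.txz to a file first instead of piping it into tar, so nothing reaches /jail/hydra until the checksum has matched.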
Now, let's create the jail configuration file:
hydra {
    host.hostname = hydra.local;
    ip4.addr = 192.168.0.99;
    interface = em0;
    path = /jail/hydra;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    mount.devfs;
    allow.raw_sockets;
    allow.sysvipc;
}
Ok now it's time to launch our jail!
service jail start hydra
jexec hydra /bin/csh
cp /usr/share/zoneinfo/YOURTIMEZONE /etc/localtime
This is very important: if the time info is incorrect, we'll produce orphan blocks or will be unable to sync.
Create our basic /etc/rc.conf for our Hydra Jail
syslogd_flags="-s -s"
sshd_enable=YES
clear_tmp_enable=YES
clear_tmp_X=YES
extra_netfs_types=NFS
dumpdev=NO
update_motd=NO
keyrate=fast
sendmail_enable=NONE
sendmail_submit_enable=NO
sendmail_outbound_enable=NO
sendmail_msp_queue_enable=NO
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf
Now that we've got our jail up and running, we need to install Hydra. There are 2 options for doing this: we can use the pkg repository or the powerful FreeBSD ports, which are usually updated faster:
pkg update -f
pkg install -y hydra
portsnap fetch extract
cd /usr/ports/net-p2p/hydra && make install clean
The above will ask for a lot of configuration options, so it might be better to use make config-recursive to set all options before compiling. If you want to use default settings, just type
cd /usr/ports/net-p2p/hydra && make install clean BATCH="YES"
Launching Hydra is just like in any other *NIX operating system; however, there's a minor difference here due to how FreeBSD jails work. First, we need to create a hydra.conf file with the following contents:
This config is necessary, otherwise calling the daemon will return errors.
Then we can launch with
hydrad -daemon
- Set up a firewall on the host (you cannot set up a firewall inside a jail) and enable only the ports you need (22 and 3338). This is done in the host rc.conf at the top of this tutorial.
- Disable history. This completely disables console history and is a way to help secure your staking box. Type the following on your FreeBSD console:
unset history; unset savehist
- Secure SSH:
- 1. Disable password authentication
- If using the FreeBSD box on your home network, force it to listen on local network only.