Staking with Windows VPS on AWS
Quick guide to secure staking using Amazon Web Services
This guide will show you how to launch your own virtual Windows computer via Amazon Web Services (AWS). The Windows server has the same graphical interface as a common household Windows PC which makes it suitable for an average consumer while offering significantly greater security.
We are setting up for the Mainnet version. Testnet will require port 13333 to be used instead of 3338.
If you don't already have an account you can create one.
2. After signing up finally sign in to your AWS account:
3. To enable MFA (Multi-factor authentication) click on your username at the top right and then click 'My Security Credentials' in the dropdown menu and click on 'Activate MFA':
From here you will have the option to select from a virtual MFA device or a U2F security key or other hardware MFA device. We will be using the Virtual MFA device such that can be used on a mobile Authenticator app:
4. Upon clicking continue, a new screen will appear where you can click to reveal your QR code to scan with your Authenticator app on Android or IOS. You will then need to open up your Authenticator app and scan the code and add the AWS account to your profile. There will be two consecutive codes needed to be entered in order to fully synchronize.
5. After synchronization is successful you will now be fully set up to log in with Multi factor authentication. The next time you sign in, it will be required that you use your Authenticator app to enter the code. This will help further secure your staking server.
6. Head to the management console:
Notice the Region area next to support in the top right of the page. Here you can set your region depending on where you would like your Staker to reside. Select a region and keep note for the future.
6. Now head to the management console in 'Services' and click on 'Launch a virtual machine with EC2':
There will be several options for different servers depending on your needs. For now we will set up Microsoft Windows Server 2019 Base with containers:
The hardware resources current absolute minimum is 2CPUs/4GB RAM (t2.medium), as it should suffice as long as network load doesn't reach close to capacity.
The recommended specs are 2CPUs/8GB RAM (t2.large).
In our example below we will be using a machine with 16GB RAM and 4 CPUS.
7. Click below 'Review and launch' to continue. Here you can review your choices. We will be changing some settings in 'Security groups' to allow for port 3338 and a custom port for remote desktop (optional). Setting a custom port for remote desktop will require changing the registry in windows but we will show you how to do this later. For now we will keep the default RDP port OPEN, and add three more ports TCP 3338, UDP 123, and TCP 9833.
8. Click 'Edit security groups' and click 'Add Rule' three times to add three more rules. For custom TCP ports select Type 'Custom TCP ' and for custom UDP rules select Type 'Custom UDP ' and Under port range add:
- Your custom RDP port (in our case 9833)
- The port which the node will be connecting with peers (3338 for mainnet)
- Port UDP 123 which allows your computer to sync its time with an external Network Time Protocol (NTP server).
Having a properly synced clock is important as otherwise, peer nodes might ban you.
For all ports under 'Source' select 'Anywhere' for now. This can later be changed to only allow connections from a selected IP such as your home IP address.Then click 'Add Rule' then 'Review and launch' to complete:
It is highly recommended for your RDP port (9833 with our current example) to be bound to your home IP address. This way you will ensure that no one else would be able to connect to your server even if they have your password.
9. You can review your settings once more and then click 'Launch'. There will be a new window that will ask you to create a key pair or choose an existing one. Create a new key pair, give it a name and then download the key pair to a secure location.
10. Your instance will now start launching which will take a few minutes. Click on 'View Instances' to see your instance.
11. Your instance will display 'Initializing' under 'status check'. Pressing the refresh button next to 'Connect' will refresh the status. Once the status displays 'checks passed' we will be able to connect to our server.
12. Right click on the instance and click 'Connect'. This will load up the 'Connect to instance', then click 'RDP client'. From here we will can download the RDP client file but if you are changing the default port copy and paste the 'Public DNS' somewhere safe.
13. Now click on 'Get password' and browse to the .pem file that was previously downloaded. This will enable for the decryption of your password. Click on 'Decrypt Password' and it will reveal the instance password that you can use to login with RDP. Write it down somewhere safe.
We are now ready to log in to our instance using Remote Desktop. A few registry changes will be required if you have chosen to use a custom RDP port. The firewall will also need to be opened for a few ports as well as temporarily disabling of the Windows Server IE Enhanced Security so that we can download the proper files to start the HYDRA staking node.
14. Press the windows key and type 'RDP' to bring up the windows Remote desktop application.
If you understand the security risks you can enable sharing of clipboard. For example you may want to copy and paste your private key in order to import it. You can temporarily enable the clipboard feature by clicking 'Show Options' and then 'Local Resources' and selecting the 'Clipboard' box under 'Local devices and resources'. Please see Below if you plan to temporarily enable sharing of a local directory.
15. Click 'Show Options' and in the 'Computer' area, paste in your server address. The User Name should be 'Administrator'. If we are using a different RDP port we will later modify the address to include ":9883" at the end of the address. After entering your information proceed to click 'Connect'. Another dialog will pop up requesting your password. Enter the password that was provided by AWS earlier. It is recommended to store this password on a piece of paper.
Use on-screen keyboard on a computer that is not compromised to enter the password
15. Accept the windows certificate by clicking 'Yes'. Congratulations, we are now logged into our server. After a few moments of personalization and initial setup we will be prompted by 'Networks' dialog asking if we want to allow our PC to be discoverable by other computers. Select 'No'.
Congrats we're halfway there!
16. We're now going to prepare our server installation for our node by opening required ports TCP 3338, our custom port TCP 9833 if you are using remote desktop.We will also add UDP port 123 for the Time Sync. Press the windows key and type 'Firewall' and click 'Windows defender firewall'. (Remember we are doing this on the server not on our client computer) Once the firewall opens select 'Advanced Settings'.
On the next window we will the click 'Inbound Rules' and then 'New Rule'.
17. Click 'Port' and then click 'Next'. We will be doing this for ports TCP 3338, port UDP 123 and TCP 9833 (or whichever custom port you have optionally chosen for RDP). You should disable the RDP port after setup through the amazon security interface and only re-enabling when you need to login to the server again. This will greatly increase security as there will only be only few open ports directly to the staking wallet.
18. Select 'TCP' and then in 'Specific local ports' enter '3338'. This will be the port that our node is using to connect to other peers. Click 'Next'. Do the same selecting UDP port 123 for the time server As well as TCP port 9833 for our custom RDP port.
19. Finally click next with 'Domain', 'Private', and 'public' networks selected.
20. Give the rule a name and click finish. Repeat this process again if you have opted to use a custom port for Remote desktop TCP 9833 as well as for our NTP port UDP 123.
The resulting firewall rules should look like this: (You can use a different port than 9833 for remote desktop just be sure it is set the same port everywhere). The corresponding ports should be opened in both windows firewall and the Amazon firewall. When we need to connect by remote desktop to our server we will use the specified RDP port.
21. We are now going to set the custom port for Remote desktop. Make sure you are doing this on the server and not the client computer. Click the windows key and type 'regedit' and click 'Registry Editor'. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Click on RDP-Tcp, on the right side scroll down until you see 'PortNumber' and double click it. Then select 'Decimal' and change the number from 3389 to whichever port you want to use as an alternative. Having your own custom port means that your server will be more difficult to be scanned by hackers that usually try the default known ports. In this example, we will set the port to 9833. Click 'OK' to save it.
You will need to restart the instance for the new port to be activated.
22. Let's now test to see if our settings were correct and restart our server and try to log in again. If we set everything correctly we should be able to log in using our new port number 9833.
23. Click the servers windows button and then power and click restart.
24. To test our new RDP port we will need to connect using it with our servers address followed by
Enter the address and username (default is Administrator) and click connect. If all went well you will be prompted for your password. Enter it and we will finish preparing the server for staking with HYDRA.
Section 25 and 26 can be skipped if you understand the security risks of sharing your local system directory. You can opt to download the HYDRA wallet to your local computer and share the Directory to the VPS in remote desktop connection (See instructions below).
In order to browse to the repository to install our wallet software we must temporarily disable the Enhanced security function that comes setup by default with windows server.
25. Press the windows key and type 'server manager' and click 'Server Manager'. Click 'Local Server' and find in the right pane where it says 'IE Enhanced Security Configuration' and click where it says 'On'. This will bring up another window where you can select the off option for both users and administrators. It is advised to come back here and set it to 'On' when we have completed the installation of the HYDRA wallet.
26. We are finally now ready to install the HYDRA wallet so that we can begin staking. Open Internet Explorer and navigate to https://github.com/Hydra-Chain/node/releases You can copy and paste the link into the RDP session. If you prefer you can install a different browser to make things easier in the future. Select the Windows installer for 64 bit and download and run the file to install.
Congratulations! The wallet is now ready to be set up. You can now import your wallet.dat if you have one or create a new one to hold funds in. Please see the wallet usage section for more information on using the wallet for staking.
27. To finalize we need to log back into AWS to disable the original RDP port 3389 and after the wallet is set up for staking we can even close our custom port 9833 and open it as needed for added security. Alternatively, you can bind port 9833 to be accessed only via your home static IP Address.
In our case, we will close it entirely as the staking node will either way be accessed rarely. Let's log back into amazon web services. If we have logged out we will be prompted for the MFA code that we have generated so will need to use the Authenticator app that we've chosen to copy the temporary code from.
28. Navigate to EC2:
29. Now find your instance. Remember to be sure you're in the right locale. Click on your instance:
30. Now right click on the instance ID and choose 'Security' and then 'Security groups' below it:
31. Select 'Edit inbound rules'
32. Finally press delete for all the rules except HYDRA mainnet port 3338 and NTP port 123. If you prefer you can keep the port open for RDP and allow only connections from your own IP. Please take note of all your information such as port numbers, addresses, passwords, wallets and encryption keys.
You can now safely log off from the remote desktop session and when you need to you can come back to AWS and re-open the RDP port when you require access.
This is a highly recommended step as it protects your windows server from attacks that arise from an RDP password leak and/or brute force attacks.
Using DUO (owned by CICSO) you can add an additional layer to enhance the security of your Remote Desktop session. They offer an app that runs on IOS and Android devices which allows you to verify login attempts prior to even reaching the windows login. They offer many added benefits such as blocking out repeated login attempts as well as alerts and many more great features. Here is a great guide to get it up and running: https://duo.com/docs/rdp .
DUO is highly recommended because it ensures that even if your access password to your windows server is compromised, there will be an additional layer of security that will prevent the hacker from gaining access. In a theoretical Amazon security leak, the hacker will still need to overcome DUO in order to gain access to your server.
Additionally, the instant push notification of DUO also comes as a natural notification in case someone tries to connect to your server. It will immediately be alerted on your mobile and the attacker IP will be displayed.
NB! It is very important to configure DUO during installation to "fail close" setting. This will ensure that in no circumstance will the 2fa be bypassed. The default "Fail open" means that if there's no internet connectivity between your server and the DUO server, the 2fa will be bypassed.
The above setup offers the highest level of security. However if you understand the risks you can simplify the steps by setting your local computer directory to be shared upon connection to RDP. This way your local computer's hard drive will show up as a network drive on the Amazon instance. Then you can simply copy the encrypted wallet.dat and wallet installation files over from it. Afterwards you can return and disable sharing when all files have been copied.
- 1.In the windows search bar type 'Remote Desktop' and click on 'Remote Desktop Connection'.
- 2.Click 'Show options'
- 3.Click 'Local Resources'
- 4.Under 'Local devices and resources' click 'more'
- 5.Under 'Drives' check the box next to the drive you wish to share and click ok
- 6.After ensuring your connection settings are correct click connect
- 7.Your local drive should now show up in the Amazon system and you can access it by navigating to 'This Pc' the drive will be listed under 'Redirected drives and folders'. From here you can navigate to your wallet.dat and previously downloaded wallet installer and copy it onto the Amazon instance.
- It is recommended not to access your staking node without a reason. You can use the public explorer.hydrachain.org to monitor the activity of your staking wallet. If your balance is not changing and you don't see any mined blocks, you can connect to check on the wallet. If on the other hand, everything works smoothly, you can leave the node to do its job without interfering with it.
- Windows Server will occasionally need to deploy automatic system security updates. It will need to have firewall ports 80 and 443 opened to do so. We recommend you to perform weekly or monthly maintenance on the staking node where you do a controlled port opening and system updating (and a system restart if necessary). This will ensure your server is up-to-date and that your wallet is working smoothly.