Just installing a ILP connector is not enough, if you want to go pro we need some proper security too! As we are running a payment service, the PCI-DSS guidelines are a good fit here. Although getting the server PCI-DSS compliant might be a boring task, but wouldn’t you like to keep your funds safe?
The correct time
You node must have the right time for it to tell if an packet has expired or not. Running a NTP daemon on your server is a requirement , as payments and timestamps are a required partner in transactions. Make your you install and watch over NTP.
Don’t be stupid, and get hacked for some vulnerability that was fixed weeks again, but you never got around to install it. There are a few points, OS updates and Application updates both need to be updated. So just just ‘apt-get update && apt-get dist-upgrade -y’, but also check if there is a new version of the ILP connector, Moneyd-gui or PM2 out there.
For the people using automated updating and reboots: You know at some point you will break your server, don’t know why, what was done and spent a lot of time probably fixing it. Just grab a drink and manually type the updates and watch as the updates are installed.
When stuff breaks, you need to know. We’re still working on some scripts that allow peer monitoring, but a lot of monitoring guides are already out there. Our suggestion would to to install Icinga 2 on another host and have it monitor uptime, diskspace, cpu, ntp and memory load … and keep an eye out when we release monitoring plugins so you can monitor you funds, peers, and other important stuff as well.
Tip: Monitor the reachability of /version AND check for SSL errors (like expiry), so you will get a warning about 2/3 days before the SSL actually expires. If your SSL expires, chances are your service will not be used anymore and contract owners might move away as they think your service might be unreliable!
And another no-brainer, yet still a lot of people forget to install and configure a firewall. Its not that hard, for example if x.x.x.x is your trusted source IP where you connect from:
apt-get install -y ufw ufw default deny incoming ufw default allow outgoing ufw allow 80/tcp ufw allow 443/tcp ufw allow 3000:3999/tcp ufw allow from x.x.x.x ufw enable
Yeah, you are reading it correctly … having a antivirus program on your linux server is a good idea. It might detect and prevent malware from running and stealing your finds. This boring task can be completed with:
apt-get install -y clamav clamav-daemon
Testing PCI-DSS Compliance
Once you have done all the above, there are few online testing websites that can test your server. It cannot test all the items from PCI-DSS remotely, but its close enough and free to use:
Just open the URL and enter your domain name of the ILP connector and wait a few minutes. It should show a final grade of A+ and a compliance with at least PCI-DSS. If any of the tests fail it will show you why can you can fix it.
Just open the URL and enter your domain name of the ILP connector and wait a few minutes. Again you should also accept a A+ result (with a score of 105 points of the 100 needed) and have no recommended changes listed on the upper right. You will see an error that about not getting a ‘200 OK’ but that is actually good.
Just open the URL and enter your domain name of the ILP connector and wait a few minutes. It should only report open ports 80 and 443. If you see ports like 22 being open, you did a bad job with the firewalling. If you are visiting this site, try the ‘Network Scan OpenVAS’ as well to scan for vulnerabilities.