Guide: How to Set Up a World Mobile Earth Node

Introduction

This guide gives complete, step-by-step instructions for deploying a hardened World Mobile Earth Node on the currently recommended software version. It covers both the initial setup and the ongoing maintenance procedures.

← Our official guide is available here.

Prerequisites

Operating an Earth Node on the World Mobile Chain requires specific skills and a commitment to keep the node running. The essentials are listed below:

Operational Requirements

  • Node Management: Knowledge to set up, run, and maintain an Earth Node continuously.
  • Commitment to Availability: Ensure your node operates 24/7/365.

Technical Skills

1. System Operation

  • JSON: Understand JSON for configurations and APIs. What is JSON?
  • Systemd Services: Manage services reliably. Guide
  • Cron Jobs: Schedule recurring tasks. Setup guide

2. Server Administration

Deploy, configure, and maintain secure servers.

3. Networking Basics

Understand configurations, firewalls, and secure connections. Learn more

4. Server Hardening

Secure servers against vulnerabilities and follow best practices for cybersecurity.

Minimum Earth Node Hardware Requirements - TBC

  • One server
  • One air-gapped offline machine
  • Operating System: Linux
  • CPU & RAM: 2 cores, 4GB RAM, capable of running Docker + Linux
  • Storage: 100GB free storage
  • Earth Node NFT: Required in your wallet

Recommended Earth Node Hardware Requirements - TBC

  • One server
  • One air-gapped offline machine
  • Operating System: Linux
  • CPU & RAM: 2 cores, 4GB RAM, capable of running Docker + Linux
  • Storage: 100GB free storage
  • Earth Node NFT: Required in your wallet

Prerequisites

  • Ubuntu installed on the server.
  • Tailscale installed on the machine you administer from: follow this guide.
  • 2FA set up with the identity provider you use for Tailscale (e.g., a YubiKey or OTP for Google / Apple / GitHub).
  • Tailscale admin settings configured:
    • Enable User Approval so that new users must be approved by an admin before they can access the network.
    • Enable Device Approval so that new devices must be approved by an admin before they can access the network.
    • Enable Auto-update so that devices are updated to the latest Tailscale version automatically.

What is Tailscale?

Tailscale is a lightweight, easy-to-use VPN solution that builds a secure, private network using WireGuard. It simplifies connectivity by allowing devices to communicate securely without complex configurations or additional hardware. Learn more here.

Placeholders

Throughout this guide, the placeholders EN123 and server.public.ip.address are used. Replace them with:

  • EN123: a unique, descriptive name for your server (e.g., earthnode01).
  • server.public.ip.address: the public IP address of your server (e.g., 203.0.113.10; each octet of an IPv4 address must be between 0 and 255).

1: Ubuntu

It’s best practice to log in to your server with a non-root account, so that a mistyped command or a compromised session has a limited blast radius. Avoid routinely using the root account; use sudo (or su) only when elevated privileges are actually needed.

1.1 SSH to Your Server

Initial connection to set up the system, using the account your hosting provider gave you (often root):

ssh username@server.public.ip.address
# Example:
ssh username@203.0.113.10

1.2 Create a New User

Create a new user called eno that we’ll use for all future access:

sudo useradd -m -s /bin/bash eno
sudo passwd eno
sudo usermod -aG sudo eno

1.3 Deactivate the Root Account

Before locking root, confirm that the new account can obtain elevated privileges; otherwise you can lock yourself out of administering the box:

su - eno
sudo -v        # prompts for eno's password and should succeed
exit

Then lock root's password. This disables password logins as root, including on the console; root logins over SSH are additionally disabled by the sshd settings in Section 3:

sudo passwd -l root

1.4 Set the Hostname

Name your host (replace EN123 with a descriptive name for your server):

# Step 1: Set the hostname. hostnamectl writes /etc/hostname and applies the change
# immediately, so there is no need to edit /etc/hostname by hand.
sudo hostnamectl set-hostname EN123

# Step 2: Update /etc/hosts so the new name resolves locally.
# The format is "IP address, then the names for it"; do not put a second IP in the name column.
sudo nano /etc/hosts

127.0.0.1    localhost
127.0.1.1    EN123
# Save and exit (Ctrl + O, Enter, then Ctrl + X).

# Step 3: Verify
hostnamectl
ping -c 1 EN123

1.5 Update the System

Ensure all packages are up to date:

sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean

1.6 Install and Configure unattended-upgrades

Set up automatic security updates:

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# Answer yes when prompted; this writes /etc/apt/apt.conf.d/20auto-upgrades

Disable automatic reboots and enable clean-up and syslog logging. Put these overrides in a separate drop-in file rather than overwriting /etc/apt/apt.conf.d/50unattended-upgrades: that file carries the Unattended-Upgrade::Allowed-Origins list, and replacing it wholesale would leave unattended-upgrades with no origins to install from. APT reads apt.conf.d in lexical order, so a later file overrides the earlier one for these keys:

sudo tee /etc/apt/apt.conf.d/52unattended-upgrades-local << EOF
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::SyslogEnable "true";
EOF

Enable the service and confirm the merged configuration does what you expect:

sudo systemctl enable --now unattended-upgrades
sudo unattended-upgrade --dry-run --debug

2: Tailscale

Tailscale is a lightweight, private VPN that simplifies securing your server.

2.1 Install Tailscale

Tailscale's installer is a script fetched over HTTPS and piped into sh. Review it first (curl -fsSL https://tailscale.com/install.sh | less), or install from Tailscale's apt repository if your policy forbids piping remote scripts into a shell:

curl -fsSL https://tailscale.com/install.sh | sh
sudo systemctl enable --now tailscaled
tailscale version

2.2 Start and Authenticate Tailscale

sudo tailscale up --ssh

# Follow the steps on screen:
# To authenticate, visit: <link printed in the terminal>
# To approve your machine, visit (as admin): <link printed in the terminal>

The --ssh flag enables Tailscale SSH: connections to port 22 arriving over the tailnet are authenticated by your Tailscale identity (and therefore by your identity provider's 2FA) rather than by sshd's own authentication. With Device Approval enabled, the node does not join the tailnet until an admin approves it.

3: SSH

Harden sshd. Ubuntu's stock /etc/ssh/sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, so put the hardening in a drop-in file instead of overwriting the stock file (which would also discard settings such as the sftp Subsystem line). sshd uses the first value it reads for each keyword and includes the drop-ins in lexical order, so name the file so that it sorts before any existing drop-in (cloud images often ship 50-cloud-init.conf with PasswordAuthentication yes). Before disabling password authentication, make sure you will still get in: either Tailscale SSH is working (Section 2.2) or eno has a public key in /home/eno/.ssh/authorized_keys.

sudo tee /etc/ssh/sshd_config.d/00-hardening.conf > /dev/null << 'EOF'
# Core security
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes

# User restrictions
AllowUsers eno
PermitUserEnvironment no
PermitUserRC no
X11Forwarding no
PermitTTY yes
StrictModes yes
EOF

# Validate the configuration before restarting; a syntax error here can lock you out
sudo sshd -t && sudo systemctl restart ssh

# Confirm the effective settings actually took
sudo sshd -T | grep -E '^(permitrootlogin|passwordauthentication|allowusers) '

4: Firewall

4.1 Reset Firewall Rules

Reset to a clean slate (skip if you need to keep existing rules):

sudo ufw reset

4.2 Set Default Rules

Configure UFW to drop all inbound traffic except what arrives over the Tailscale interface. Keep your current SSH session open until the test in Section 5.1 succeeds; once the default-deny policy is active, a new connection to the public IP will no longer be accepted:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow in on tailscale0
sudo ufw enable
sudo ufw status verbose

Note that Docker publishes container ports by inserting its own iptables rules, which UFW does not manage: a port published with -p is reachable from the internet regardless of the rules above. Bind published ports to loopback or to the node's Tailscale address (e.g., -p 127.0.0.1:8080:8080) unless the Earth Node software requires them to be public.

5: Test SSH

5.1 Test Tailscale SSH

Open a new terminal and connect over Tailscale (MagicDNS resolves the machine name EN123; if MagicDNS is disabled, use the address shown by tailscale ip -4 on the node instead):

ssh eno@EN123

5.2 Test Original SSH Method

Verify that direct SSH access over the public IP is blocked:

ssh eno@server.public.ip.address

The connection should hang and eventually time out rather than be refused: UFW's default deny drops the packets instead of rejecting them, which is the expected sign that the firewall is configured correctly.

6: System

6.1 System Control Settings

Write hardened kernel, network and memory settings. This overwrites /etc/sysctl.conf (Ubuntu ships it with comments only); systemd applies it as /etc/sysctl.d/99-sysctl.conf, i.e. after the distribution's own files, so these values take precedence:

sudo bash -c 'cat > /etc/sysctl.conf <<EOF
### NETWORK SECURITY ###

# IPv4 Settings
## TCP/IP SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

## Protection against spoofing attacks
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

## Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

## Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

## Ignore ICMP broadcasts (mitigate smurf attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

## Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

## TCP hardening
net.ipv4.tcp_rfc1337 = 1
## Disabling timestamps hides uptime leakage but also turns off PAWS and RTT estimation (RFC 7323); set to 1 if throughput matters more
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

### IPv6 SECURITY ###

## Disable IPv6 if not needed (comment out if IPv6 is required)
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1
# net.ipv6.conf.lo.disable_ipv6 = 1

## IPv6 security settings (if IPv6 is enabled)
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

### KERNEL SECURITY ###

## Memory protection
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
kernel.yama.ptrace_scope = 2
vm.mmap_min_addr = 65536
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16

## Core dumps
kernel.core_uses_pid = 1
fs.suid_dumpable = 0

## Address space layout randomization
kernel.randomize_va_space = 2

## File system hardening
fs.protected_fifos = 2
fs.protected_regular = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

## System panic settings: kernel.panic is the delay in seconds before rebooting after a panic;
## panic_on_oops is a boolean (0/1) that turns an oops into a panic
kernel.panic = 60
kernel.panic_on_oops = 1

### SYSTEM PERFORMANCE ###

## Virtual memory settings
vm.swappiness = 10
vm.dirty_ratio = 30
vm.dirty_background_ratio = 10

## File system settings
fs.file-max = 65535
fs.inotify.max_user_watches = 524288

EOF'
# Apply sysctl settings; any key your kernel does not know is reported and skipped
sudo sysctl -p

# Spot-check a few values
sudo sysctl kernel.panic_on_oops net.ipv4.tcp_syncookies fs.suid_dumpable
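The sshd settings from Section 3 and the sysctl values above are easy to apply and just as easy to lose again to a later package upgrade or cloud-init drop-in, so it is worth having a repeatable check. The following script is an added example written for this guide, not part of the World Mobile documentation or tooling. It reads the effective settings from sshd -T and sysctl -a on the node (run it as root with --live) and reports every key whose value differs from what the guide sets. The expected values are taken from Sections 3 and 6.1; the script name, the subset of sysctl keys chosen, and the sample outputs it runs against without --live are constructed for illustration.

```shell
#!/bin/sh
# Added example for this guide: audit the live sshd and kernel settings against the
# values Sections 3 and 6.1 are meant to set. Run as root with --live on the node;
# without --live it runs against constructed sample data so the logic can be checked offline.

# Expected sshd settings (Section 3), spelled the way `sshd -T` prints them: lowercase key, then value.
SSHD_EXPECTED='permitrootlogin no
passwordauthentication no
x11forwarding no
permituserenvironment no
allowusers eno'

# Expected kernel settings (a subset of Section 6.1), as "key value".
SYSCTL_EXPECTED='net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
kernel.kptr_restrict 2
kernel.dmesg_restrict 1
kernel.randomize_va_space 2
fs.protected_symlinks 1
fs.suid_dumpable 0'

# Constructed sample data (not captured from a real host). The sshd sample still has
# password authentication on; the sysctl sample has one wrong value and one missing key.
SAMPLE_SSHD='port 22
permitrootlogin no
passwordauthentication yes
x11forwarding no
permituserenvironment no
allowusers eno
subsystem sftp /usr/lib/openssh/sftp-server'

SAMPLE_SYSCTL='net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
kernel.kptr_restrict 1
kernel.dmesg_restrict 1
kernel.randomize_va_space 2
fs.protected_symlinks 1'

# audit_pairs EXPECTED ACTUAL
# Both arguments are newline-separated "key value" lines; ACTUAL may contain extra keys.
# Prints one line per expected key whose value differs or is missing.
audit_pairs() {
  printf '%s\n' "$1" | while read -r key want; do
    [ -n "$key" ] || continue
    # Take the first line of ACTUAL whose first field equals the key, minus that field.
    got=$(printf '%s\n' "$2" | awk -v k="$key" '$1 == k { sub(/^[^ ]+ +/, ""); print; exit }')
    [ "$got" = "$want" ] || printf '%s expected=%s actual=%s\n' "$key" "$want" "${got:-<unset>}"
  done
}

# count_mismatches EXPECTED ACTUAL -> number of mismatching keys (0 means compliant).
count_mismatches() {
  audit_pairs "$1" "$2" | awk 'END { print NR }'
}

# audit_section NAME EXPECTED ACTUAL -> human-readable report; exit status 0 only when compliant.
audit_section() {
  report=$(audit_pairs "$2" "$3")
  if [ -z "$report" ]; then
    printf '%s: ok\n' "$1"
    return 0
  fi
  printf '%s: NOT compliant\n%s\n' "$1" "$report"
  return 1
}

if [ "${1:-}" = "--live" ]; then
  # sshd -T prints the effective configuration (needs root); sysctl -a prints "key = value".
  audit_section sshd "$SSHD_EXPECTED" "$(sshd -T 2>/dev/null)" || :
  audit_section sysctl "$SYSCTL_EXPECTED" "$(sysctl -a 2>/dev/null | sed 's/ = / /')" || :
else
  audit_section 'sample sshd' "$SSHD_EXPECTED" "$SAMPLE_SSHD" || :
  audit_section 'sample sysctl' "$SYSCTL_EXPECTED" "$SAMPLE_SYSCTL" || :
fi
```

Comparing against sshd -T rather than against the config file is deliberate: it reports what sshd will actually enforce after all Include files and defaults are merged, which is what matters if a drop-in with a lower sort order later re-enables password logins. Run it from cron or after every apt upgrade and treat any non-zero exit from audit_section as a finding.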

6.2 Configure Swap Memory

Create and configure a 2GB swap file:

# Create and initialize swap file
sudo dd if=/dev/zero of=/swapfile bs=1M count=2048 status=progress
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

# Make swap permanent (the grep guard keeps the entry from being duplicated if this step is re-run)
grep -q '^/swapfile ' /etc/fstab || echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

# Verify swap is active
sudo swapon --show

6.3 Secure Shared Memory

Mount shared memory with noexec, nosuid and nodev, so that an attacker who can write there cannot execute a payload or stage a device node or setuid binary from it. Do not mount it read-only: many programs (PostgreSQL, browsers, container runtimes) need writable shared memory, and a read-only mount breaks them. On current Ubuntu, /run/shm is a symlink to /dev/shm, so the mount point to configure is /dev/shm:

# Backup fstab
sudo cp /etc/fstab /etc/fstab.backup

# Add secure shared memory configuration (guarded against duplicate entries)
grep -q ' /dev/shm ' /etc/fstab || echo 'tmpfs   /dev/shm   tmpfs   defaults,noexec,nosuid,nodev   0 0' | sudo tee -a /etc/fstab

# Apply now (remount picks the options up from fstab) and verify them
sudo mount -o remount /dev/shm
findmnt /dev/shm

7: Time Sync

Why is Time Synchronization Important?

Accurate timekeeping ensures proper logging, avoids certificate and authentication issues, and keeps the system consistent. Chrony synchronizes faster and more reliably than the classic ntpd implementation, especially on virtualized or intermittently connected hosts.

7.1 Install Chrony

sudo apt update
sudo apt install -y chrony

7.2 Configure Chrony

sudo bash -c 'cat > /etc/chrony/chrony.conf <<EOF
# Pools of NTP servers. The Cloudflare pool uses Network Time Security (NTS, chrony 4.0+),
# which authenticates the server so an on-path attacker cannot feed the node false time.
pool time.google.com       iburst minpoll 4 maxpoll 8 maxdelay 0.3 maxsources 3
pool time.cloudflare.com   iburst minpoll 4 maxpoll 8 maxdelay 0.3 maxsources 3 nts
pool ntp.ubuntu.com        iburst minpoll 4 maxpoll 8 maxdelay 0.3 maxsources 3

# Directory where NTS keys and cookies are saved across restarts
ntsdumpdir /var/lib/chrony

# Symmetric-key file (unused unless keys are configured)
keyfile /etc/chrony/chrony.keys

# Drift file for storing clock frequency variations
driftfile /var/lib/chrony/chrony.drift

# Log directory
logdir /var/log/chrony

# Rate-limit responses to NTP clients; only relevant if an allow directive is added later,
# as this node serves no clients by default
ratelimit interval 3 burst 8

# Reject a measurement if the estimated skew error exceeds 100 ppm
maxupdateskew 100.0

# Keep the hardware RTC in sync with the system clock
rtcsync

# Step the clock if the offset exceeds 1 second during the first 3 updates; slew afterwards
makestep 1.0 3

# Act as a stratum-10 local reference if every source becomes unreachable
local stratum 10

EOF'

7.3 Enable and Verify Chrony

# Enable and restart service
sudo systemctl enable chrony.service
sudo systemctl restart chrony.service

# Verify synchronization: "Leap status : Normal" in tracking means the clock is synced;
# authdata shows which sources are authenticated (Mode NTS) and which are not (Mode -)
chronyc tracking
chronyc sources -v
chronyc authdata

8: JSON Web Token (JWT)

What is a JWT?

8.1 How to safely generate a JWT for your Earth Node

8.2 How to store your JWT


Common issues and solutions

Frequently Asked Questions