Introduction
This guide gives complete, step-by-step instructions for setting up a secure World Mobile Earth Node on the currently recommended software version. It covers both the initial setup and the ongoing maintenance procedures.
← Our official guide is available here.
Prerequisites
Operating an Earth Node on the World Mobile Chain requires the following skills and commitments:
Operational Requirements
- Node Management: Knowledge to set up, run, and maintain an Earth Node continuously.
- Commitment to Availability: Ensure your node operates 24/7/365.
Technical Skills
1. System Operation
- JSON: Understand JSON for configurations and APIs. What is JSON?
- Systemd Services: Manage services reliably. Guide
- Cron Jobs: Schedule recurring tasks. Setup guide
2. Server Administration
Deploy, configure, and maintain secure servers.
3. Networking Basics
Understand configurations, firewalls, and secure connections. Learn more
4. Server Hardening
Secure servers against vulnerabilities and follow best practices for cybersecurity.
Minimum Earth Node Hardware Requirements - TBC
- One server
- One air-gapped offline machine
- Operating System: Linux
- CPU & RAM: 2 cores, 4GB RAM, capable of running Docker + Linux
- Storage: 100GB free storage
- Earth Node NFT: Required in your wallet
Recommended Earth Node Hardware Requirements - TBC
- One server
- One air-gapped offline machine
- Operating System: Linux
- CPU & RAM: 2 cores, 4GB RAM, capable of running Docker + Linux
- Storage: 100GB free storage
- Earth Node NFT: Required in your wallet
Prerequisites
- Ubuntu installed
- Tailscale installed on your current machine.
- Set up 2FA with your identity provider (e.g., Yubikey or OTP for Google / Apple / GitHub).
- Install Tailscale on your machine: Follow this guide.
- Configure Tailscale settings:
  - Enable User Approval to require new users to be approved by admins before they can access the network.
  - Enable Device Approval to require admins to approve new devices before they can access the network.
  - Enable Auto-update Tailscale to automatically update new devices to the latest version.
What is Tailscale?
Tailscale is a lightweight, easy-to-use VPN solution that builds a secure, private network using WireGuard. It simplifies connectivity by allowing devices to communicate securely without complex configurations or additional hardware. Learn more here.
Placeholders
Throughout this guide, placeholders such as EN123 and server.public.ip.address are used. Replace these with:
- EN123: A unique and descriptive name for your server (e.g., earthnode01).
- server.public.ip.address: The public IP address of your server (e.g., 123.456.111.222).
1: Ubuntu
It's best practice to log in to your server using a non-root account to prevent accidental file deletions. Avoid routinely using the root account; instead, use su or sudo when elevated privileges are needed.
1.1 SSH to Your Server
Initial connection to set up the system (username is the account you were given for the first login):
ssh username@server.public.ip.address
# Example:
ssh username@123.456.111.222
1.2 Create a New User
Create a new user called eno that we'll use for all future access:
sudo useradd -m -s /bin/bash eno
sudo passwd eno
sudo usermod -aG sudo eno
1.2.1: Disable Shell Command History
To improve security, we will prevent command history from storing sensitive data.
# Apply system-wide settings
echo 'export HISTFILE=/dev/null' | sudo tee -a /etc/profile /etc/bash.bashrc
echo 'export HISTSIZE=0' | sudo tee -a /etc/profile /etc/bash.bashrc
echo 'export HISTFILESIZE=0' | sudo tee -a /etc/profile /etc/bash.bashrc
echo 'set +o history' | sudo tee -a /etc/profile /etc/bash.bashrc
# Clear history on logout for all users
echo 'history -c && history -w' | sudo tee -a /etc/bash.bash_logout
# Ensure all existing users' profiles are updated
for user in $(ls /home); do
echo 'export HISTFILE=/dev/null' | sudo tee -a /home/$user/.bashrc /home/$user/.profile
echo 'export HISTSIZE=0' | sudo tee -a /home/$user/.bashrc /home/$user/.profile
echo 'export HISTFILESIZE=0' | sudo tee -a /home/$user/.bashrc /home/$user/.profile
echo 'set +o history' | sudo tee -a /home/$user/.bashrc /home/$user/.profile
echo 'history -c && history -w' | sudo tee -a /home/$user/.bash_logout
done
# Clear any existing history for the current session
history -c && history -w
1.3 Deactivate the Root Account
Disable root login for security:
sudo passwd -l root
1.4 Set the Hostname
Name your host (replace EN123
with a descriptive name for your server):
# Step 1: Reset /etc/hostname
sudo nano /etc/hostname
# Replace the content with your desired hostname (e.g., EN123)
# Save and exit Nano: Press Ctrl + O, Enter, then Ctrl + X.
# Step 2: Reset /etc/hosts
sudo nano /etc/hosts
# Update the 127.0.1.1 line so the file reads:
127.0.0.1 localhost
127.0.1.1 EN123
# Save and exit (Ctrl + O, Enter, then Ctrl + X).
# Step 3: Apply the changes now. Running hostnamectl after the manual edits isn't strictly necessary, but it applies them immediately.
sudo hostnamectl set-hostname EN123 --static --pretty --transient
# Step 4: Test the configuration (-c 3 stops ping after three replies instead of running forever)
hostname
hostnamectl
ping -c 3 EN123
1.5 Update the System
Ensure all packages are up to date:
sudo apt-get update -y && sudo apt-get full-upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean
1.6 Install and Configure unattended-upgrades
Set up automatic security updates without automatic reboots.
# Install `unattended-upgrades`
sudo apt-get install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades # Say 'Yes' when prompted
# Configure Automatic Updates & Disable Auto Reboot
# The heredoc delimiter is quoted so that ${distro_codename} reaches the file literally;
# unattended-upgrades expands that macro itself. (A shell expression such as
# $(lsb_release -sc) is never evaluated inside this file and would match no origin.)
sudo tee /etc/apt/apt.conf.d/50unattended-upgrades << 'EOF'
Unattended-Upgrade::Origins-Pattern {
    "o=Ubuntu,a=${distro_codename}-security";   // Apply security updates
    "o=Ubuntu,a=${distro_codename}-updates";    // Apply recommended updates
};
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::SyslogEnable "true";
Unattended-Upgrade::Verbose "true";   // Enable logging of updates
EOF
# Confirm the file parses and see which packages would be upgraded, without changing anything
sudo unattended-upgrade --dry-run --debug
# Enable and Start the Service
sudo systemctl enable unattended-upgrades
sudo systemctl start unattended-upgrades
# Schedule a Weekly Full System Upgrade (No Reboots)
# Create the upgrade script (cron runs it as root with no terminal, so apt must never prompt)
sudo tee /etc/cron.weekly/system-upgrade << 'EOF'
#!/bin/bash
export DEBIAN_FRONTEND=noninteractive
apt-get update && apt-get dist-upgrade -y && apt-get autoremove -y && apt-get autoclean -y
echo "System upgrade completed. Please check if a reboot is required: sudo cat /var/run/reboot-required"
if [ -f /var/run/reboot-required ]; then
    echo "Reboot required: $(cat /var/run/reboot-required)"
fi
EOF
# Make the script executable
sudo chmod +x /etc/cron.weekly/system-upgrade
2: Tailscale
Tailscale is a lightweight, private VPN that simplifies securing your server.
2.1 Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
sudo systemctl enable --now tailscaled
2.2 Start and Authenticate Tailscale
# Start and authenticate Tailscale
sudo tailscale up --ssh
# Follow the steps on screen:
# - To authenticate, visit the link provided in the terminal.
# - To approve your machine, visit the admin panel link (if required).
# Verify Tailscale is running
tailscale status
# Fix DNS issues if "Tailscale failed to set the DNS configuration of your device" appears:
sudo chattr -i /etc/resolv.conf
sudo systemctl restart tailscaled
sudo chattr +i /etc/resolv.conf
# Verify Tailscale again
tailscale status
3: SSH
Configure SSH with hardened settings:
# Note: this replaces the whole file. The Ubuntu default also carries
# "Include /etc/ssh/sshd_config.d/*.conf" and "Subsystem sftp /usr/lib/openssh/sftp-server";
# without the latter, sftp (and scp on OpenSSH 9 and newer, which uses SFTP) will not work.
sudo tee /etc/ssh/sshd_config << EOF
# Core security
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PermitEmptyPasswords no
# User restrictions
AllowUsers eno
PermitUserEnvironment no
PermitUserRC no
X11Forwarding no
PermitTTY yes
StrictModes yes
EOF
# Validate the new configuration before restarting, so a typo cannot lock you out
sudo sshd -t && sudo systemctl restart sshd
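The check a practitioner wants before trusting the file above is not just that it parses but that the values sshd will actually use are the hardened ones. sshd keeps the first value it sees for a directive, so a `PasswordAuthentication yes` left by a cloud image near the top silently wins over a `no` appended later. The following audit script is an added example, not part of the guide or of any World Mobile tooling; the function names (`sshd_effective`, `sshd_audit`) and the two sample config files are assumptions constructed for the demonstration.

```shell
# Added example (not from the guide): audit an sshd_config for the directives
# set in section 3, using sshd's own first-wins rule and stopping at the first
# "Match" block, because values inside Match are conditional, not global.

# Directive=value pairs the audit requires (the section 3 settings).
SSHD_REQUIRED="PermitRootLogin=no PasswordAuthentication=no \
ChallengeResponseAuthentication=no PermitEmptyPasswords=no \
PermitUserEnvironment=no X11Forwarding=no AllowUsers=eno"

# sshd_effective FILE DIRECTIVE: print the value sshd would use for DIRECTIVE
# (keyword match is case-insensitive, like sshd), or nothing if it is unset.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[[:space:]]*#/ || NF == 0 { next }       # comments and blank lines
        tolower($1) == "match" { exit }            # global section ends here
        tolower($1) == want { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# sshd_audit FILE: print one FAIL line per directive that is missing or wrong;
# return 0 only when every required directive matches.
sshd_audit() {
    sshd_audit_rc=0
    for pair in $SSHD_REQUIRED; do
        directive="${pair%%=*}"
        want="${pair#*=}"
        got="$(sshd_effective "$1" "$directive")"
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: effective value "%s", want "%s"\n' \
                "$directive" "${got:-<unset>}" "$want"
            sshd_audit_rc=1
        fi
    done
    return "$sshd_audit_rc"
}

# Two constructed sample configs (not real files from any server).
SSHD_DEMO_DIR="$(mktemp -d)"
cat > "$SSHD_DEMO_DIR/weak.conf" <<'EOF'
# leftover from a cloud image
PasswordAuthentication yes
PermitRootLogin prohibit-password
# "hardening" appended later; sshd ignores these because earlier values win
PasswordAuthentication no
permitrootlogin no
EOF
cat > "$SSHD_DEMO_DIR/hardened.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PermitEmptyPasswords no
AllowUsers eno
PermitUserEnvironment no
PermitUserRC no
X11Forwarding no
PermitTTY yes
StrictModes yes
EOF

# Real usage on the node:  sshd_audit /etc/ssh/sshd_config
for f in weak hardened; do
    echo "== $f.conf"
    sshd_audit "$SSHD_DEMO_DIR/$f.conf" && echo "OK: all required directives present"
done
```

The audit reads the file directly, so it runs without root and without sshd installed; on the node itself, `sudo sshd -T | grep -i passwordauthentication` gives the same answer from sshd's own parser and is the final word if the two ever disagree.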
4.1 Test Tailscale SSH
Open a new terminal and connect using Tailscale:
ssh eno@EN123
4.2 Set Default Firewall Rules
Configure UFW to only allow Tailscale traffic:
# Reset to a clean slate (skip if you need to keep existing rules):
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow in on tailscale0
sudo ufw enable
4.4 Test Original SSH Method
Verify that direct SSH access over the public IP is now blocked:
ssh username@server.public.ip.address
The connection should time out, indicating the firewall is correctly configured.
6: System
6.1 System Control Settings
Write /etc/sysctl.conf with the following performance and security settings:
sudo bash -c 'cat > /etc/sysctl.conf <<EOF
### NETWORK SECURITY ###
# IPv4 Settings
## TCP/IP SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
## Protection against spoofing attacks
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
## Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
## Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
## Ignore ICMP broadcasts (mitigate smurf attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
## Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
## TCP hardening
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
### IPv6 SECURITY ###
## Disable IPv6 if not needed (comment out if IPv6 is required)
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1
# net.ipv6.conf.lo.disable_ipv6 = 1
## IPv6 security settings (if IPv6 is enabled)
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
### KERNEL SECURITY ###
## Memory protection
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
kernel.yama.ptrace_scope = 2
vm.mmap_min_addr = 65536
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
## Core dumps
kernel.core_uses_pid = 1
fs.suid_dumpable = 0
## Address space layout randomization
kernel.randomize_va_space = 2
## File system hardening
fs.protected_fifos = 2
fs.protected_regular = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
## System panic settings (reboot 60 seconds after a panic; treat a kernel oops as a panic)
kernel.panic = 60
kernel.panic_on_oops = 1
### SYSTEM PERFORMANCE ###
## Virtual memory settings
# Minimise swapping (swap itself is removed in section 6.2). Keep comments on their
# own line: sysctl passes everything after "=" to the kernel, trailing comment included.
vm.swappiness = 0
vm.dirty_ratio = 20
vm.dirty_background_ratio = 5
## File system settings
fs.file-max = 1048576
fs.inotify.max_user_watches = 1048576
EOF'
# Apply the new sysctl settings
sudo sysctl -p
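`sysctl -p` reports a key the kernel rejects outright, but it says nothing about a value that is accepted and then clamped (vm.mmap_rnd_bits above the architecture's maximum, for instance) or about a key that simply does not exist because an LSM such as Yama is not built in. The drift check below is an added example, not part of the guide; `sysctl_kv`, `sysctl_drift` and the two sample files are constructed for the demonstration. It works because the configuration file and the output of `sysctl -a` share the same `key = value` format.

```shell
# Added example (not from the guide): compare the sysctl values you configured
# with the values the running kernel actually holds.

# sysctl_kv FILE: print "key value" lines with comments removed and whitespace
# normalised; a repeated key keeps its last value, as sysctl applies in order.
sysctl_kv() {
    awk -F'=' '
        /^[[:space:]]*[#;]/ || NF == 0 { next }
        NF >= 2 {
            key = $1
            val = substr($0, index($0, "=") + 1)
            sub(/#.*/, "", val)                      # sysctl itself would hand a trailing comment to the kernel
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub(/[[:space:]]+/, " ", val)           # sysctl -a prints tabs inside multi-value keys
            seen[key] = val
        }
        END { for (k in seen) print k, seen[k] }
    ' "$1"
}

# sysctl_drift DESIRED ACTUAL: for every key in DESIRED report DRIFT (value
# differs) or MISSING (key absent from ACTUAL); return 1 if anything was
# reported, 0 when the live kernel matches the configuration.
sysctl_drift() {
    {
        sysctl_kv "$1" | sed 's/^/D /'
        sysctl_kv "$2" | sed 's/^/A /'
    } | awk '
        { tag = $1; key = $2; $1 = ""; $2 = ""; sub(/^ +/, "") }
        tag == "D" { want[key] = $0; order[++n] = key }
        tag == "A" { have[key] = $0 }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have)) {
                    printf "MISSING %s: not exposed by the running kernel\n", k; rc = 1
                } else if (have[k] != want[k]) {
                    printf "DRIFT %s: configured \"%s\", running \"%s\"\n", k, want[k], have[k]; rc = 1
                }
            }
            exit rc
        }'
}

# Constructed sample: a slice of the section 6.1 configuration ...
SYSCTL_DEMO_DIR="$(mktemp -d)"
cat > "$SYSCTL_DEMO_DIR/desired.conf" <<'EOF'
# slice of /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
kernel.yama.ptrace_scope = 2
vm.mmap_rnd_bits = 32
fs.suid_dumpable = 0
vm.swappiness = 0 # stray trailing comment, stripped by the parser
EOF
# ... and a constructed `sysctl -a` snapshot from a kernel that clamped
# vm.mmap_rnd_bits to 28 and has no Yama LSM, so kernel.yama.ptrace_scope is absent.
cat > "$SYSCTL_DEMO_DIR/live.txt" <<'EOF'
fs.suid_dumpable = 0
kernel.panic = 60
kernel.randomize_va_space = 2
net.ipv4.tcp_syncookies = 1
vm.mmap_rnd_bits = 28
vm.swappiness = 0
EOF

# Real usage on the node:
#   sudo sysctl -a 2>/dev/null > /tmp/live.txt && sysctl_drift /etc/sysctl.conf /tmp/live.txt
sysctl_drift "$SYSCTL_DEMO_DIR/desired.conf" "$SYSCTL_DEMO_DIR/live.txt" && echo "no drift"
```

Run it once after `sysctl -p` and again from a cron job: a value that is correct now but differs after the next reboot is the classic symptom of a second file under /etc/sysctl.d/ overriding /etc/sysctl.conf.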
6.1.1: Disable Core Dumps for Security
To prevent potential exposure of sensitive memory contents, core dumps will be disabled system-wide and for systemd services.
# Disable core dumps system-wide
echo "* hard core 0" | sudo tee -a /etc/security/limits.conf
echo "* soft core 0" | sudo tee -a /etc/security/limits.conf
echo "fs.suid_dumpable = 0" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Apply to systemd services
sudo mkdir -p /etc/systemd/system.conf.d
sudo tee /etc/systemd/system.conf.d/nocoredump.conf << EOF
[Manager]
DefaultLimitCORE=0
EOF
sudo systemctl daemon-reexec
6.2 Remove Swap Memory
To prevent sensitive data from being paged to disk, we disable swap permanently.
# Disable and remove all swap (both file and partition-based)
sudo swapoff -a
sudo rm -f /swapfile
sudo sed -i '/swap/d' /etc/fstab
sudo systemctl daemon-reexec
6.3 Secure Shared Memory
Add secure shared memory configuration:
# Backup fstab
sudo cp /etc/fstab /etc/fstab.backup
# Add secure shared memory configuration
sudo tee -a /etc/fstab << EOF
tmpfs /run/shm tmpfs ro,noexec,nosuid 0 0
EOF
7: Time Sync
Why is Time Synchronization Important?
Accurate timekeeping ensures proper logging, avoids certificate and authentication issues, and maintains system consistency. Chrony offers faster, more reliable synchronization than traditional NTP, even in unstable network environments.
7.1 Install Chrony
sudo apt update
sudo apt install -y chrony
7.2 Configure Chrony
sudo bash -c 'cat > /etc/chrony/chrony.conf <<EOF
# Pool of NTP servers
pool time.google.com iburst minpoll 4 maxpoll 8 maxdelay 0.3 maxsources 3
pool time.cloudflare.com iburst minpoll 4 maxpoll 8 maxdelay 0.3 maxsources 3
pool ntp.ubuntu.com iburst minpoll 4 maxpoll 8 maxdelay 0.3 maxsources 3
# Authentication key file
keyfile /etc/chrony/chrony.keys
# Drift file for storing clock frequency variations
driftfile /var/lib/chrony/chrony.drift
# Log directory
logdir /var/log/chrony
# Rate limiting - prevent DDoS/abuse
ratelimit interval 3 burst 8
# Prevent large clock adjustments that could affect system stability
maxupdateskew 100.0
# Enable kernel RTC synchronization
rtcsync
# Step clock if offset is larger than 1 second for first 3 updates
makestep 1.0 3
# Serve time even if not synchronized
local stratum 10
EOF'
7.3 Enable and Verify Chrony
# Restart and enable service
sudo systemctl restart chrony.service
sudo systemctl enable chrony.service
# Verify synchronization
chronyc tracking
chronyc sources -v
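`chronyc tracking` is easy to eyeball once, but a node that must stay up 24/7/365 needs the same check repeated by a cron job or a monitoring probe. The script below is an added example, not part of the guide or of chrony; the function `chrony_check` and the three tracking reports are constructed for the demonstration (the report layout follows what chronyc prints, the values are made up). It fails when chronyd reports it is not synchronised, when the offset from NTP time exceeds a threshold, and, specific to the `local stratum 10` line in the configuration above, when the stratum has fallen back to 10, which means chronyd is serving its own free-running clock rather than a real upstream source.

```shell
# Added example (not from the guide): turn `chronyc tracking` into a pass/fail
# health check. Reads the tracking report on stdin.
#   chrony_check [MAX_OFFSET_SECONDS] [LOCAL_STRATUM]
# Prints one UNHEALTHY line per problem (or one OK line) and returns 1 or 0.
chrony_check() {
    awk -v max="${1:-0.1}" -v localstratum="${2:-10}" '
        /^Leap status/  { leap = $0; sub(/^[^:]*:[[:space:]]*/, "", leap) }
        /^Stratum/      { stratum = $3 }
        /^System time/  { offset = $4 }   # "System time : 0.0001 seconds fast of NTP time"
        END {
            rc = 0
            if (leap != "Normal") {
                printf "UNHEALTHY leap status is \"%s\"\n", leap; rc = 1
            }
            if (stratum + 0 == 0 || stratum + 0 >= localstratum + 0) {
                printf "UNHEALTHY stratum %s: no real upstream source selected\n", stratum; rc = 1
            }
            if (offset + 0 > max + 0) {
                printf "UNHEALTHY offset %s s exceeds %s s\n", offset, max; rc = 1
            }
            if (rc == 0) printf "OK stratum %s, offset %s s\n", stratum, offset
            exit rc
        }'
}

# Constructed tracking reports (chronyc layout, made-up values).
# Healthy: synchronised to a stratum-1 server, tiny offset.
CHRONY_SAMPLE_OK='Reference ID    : D8EF2300 (time1.google.com)
Stratum         : 2
Ref time (UTC)  : Thu Jan 01 00:00:00 2025
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000010000 seconds
RMS offset      : 0.000050000 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.050 ppm
Root delay      : 0.010000000 seconds
Root dispersion : 0.001000000 seconds
Update interval : 64.5 seconds
Leap status     : Normal'

# No source reachable yet: chronyd has never synchronised.
CHRONY_SAMPLE_UNSYNC='Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'

# All sources lost after a good run: the "local stratum 10" fallback has taken
# over, so the report still says Normal while the clock is free-running.
CHRONY_SAMPLE_LOCAL='Reference ID    : 7F7F0101 ()
Stratum         : 10
System time     : 0.045000000 seconds slow of NTP time
Leap status     : Normal'

# Real usage on the node:  chronyc tracking | chrony_check 0.1
for s in "$CHRONY_SAMPLE_OK" "$CHRONY_SAMPLE_UNSYNC" "$CHRONY_SAMPLE_LOCAL"; do
    printf '%s\n' "$s" | chrony_check 0.1 || echo "  -> check failed"
done
```

The 0.1 s default is an assumption for a node whose main need is consistent log timestamps and valid certificates; tighten it if the application you run is more sensitive to clock error.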