What's new

HowTo setup masternode or staker wallet behind Tor

boldsuck

New Pivian
I run server as a hobby and English is not my native language. Improvements and help is welcome.
There are many ways to do everything on UNIX systems. This is one of them. Use at your own risk!
(This is a work in process. I will do the Tor setup again. Tor multiple instances vs. one Tor process and multiple pivxd mn.) Last Edit: 12.10.2020 - PIVX v4.3.0
1. We need a VPS or bare metal root server.
And one IPv4 or IPv6 per master node! In this example, 2 IPv4 and 2 IPv6 are dual stack. Adding more IP's & masternodes should be self-explanatory.
Examples are for Debian or debian derivatives. (Ubuntu, etc.)

2. Generate a strong SSH key with a passphrase. (On your machine at home):
~$ ssh-keygen -t rsa -b 4096 -o -a 100 # Very compatible.
~$ ssh-keygen -o -a 100 -t ed25519 # Recommended! Faster in authentication & very secure.

Let's go, login to your server and configure some basic security:
~$ ssh [email protected]

Change the root password after the first login!
~$ passwd

Create a user for every masternode: (Only one user needs SSH key login.)
(Replace '$USER' with your desired username in all example commands. I have used user and pivx in all of the examples.)
~$ adduser user
~$ adduser pivx

Open a second terminal on your machine at home and copy your public SSH key to the server:
~$ ssh-copy-id -p 22 [email protected]
user@home2ndterninal:~$ ssh-copy-id -p 22 [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh -p '22' '[email protected]"
and check to make sure that only the key(s) you wanted were added.

user@home2ndterninal:~$ ssh -p '22' '[email protected]'
Enter passphrase for key '/home/user/.ssh/id_ed25519':
Linux localhost 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[email protected]:~$ exit
If the user login works with the SSH key then you can close the 2nd terminal.
~$ exit

To verify in the 1st terminal :
~$ grep "Accepted publickey for user" /var/log/auth.log

Every next time you log in, you will be asked for your SSH key passphrase:
No more password is sent over the network! You enter the password for your private SSH key that is on your laptop.
(Using the -p <port> option is not nessessary for default SSH port 22)
~$ ssh [email protected]
On your machine at home you can set up an alias for lazy SSH logins in .bashrc
Example: ( alias mn1='ssh [email protected]' )
Then you just have to type 'mn1' into the terminal to connect to the server ;-)
On a private computer which you trust 'SSH-AskPass' is your friend.
Switch to root:
(If sudo is set up later we can put 'sudo' before every command and no longer have to work as root)
Use 'su -' since Debian Buster! I've added an alias to user's .bashrc to avoid making mistakes. ( alias su='su -' )
~$ su -

Back in the 1st terminal change or add the following sshd default settings: (reminder replace 'user')
~$ nano /etc/ssh/sshd_config
save a file = [CTRL]+O
quit the editor = [CTRL]+X
Code:
# Authentication:
AllowUsers user
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no

~$ service sshd reload # Reload will not drop existing connections.


In case you want to change the hostname:
~$ hostname hostname.domain.tld
~$ nano /etc/hostname
~$ nano /etc/hosts

Most hosters have only one IPv4 preconfigured. Configure IPv6 and possibly other IPv4.
~$ cp /etc/network/interfaces /etc/network/interfaces.bak # save the current config first!
~$ nano /etc/network/interfaces
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback
#iface lo inet6 loopback

# The primary network interface      Attention! Adjust interface name: enp2s0
allow-hotplug enp2s0
iface enp2s0 inet static
    address 203.0.113.11
    netmask 255.255.255.255
    gateway 203.0.113.1
        up   ip addr add 203.0.113.12/32 dev enp2s0 label enp2s0:0
        down ip addr del 203.0.113.12/32 dev enp2s0 label enp2s0:0
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 127.0.0.1 ns1-provider ns2-provider
        dns-search your-domain.tld

iface enp2s0 inet6 static
# If you're lucky, provider specifies IPv6 2001:db8:abc:a00/64 and gateway 2001:db8:abc:a00::1 or often gateway fe80::1. Than that's enough:
        #address 2001:db8:abc:a00::2
        #netmask 64
        #gateway 2001:db8:abc:a00::1  or  gateway fe80::1
        #up   ip -6 addr add 2001:db8:abc:a00::3/64 dev enp2s0
        #down ip -6 addr del 2001:db8:abc:a00::3/64 dev enp2s0
        #dns-nameservers ::1 ipv6-ns1-provider ipv6-ns2-provider

## But IPv6 and gateway are often in different subnets. For newbies, I think one of the most common pitfalls with IPv6:
## Provider specifies IPv6 2001:db8:abc:a09/64 and gateway 2001:db8:abc:a00::1 (Notice diff. subnets :a09 und :a00)
        address 2001:db8:abc:a09::2
        netmask 64
        up   ip -6 addr add 2001:db8:abc:a09::3/64 dev enp2s0
        post-up  ip -6 route add 2001:db8:abc:a00::1 dev enp2s0
        post-up  ip -6 route add default via 2001:db8:abc:a00::1
        pre-down ip -6 route del default via 2001:db8:abc:a00::1
        pre-down ip -6 route del 2001:db8:abc:a00::1 dev enp2s0
        down ip -6 addr del 2001:db8:abc:a09::3/64 dev enp2s0
        dns-nameservers ::1 ipv6-ns1-provider ipv6-ns2-provider

Update software:
~$ apt update && apt full-upgrade
We need these packages:
(apt has been https capable since Debian 10 (buster) & apt-transport-https is only a dummy.)
~$ apt install lsb-release gpg wget apt-transport-https

Add official Tor repository:
~$ echo "deb https://deb.torproject.org/torproject.org `lsb_release -cs` main" >> /etc/apt/sources.list
And add the repo key:
~$ wget -O - https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | apt-key add -

Reread software package lists:
~$ apt update
Install missing software:
~$ apt install deb.torproject.org-keyring tor nyx tor-geoipdb tor-instances unattended-upgrades apt-listchanges sudo fail2ban iptables-persistent unbound ntp

Add one '$USER' account to the sudo group:
~$ usermod -aG sudo user

Configure automatic updates:
cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades

Configure unbound validating, recursive, caching DNS resolver:
~$ mv /etc/resolv.conf.bak
~$ nano /etc/resolv.conf
If unbound is installed, we only need this one line:
nameserver 127.0.0.1

Configure firewall (Examples, adjust IPs and Ports):
~$ nano /etc/iptables/rules.v4
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

## Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0.
-A INPUT -i lo -j ACCEPT

## Allow incoming SSH, only on one IP:
-A INPUT -p tcp -d 203.0.113.11 --dport 22 -j ACCEPT

## Allow Tor-Bridge ORPort, ListenAddr:
#-A INPUT -p tcp -d 203.0.113.11 --dport 443 -j ACCEPT
#-A INPUT -p tcp -d 203.0.113.11 --dport 80 -j ACCEPT
## Allow pivxd-1:
-A INPUT -p tcp -d 203.0.113.11 --dport 51472 -j ACCEPT
## Allow pivxd-2:
-A INPUT -p tcp -d 203.0.113.12 --dport 51472 -j ACCEPT

## ratelimit ICMP echo, allow all others
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT

## to log denied packets uncomment this line
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

COMMIT

~$ nano /etc/iptables/rules.v6
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

## Allows all loopback (lo0) traffic and drop all traffic to ::1/128 that doesn't use lo0
-A INPUT -i lo -j ACCEPT

## Allow incoming SSH, only on one IP:
-A INPUT -p tcp -d 2001:db8:abc:a09::2 --dport 22 -j ACCEPT

## Allow Tor-Bridge ORPort, ListenAddr:
#-A INPUT -p tcp -d 2001:db8:abc:a09::2 --dport 443 -j ACCEPT
#-A INPUT -p tcp -d 2001:db8:abc:a09::2 --dport 80 -j ACCEPT
## Allow pivxd-1:
-A INPUT -p tcp -d 2001:db8:abc:a09::2 --dport 51472 -j ACCEPT
## Allow pivxd-2:
-A INPUT -p tcp -d 2001:db8:abc:a09::3 --dport 51472 -j ACCEPT

## ratelimit ICMP echo, allow all others
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT

## to log denied packets uncomment this line
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

COMMIT

~$ chmod 600 /etc/iptables/rules.v4
~$ chmod 600 /etc/iptables/rules.v6
~$ iptables-restore < /etc/iptables/rules.v4
~$ ip6tables-restore < /etc/iptables/rules.v6

Adjust interface name: enp2s0. Reliable, or you must push the 'virtual' power button!
On VPS systems mostly eth0
~$ /etc/init.d/networking restart; ifup enp2s0
or
~$ reboot

Create 2 or more Tor instances:
~$ systemctl stop tor
installs a helper script on a Debian or Ubuntu system. On other distributions you have to do all of this by hand what this script does!
~$ tor-instance-create 00
~$ tor-instance-create 01
~$ ...
~$ systemctl enable tor@00
~$ systemctl enable tor@01
~$ ...
~$ systemctl mask tor@default

Configure Tor instances:
I list the config for 2 Tor instances here. So that the difference to the default settings can be seen. The 3rd to the nth instance should then be clear.
I have commented out some useful options that I use.
~$ nano /etc/tor/instances/00/torrc
Code:
# This is the tor configuration file for tor instance 00.
#
# To start/reload/etc this instance, run "systemctl start tor@00" (or reload, or..).
# This instance will run as user _tor-00; its data directory is /var/lib/tor-instances/00.

## ControlPort and authentication cookie for tor-arm, nyx, pivxd
## Start nyx: ~$ nyx -i 9051
## Hint: alias to user's .bashrc ( alias nyx00='nyx -i 9051' )
ControlPort 9051
#CookieAuthentication 1

## Tor opens a socks proxy on port 9050 by default -- even if you don't configure one below.
SocksPort 9050
## SocksPort flag: OnionTrafficOnly
## Tell the tor client to only connect to .onion addresses in response to SOCKS5 requests on this connection.
## This is equivalent to NoDNSRequest, NoIPv4Traffic, NoIPv6Traffic.
#SocksPort 9050 OnionTrafficOnly

## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
SocksPolicy accept 127.0.0.1
SocksPolicy reject *

## Tor will reject application connections that use unsafe variants of the socks protocol
## -- ones that only provide an IP address, meaning the application is doing a DNS resolve first.
## Specifically, these are socks4 and socks5 when not doing remote DNS.
#SafeSocks 1

## Tor will make a notice-level log entry for each connection to the Socks port indicating
## whether the request used a safe socks protocol or an unsafe one (see above entry on SafeSocks).
## This helps to determine whether an application using Tor is possibly leaking DNS requests.
#TestSocks 1

## A list of preferred nodes to use for the first hop in the circuit, if possible.
#EntryNodes $fingerprint,$fingerprint,...
## A list of preferred nodes to use for the last hop in the circuit, if possible. (Hint: OnionTraffic don't exit Tor network)
#ExitNodes $fingerprint,$fingerprint,...
## A list of nodes to never use when building a circuit.
#ExcludeNodes Unnamed,default
## A list of nodes to never use when picking an exit. Nodes listed in ExcludeNodes are automatically in this list.
#ExcludeExitNodes $fingerprint,$fingerprint,..
#StrictNodes 1

#ClientUseIPv6 1
LongLivedPorts 51472
# Default: 21, 22, 706, 1863, 5050, 5190, 5222, 5223, 6523, 6667, 6697, 8300

~$ nano /etc/tor/instances/01/torrc
Code:
# This is the tor configuration file for tor instance 01.
#
# To start/reload/etc this instance, run "systemctl start tor@01" (or reload, or..).
# This instance will run as user _tor-01; its data directory is /var/lib/tor-instances/01.

## ControlPort and authentication cookie for tor-arm, nyx, pivxd
## Start nyx: ~$ nyx -i 9052
## Hint: alias to user's .bashrc ( alias nyx01='nyx -i 9052' )
ControlPort 9052
#CookieAuthentication 1

## Tor opens a socks proxy on port 9050 by default -- even if you don't configure one below.
SocksPort 9150
## SocksPort flag: OnionTrafficOnly
## Tell the tor client to only connect to .onion addresses in response to SOCKS5 requests on this connection.
## This is equivalent to NoDNSRequest, NoIPv4Traffic, NoIPv6Traffic.
#SocksPort 9150 OnionTrafficOnly

## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
SocksPolicy accept 127.0.0.1
SocksPolicy reject *

## Tor will reject application connections that use unsafe variants of the socks protocol
## -- ones that only provide an IP address, meaning the application is doing a DNS resolve first.
## Specifically, these are socks4 and socks5 when not doing remote DNS.
#SafeSocks 1

## Tor will make a notice-level log entry for each connection to the Socks port indicating
## whether the request used a safe socks protocol or an unsafe one (see above entry on SafeSocks).
## This helps to determine whether an application using Tor is possibly leaking DNS requests.
#TestSocks 1

## A list of preferred nodes to use for the first hop in the circuit, if possible.
#EntryNodes $fingerprint,$fingerprint,...
## A list of preferred nodes to use for the last hop in the circuit, if possible.
#ExitNodes $fingerprint,$fingerprint,...
## A list of nodes to never use when building a circuit.
#ExcludeNodes Unnamed,default
## A list of nodes to never use when picking an exit. Nodes listed in ExcludeNodes are automatically in this list.
#ExcludeExitNodes $fingerprint,$fingerprint,..
#StrictNodes 1

#ClientUseIPv6 1
LongLivedPorts 51472
# Default: 21, 22, 706, 1863, 5050, 5190, 5222, 5223, 6523, 6667, 6697, 8300

~$ systemctl start tor@00
~$ systemctl start tor@01

To see if the tor daemon is running:
systemctl status _tor@00
systemctl status _tor@01
or '~$ journalctl -xe' to see if everything is ok
Nyx shows you detailed real-time information in color.

Download and set up the PIVX Core wallet

Get the latest release from: https://github.com/pivx-project/pivx/releases & adapt the version in the following examples!
You can use the following directories for this (/home/$user, /opt or /usr/local) I use here as an example:
/home/pivx/pivx-4.3.0

~$ su pivx
~$ cd /home/pivx
~$ wget https://github.com/PIVX-Project/PIVX/releases/download/v4.3.0/pivx-4.3.0-x86_64-linux-gnu.tar.gz
~$ wget https://github.com/PIVX-Project/PIVX/releases/download/v4.3.0/SHA256SUMS.asc

Verification of the binary files should be done prior to extracting, installing, or using the software!
~$ sha256sum -c SHA256SUMS.asc 2>&1 | grep OK

~$ tar -xvzf pivx-4.3.0-x86_64-linux-gnu.tar.gz
See details below at:
Installing Service Configuration: SPOILER="Hint: Service files"
~$ tar -zxvf /home/user/pivx-4.3.0-x86_64-linux-gnu.tar.gz --strip-components=1 -C pivx4
~$ tar -zxvf /home/pivx/pivx-4.3.0-x86_64-linux-gnu.tar.gz --strip-components=1 -C pivx4

Delete downloaded files. ( -i =Prompt before every removal. type 'y' and 'ENTER')
~$ rm -i pivx-4.3.0-x86_64-linux-gnu.tar.gz && rm -i SHA256SUMS.asc
~$ /home/pivx/pivx-4.3.0/bin/pivxd -daemon &

Install the PIVX Core wallet for each masternode.
I synchronize the blockchain on a masternode and do not load the snapshot.
It takes a few hours! You can copy them if several masternodes are set up.

Now, how to torify it:
But only when the blockchain is completely synchronized. The Tor network is slower and it creates unnecessary Tor traffic. All Tor relays are privately funded not by the Tor Project!
Notice: 3. Automatically listen on Tor

1. Essential: Adding both the user running Tor and the user running pivxd to the same group so that pivxd has the rights to use the Tor control port!
That's actually all, so that the pivxd (default config) automatically listen on Tor traffic (Debian default torrc config)
Example! (Replace user, pivx)
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli stop
~$ usermod -aG _tor-00 user
~$ usermod -aG _tor-01 pivx
~$ /home/pivx/pivx-4.3.0/bin/pivxd -daemon &

2. If everything works you will find your .onion address in the pivxd debug log ;-)
~$ grep "tor: Got service ID" /home/user/.pivx/debug.log
pivx@tor-proxy:~$ grep "tor: Got service ID" /home/pivx/.pivx/testnet4/debug.log
2020-09-29 22:28:27 tor: Got service ID vvitroeopey3h7i2, advertising service vvitroeopey3h7i2.onion:51474

This onion address is a real PIVX testnet node.

Configuration of your control wallet for Masternode and/or Staker wallet Cold Staking
You can do both at the same time from one controller wallet and your PIVX masternode can also do cold staking!
Read these instructions from the PIVX developers, admins or support staff:


~$ nano /home/user/.pivx/pivx.conf
Code:
## pivx.conf configuration file.
# Network-related settings:

# Run on the test network instead of the real pivx network.
#testnet=1

# Connect via a SOCKS5 proxy (default: 127.0.0.1:9050)
proxy=127.0.0.1:9050
#proxy=unix:/run/tor-instances/00/socks

# Use separate SOCKS5 proxy to reach peers via Tor hidden services (default: -proxy)
onion=127.0.0.1:9050

# Tor control port to use if onion listening enabled (default: 127.0.0.1:9051)
torcontrol=127.0.0.1:9051

# Listening mode, enabled by default except when 'connect' is being used
listen=1

# Maximum number of inbound+outbound connections. (default: 125)
maxconnections=256

# can be commented out if you use the service script
daemon=1

# Include IP addresses in debug output (default: 0)
#logips=1
# Prepend debug output with timestamp (default: 1)
#logtimestamps=1

# Bind to given address and always listen on it. Use [host]:port notation for IPv6
# TCP port: (default: 51472 or testnet: 51474)
bind=203.0.113.11
bind=[2001:db8:abc:a09::2]:51472
onlynet=onion
# replace with 'your .onion address'🔻
externalip=vvitroeopey3h7i2.onion

# Masternode options:

masternode=1
masternodeaddr=vvitroeopey3h7i2.onion:51472
masternodeprivkey=91v..............................................8K

#
# JSON-RPC options (for controlling a running Pivx/pivxd process)
#

# server=1 tells Pivx-QT to accept JSON-RPC commands,
# it is also read by pivxd to determine if RPC should be enabled.
server=1

# By default, only RPC connections from localhost are allowed.
# NOTE: opening up the RPC port to hosts outside your local trusted network is NOT RECOMMENDED,
# because the rpcpassword is transmitted over the network unencrypted.
#rpcallowip=[::1]
#rpcallowip=127.0.0.1

# If pivxd is run with the "-server" flag (set by default), and no rpcpassword is set, it will use a special cookie file for authentication.
#rpcuser=user
#rpcpassword=Mn1AkgiekiVe45bA

~$ nano /home/pivx/.pivx/pivx.conf
Code:
## pivx.conf configuration file.
# Network-related settings:

# Run on the test network instead of the real pivx network.
#testnet=1

# Connect via a SOCKS5 proxy (default: 127.0.0.1:9050)
proxy=127.0.0.1:9150
#proxy=unix:/run/tor-instances/00/socks

# Use separate SOCKS5 proxy to reach peers via Tor hidden services (default: -proxy)
onion=127.0.0.1:9150

# Tor control port to use if onion listening enabled (default: 127.0.0.1:9051)
torcontrol=127.0.0.1:9052

# Listening mode, enabled by default except when 'connect' is being used
listen=1

# Maximum number of inbound+outbound connections. (default: 125)
maxconnections=256

# can be commented out if you use the service script
daemon=1

# Include IP addresses in debug output (default: 0)
#logips=1
# Prepend debug output with timestamp (default: 1)
#logtimestamps=1

# Bind to given address and always listen on it. Use [host]:port notation for IPv6
# TCP port: (default: 51472 or testnet: 51474)
bind=203.0.113.12
bind=[2001:db8:abc:a09::2]:51472
onlynet=onion
# replace with 'your .onion address' 🔻
externalip=vvitroeopey3h7i2.onion

# Masternode options:

masternode=1
masternodeaddr=vvitroeopey3h7i2.onion:51472
masternodeprivkey=91v..............................................8K

#
# JSON-RPC options (for controlling a running Pivx/pivxd process)
#

# server=1 tells Pivx-QT to accept JSON-RPC commands,
# it is also read by pivxd to determine if RPC should be enabled.
server=1

# By default, only RPC connections from localhost are allowed.
# NOTE: opening up the RPC port to hosts outside your local trusted network is NOT RECOMMENDED,
# because the rpcpassword is transmitted over the network unencrypted.
#rpcallowip=[::1]
#rpcallowip=127.0.0.1

# If pivxd is run with the "-server" flag (set by default), and no rpcpassword is set, it will use a special cookie file for authentication.
#rpcuser=user
#rpcpassword=Mn1AkgiekiVe45bA

On the computer @ home with the Control wallet we have to put your .onion address in the masternode.conf.
You should also have installed and set up Tor @ home. ;) Remember: Tor and the user running pivxd must belong to the same group.
Example: mn1 vvitroeopey3h7i2.onion:51472 93HaYBVUCYjEMeeH1Y4sBGLALQZE1Yc1K64xiqgX37tGBDQL8Xg 2bcd3c84c84f87eaa86e4e56834c92927a07f9e18718810b92e0d0324456a67c 0

Installing Service Configuration:

~$ nano /lib/systemd/system/pivxd-00.service
Code:
# It is not recommended to modify this file in-place, because it will
# be overwritten during package upgrades. If you want to add further
# options or overwrite existing ones then use
# $ systemctl edit pivxd.service
# See "man systemd.service" for details.

# Note that almost all daemon options could be specified in
# /home/user/.pivx/pivx.conf

[Unit]
Description=PIVX daemon
After=network.target
Documentation=man:pivxd(1)

[Service]
ExecStart=/home/user/pivx4/bin/pivxd -daemon -datadir=/home/user/.pivx -conf=/home/user/.pivx/pivx.conf -pid=/run/pivxd-00/pivxd.pid
# Creates /run/pivxd-00 owned by user
RuntimeDirectory=pivxd-00
User=user
Type=forking
PIDFile=/run/pivxd-00/pivxd.pid
Restart=on-failure

# Hardening measures
####################

# Provide a private /tmp and /var/tmp.
PrivateTmp=true

# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full

# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true

# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true

# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target

~$ nano /lib/systemd/system/pivxd-01.service
Code:
# It is not recommended to modify this file in-place, because it will
# be overwritten during package upgrades. If you want to add further
# options or overwrite existing ones then use
# $ systemctl edit pivxd-01.service
# See "man systemd.service" for details.

# Note that almost all daemon options could be specified in
# /home/pivx/.pivx/pivx.conf

[Unit]
Description=PIVX daemon
After=network.target
Documentation=man:pivxd(1)

[Service]
ExecStart=/home/pivx/pivx4/bin/pivxd -daemon -datadir=/home/pivx/.pivx -conf=/home/pivx/.pivx/pivx.conf -pid=/run/pivxd-01/pivxd.pid
# Creates /run/pivxd-01 owned by pivx
RuntimeDirectory=pivxd-01
User=pivx
Type=forking
PIDFile=/run/pivxd-01/pivxd.pid
Restart=on-failure

# Hardening measures
####################

# Provide a private /tmp and /var/tmp.
PrivateTmp=true

# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full

# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true

# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true

# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target

Update systemd configuration:
~$ systemctl daemon-reload
This sets symlinks to our unit files. (/etc/systemd/system/multi-user.target.wants) This is specified in the unit file by WantedBy=multi-user.target
Multi-user.target is basically the closest equivalent of classic SysVinit runlevel 3.
Test them:
~$ systemctl start pivxd-00
~$ systemctl start pivxd-01
If successful enable for system startup:
~$ systemctl enable pivxd-00
~$ systemctl enable pivxd-01

With every wallet update the service files would have to be adjusted. That would be annoying.
That's why I install PIVX in the same folder 'pivx4' every time.
~$ tar -zxvf /home/user/pivx-4.3.0-x86_64-linux-gnu.tar.gz --strip-components=1 -C pivx4
The path in the service files above then corresponds accordingly:
ExecStart=/home/user/pivx4/bin/pivxd

Useful commands:
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli getnetworkinfo
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli getmasternodestatus
Sometimes the masternode cannot be started from the controller wallet. You can also enter this command directly on the masternode:
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli startmasternode local false

~$ /home/pivx/pivx-4.3.0/bin/pivx-cli liststakingaddresses
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli listdelegators
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli getstakingstatus
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli getcoldstakingbalance
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli listcoldutxos

~$ fail2ban-client status sshd
~$ fail2ban-client set sshd banip 123.123.123.123
~$ fail2ban-client set sshd unbanip 123.123.123.123
# List how often has an IP been blocked:
~$ awk '($(NF-1) = /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n

~$ iptables -S -v
~$ ip6tables -S -v
~$ iptables -L -v
~$ ip6tables -L -v

Other useful packages:
~$ apt install man htop nullmailer logcheck logcheck-database

Intel & AMD CPUs support a native AES crypto acceleration. You can check if AES-NI is enabled:
~$ cat /proc/cpuinfo | grep aes

If your server has IPMI, you can activate it yourself in the BIOS ;-)
 
Last edited:
At the beginning, you state;

We need a VPN or bare metal root server.

I think you mean VPS.


In the file, nano /etc/iptables/rules.v4 , there is this reference.

the.ser.ver.ip2

Is that the server of where I am connecting from via SSH, or the VPS server? I am actually running a bare metal server, and it is on the LAN. So, is the IP I need to enter the public IP (WAN) or internal network IP (LAN)?

Do you have instructions for Fedora? I know Debian well, but prefer to stick with Fedora on this machine.
 
Probably best to leave Firewall and SSH access details, and PIVX installation to another Tutorial to make this one more clear.

Every set of instructions I see on the web to run multiple instances of Tor for multiple MN daemons, are extremely different. I'm sure everyone runs into that issue.

Should be organized like this:

Step 1: Installing Tor.

Step 2: Testing Tor installation.

Step 3: Configuring Tor for 2 instances.

Step 4: Testing 2 Tor instances running at the same time.

Step 5: Preparing Data Directories for each PIVX instance.

Step 6: Preparing Masternode.conf on controller wallet.

Step 7: Starting 2 instances of PIVX over Tor.

Step 8: Stopping specific instance of PIVX.

Make it dead simple.

Hope this helps!
 
At the beginning, you state;

We need a VPN or bare metal root server.

I think you mean VPS.
o_O Oh, yes. I changed it.
In the file, nano /etc/iptables/rules.v4 , there is this reference.

the.ser.ver.ip2

Is that the server of where I am connecting from via SSH, or the VPS server? I am actually running a bare metal server, and it is on the LAN. So, is the IP I need to enter the public IP (WAN) or internal network IP (LAN)?
Do you have instructions for Fedora? I know Debian well, but prefer to stick with Fedora on this machine.

Yes, that's the IP on the server. Your internal network IP (LAN) is right.
I only allow SSH access from WAN to one IPv4 and one IPV6. I forbid everything from WAN in and only open the ports that are needed.
SSH only from LAN is more secure. If only you are alone in the LAN, you can possibly allow everything. ( -A INPUT -s 192.168.0.1 -j ACCEPT )
(I only have bare metal servers, Supermicro blades 23-32, - € /month 16-32GB RAM. Traffic: umlimited) I have backup access via the IPMI interface over the LAN from the provider in the data center.

Code:
-A INPUT -s 192.168.0.1 -p tcp -d the.ser.ver.ip --dport 22 -i eth0 -j ACCEPT
--append INPUT --source IP --protocol tcp --destination IP --destnation_port 22 --interface eth0

Starting with Debian Buster, nf_tables is the default backend when using iptables. I have to switch to nft rules soon.

My last rpm based distri was from SuSe Linux AG from Nürnberg Germany. Before Novell bought it and renamed it to openSUSE. I only briefly looked at RedHat, Fedora, CentOS.

Probably best to leave Firewall and SSH access details, and PIVX installation to another Tutorial to make this one more clear.

Every set of instructions I see on the web to run multiple instances of Tor for multiple MN daemons, are extremely different. I'm sure everyone runs into that issue.

Should be organized like this:

Step 1: Installing Tor.

Step 2: Testing Tor installation.

Step 3: Configuring Tor for 2 instances.

Step 4: Testing 2 Tor instances running at the same time.

Step 5: Preparing Data Directories for each PIVX instance.

Step 6: Preparing Masternode.conf on controller wallet.

Step 7: Starting 2 instances of PIVX over Tor.

Step 8: Stopping specific instance of PIVX.

Make it dead simple.

Hope this helps!

The nice instances create script is specifically for Debian/Ubuntu with systemd service only. Other OS or old ones with sysinit must be set up 'by hand'. We have to rewrite that for the pivxd ;-)
The Tor Project created this for 1GB and 10GB interfaces because Tor is not ¹really multicore aware. A Tor-relay or Tor-exit has several 10,000 in & out connections.
Adonis asked a good question on the Discord Channel. I created a Tor instance for mainnet, one for testnet and one for a Tor bridge. However, you can run several pivxd over one Tor process. That is probably easier.
I'm doing an extra tutorial for the Tor installation. I'll start with Step 1-4.
For a quick and easy setup. SSH, Firewall & Tor I adapted a script for Debian 9 + 10. https://github.com/boldsuck/tor-relay-bootstrap (I have to change 'apt install' back to 'apt-get'. Use apt interactive and apt-get in scripts, is recommended.

It is difficult to write instructions for different systems. It starts with the systemd script. Adonis has one for rasberry. For Ubuntu 18 and Debian 9 + 10 this is correct from the PIVX githup. 64-Bit-ARM (AArch64) != 64-Bit-PC (AMD64)
Many program paths have changed from Debian 9 to 10.
/bin → /usr/bin
/sbin → /usr/sbin
/lib → /usr/lib
/run → /var/run
That's why almost all PIVX mn instructions are in '/home/user/' as user accounts and not service accounts.

¹On a quad core, however, a tor process is divided into several threads.

293
 
Top