boldsuck
New Pivian
I run a server as a hobby and English is not my native language. Improvements and help are welcome.
There are many ways to do everything on UNIX systems. This is one of them. Use at your own risk!
(This is a work in progress. I will redo the Tor setup: multiple Tor instances vs. one Tor process with multiple pivxd masternodes.) Last Edit: 12.10.2020 - PIVX v4.3.0
1. We need a VPS or a bare-metal root server,
and one IPv4 or IPv6 address per masternode! This example uses a dual-stack host with 2 IPv4 and 2 IPv6 addresses; adding more IPs and masternodes follows the same pattern.
The examples are for Debian or Debian derivatives (Ubuntu, etc.).
2. Generate a strong SSH key with a passphrase. (On your machine at home):
~$ ssh-keygen -t rsa -b 4096 -o -a 100 # Very compatible.
~$ ssh-keygen -o -a 100 -t ed25519 # Recommended! Faster in authentication & very secure.
Let's go, login to your server and configure some basic security:
~$ ssh root@203.0.113.11
Change the root password after the first login!
~$ passwd
Create a user for every masternode: (Only one user needs SSH key login.)
(Replace '$USER' with your desired username in all example commands. I have used user and pivx in all of the examples.)
~$ adduser user
~$ adduser pivx
Open a second terminal on your machine at home and copy your public SSH key to the server:
~$ ssh-copy-id -p 22 user@203.0.113.11
If the user login works with the SSH key then you can close the 2nd terminal.
~$ exit
To verify, in the 1st terminal:
~$ grep "Accepted publickey for user" /var/log/auth.log
Back in the 1st terminal, change or add the following sshd settings (reminder: replace 'user'). Keep this root session open until a key login from a fresh terminal works, and run 'sshd -t' before reloading; a typo here locks you out of the server.
~$ nano /etc/ssh/sshd_config
~$ service sshd reload # Reload does not drop existing connections.
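Before reloading sshd it is worth checking that the file really says what you think, because a wrong setting here locks you out. The shell script below is an added example, not from the original post: it reads an sshd_config the way sshd does (the first occurrence of a keyword wins, keywords are case-insensitive, everything below a Match block is conditional and therefore ignored), compares the effective values with the settings this guide requires, and checks that AllowUsers names the admin account. The two sample configs are constructed in a temp directory; the assumptions are that the file uses the "Keyword value" spelling and has no Include directives.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config against the
# settings this guide requires. Assumption: "Keyword value" lines only (the rarer
# "Keyword=value" spelling is not parsed) and no Include directives.

# sshd_effective <file> <keyword>: the value sshd would use. sshd takes the first
# occurrence of a keyword (case-insensitive); lines below a Match block are
# conditional, so scanning stops there.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/        { next }      # comment
        NF == 0                 { next }      # blank line
        tolower($1) == "match"  { exit }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # strip the keyword
            print
            exit
        }' "$1"
}

# sshd_audit <file> <admin user>: one line per check; returns 0 only if all pass.
# The third field of each spec is sshd_config(5)'s default for an unset keyword.
sshd_audit() {
    cfg=$1; admin=$2; rc=0
    for spec in permitrootlogin:no:prohibit-password \
                passwordauthentication:no:yes \
                pubkeyauthentication:yes:yes \
                x11forwarding:no:no; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; dflt=${rest#*:}
        got=$(sshd_effective "$cfg" "$key")
        [ -n "$got" ] || got=$dflt
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "OK   $key = $got"
        else
            echo "FAIL $key = $got (want $want)"; rc=1
        fi
    done
    # AllowUsers must name the admin account, otherwise its key login is refused.
    allowed=$(sshd_effective "$cfg" allowusers)
    case " $allowed " in
        *" $admin "*) echo "OK   AllowUsers lists $admin" ;;
        *) echo "FAIL AllowUsers does not list $admin (got: ${allowed:-unset})"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files, not real server configs.
SSHD_SAMPLES=$(mktemp -d)
cat > "$SSHD_SAMPLES/hardened" <<'EOF'
# Authentication:
AllowUsers user
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
EOF
cat > "$SSHD_SAMPLES/stock" <<'EOF'
# Debian-like defaults: still commented out, so sshd's built-in defaults apply
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
X11Forwarding yes
EOF

for f in hardened stock; do
    echo "== $f"
    if sshd_audit "$SSHD_SAMPLES/$f" user; then
        echo "-> safe to reload sshd"
    else
        echo "-> fix the file before 'service sshd reload'"
    fi
done
```

On the server, run `sshd_audit /etc/ssh/sshd_config user` as root and then `sshd -t` for a syntax check. On Debian 11 and later the stock file also pulls in /etc/ssh/sshd_config.d/*.conf, which this audit does not read.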
In case you want to change the hostname:
~$ hostname hostname.domain.tld
~$ nano /etc/hostname
~$ nano /etc/hosts
Most hosters preconfigure only one IPv4 address. Configure IPv6 and any additional IPv4 addresses:
~$ cp /etc/network/interfaces /etc/network/interfaces.bak # save the current config first!
~$ nano /etc/network/interfaces
Update software:
~$ apt update && apt full-upgrade
We need these packages:
(apt has been HTTPS-capable since Debian 10 (buster); apt-transport-https is only a transitional dummy package.)
~$ apt install lsb-release gpg wget apt-transport-https
Add the official Tor Project repository:
~$ echo "deb https://deb.torproject.org/torproject.org `lsb_release -cs` main" >> /etc/apt/sources.list
And add the repo key:
~$ wget -O - https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | apt-key add -
(apt-key is deprecated from Debian 11 on: there, store the key under /usr/share/keyrings/ and reference it with a [signed-by=...] option in the deb line, so the key is trusted for this one repository only.)
Reread software package lists:
~$ apt update
Install missing software:
~$ apt install deb.torproject.org-keyring tor nyx tor-geoipdb tor-instances unattended-upgrades apt-listchanges sudo fail2ban iptables-persistent unbound ntp
Add one '$USER' account to the sudo group:
~$ usermod -aG sudo user
Configure automatic updates:
~$ cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
Configure unbound as a validating, recursive, caching DNS resolver. Debian's unbound listens on 127.0.0.1 and ::1 and validates DNSSEC out of the box; back up the old resolv.conf and point the system at it:
~$ mv /etc/resolv.conf /etc/resolv.conf.bak
~$ nano /etc/resolv.conf
With unbound installed we only need this one line:
nameserver 127.0.0.1
(If the resolvconf package is installed it rewrites this file; the dns-nameservers 127.0.0.1 entry in /etc/network/interfaces below covers that case.)
Configure firewall (Examples, adjust IPs and Ports):
~$ nano /etc/iptables/rules.v4
~$ nano /etc/iptables/rules.v6
~$ chmod 600 /etc/iptables/rules.v4
~$ chmod 600 /etc/iptables/rules.v6
~$ iptables-restore < /etc/iptables/rules.v4
~$ ip6tables-restore < /etc/iptables/rules.v6
or
~$ reboot
Create 2 or more Tor instances, one per masternode (tor-instance-create comes with the tor-instances package installed above):
~$ systemctl stop tor
~$ tor-instance-create 00
~$ tor-instance-create 01
~$ ...
~$ systemctl enable tor@00
~$ systemctl enable tor@01
~$ ...
~$ systemctl mask tor@default
Configure the Tor instances:
I list the config for 2 Tor instances here so that the differences from the default settings can be seen; the 3rd to nth instance follow the same pattern (next ControlPort, next SocksPort).
I have commented out some useful options that I use.
~$ nano /etc/tor/instances/00/torrc
~$ nano /etc/tor/instances/01/torrc
~$ systemctl start tor@00
~$ systemctl start tor@01
To see if the Tor daemons are running (the unit is tor@00; _tor-00 is the user the instance runs as):
~$ systemctl status tor@00
~$ systemctl status tor@01
or '~$ journalctl -xe' to see if everything is ok.
Nyx shows you detailed real-time information in color.
Download and set up the PIVX Core wallet
Get the latest release from: https://github.com/pivx-project/pivx/releases & adapt the version in the following examples!
You can use one of the following directories for this (/home/$USER, /opt or /usr/local). I use this as an example:
/home/pivx/pivx-4.3.0
~$ su - pivx
~$ cd /home/pivx
~$ wget https://github.com/PIVX-Project/PIVX/releases/download/v4.3.0/pivx-4.3.0-x86_64-linux-gnu.tar.gz
~$ wget https://github.com/PIVX-Project/PIVX/releases/download/v4.3.0/SHA256SUMS.asc
Verify the binaries before extracting, installing or using them. Checking the hash alone only proves that the tarball matches the SHA256SUMS.asc downloaded next to it; also verify the signature on SHA256SUMS.asc ('gpg --verify SHA256SUMS.asc') with the PIVX release signing key obtained from an independent source, otherwise anyone who can replace the tarball can replace the checksum file too.
~$ sha256sum --ignore-missing -c SHA256SUMS.asc # must print 'pivx-4.3.0-x86_64-linux-gnu.tar.gz: OK'; the lines for other platforms are skipped
~$ tar -xvzf pivx-4.3.0-x86_64-linux-gnu.tar.gz
Delete the downloaded files (-i prompts before every removal; type 'y' and ENTER):
~$ rm -i pivx-4.3.0-x86_64-linux-gnu.tar.gz && rm -i SHA256SUMS.asc
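Put together as a script, the download check above has two halves: the signature on SHA256SUMS.asc, which ties the list to the PIVX release key, and the hash of the archive, which ties the archive to the list. The shell below is an added example, not code from the original post or the PIVX project: check_sums insists that the archive is actually listed (sha256sum's --ignore-missing would otherwise report success for a list that never mentions the file) and that its hash matches, and verify_release runs the signature check first with a keyring that holds only the release signing key. The release directory, archive and clearsign-shaped checksum list are constructed inline (no real signature), so only the hash half runs offline; the keyring path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or the PIVX project.
# verify_release <dir> <archive> <keyring.gpg>: signature first, then the hash.

# check_sums <dir> <archive> <sums file>: 0 only if <archive> is listed in the
# checksum file and its SHA-256 matches. A clearsigned SHA256SUMS.asc works as
# the sums file: sha256sum warns about the PGP armour lines and checks the rest.
check_sums() {
    dir=$1; archive=$2; sums=$3
    # --ignore-missing would happily report success for a list that never mentions
    # our file, so require the entry explicitly ("hash  name" or "hash *name").
    if ! awk -v f="$archive" '$2 == f || $2 == ("*" f) { found = 1 } END { exit !found }' "$dir/$sums"; then
        echo "FAIL $archive is not listed in $sums"; return 1
    fi
    if ( cd "$dir" && sha256sum --ignore-missing --check "$sums" 2>/dev/null | grep -qxF "$archive: OK" ); then
        echo "OK   $archive matches $sums"
    else
        echo "FAIL $archive does not match the hash in $sums"; return 1
    fi
}

# verify_release <dir> <archive> <keyring>: the keyring (assumed path, e.g.
# ~/.gnupg/pivx-release.gpg) must contain only the PIVX release signing key,
# imported earlier from an independent source.
verify_release() {
    dir=$1; archive=$2; keyring=$3
    if ! gpg --no-default-keyring --keyring "$keyring" --verify "$dir/SHA256SUMS.asc" 2>/dev/null; then
        echo "FAIL SHA256SUMS.asc is not signed by a key in $keyring"; return 1
    fi
    echo "OK   good signature on SHA256SUMS.asc"
    check_sums "$dir" "$archive" SHA256SUMS.asc
}

# Constructed sample: a fake archive and a checksum list in clearsign layout
# (no real signature, so only check_sums is exercised here).
ARCHIVE=pivx-4.3.0-x86_64-linux-gnu.tar.gz
REL=$(mktemp -d)
printf 'not a real tarball\n' > "$REL/$ARCHIVE"
hash=$(sha256sum "$REL/$ARCHIVE" | cut -d' ' -f1)
cat > "$REL/SHA256SUMS.asc" <<EOF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

$hash  $ARCHIVE
0000000000000000000000000000000000000000000000000000000000000000  pivx-4.3.0-aarch64-linux-gnu.tar.gz
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
EOF
# Same list, tampered archive: one byte appended after the hash was published.
REL_BAD=$(mktemp -d)
cp "$REL/$ARCHIVE" "$REL/SHA256SUMS.asc" "$REL_BAD/"
printf 'x' >> "$REL_BAD/$ARCHIVE"

check_sums "$REL" "$ARCHIVE" SHA256SUMS.asc
check_sums "$REL_BAD" "$ARCHIVE" SHA256SUMS.asc
check_sums "$REL" pivx-4.3.0-arm-linux-gnueabihf.tar.gz SHA256SUMS.asc
```

For a real download run `verify_release /home/pivx pivx-4.3.0-x86_64-linux-gnu.tar.gz <keyring>` and only extract when it returns 0.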
~$ /home/pivx/pivx-4.3.0/bin/pivxd -daemon # -daemon already forks into the background, no trailing '&' needed
Install the PIVX Core wallet this way for each masternode.
I synchronize the blockchain on one masternode and do not load a snapshot. It takes a few hours! If several masternodes are set up you can copy the synced blocks/ and chainstate/ directories to the others (never wallet.dat: every node keeps its own wallet).
Now, how to torify it:
But only when the blockchain is completely synchronized. The Tor network is slower and the initial sync creates unnecessary Tor traffic. All Tor relays are privately funded, not by the Tor Project!
Notice: see section '3. Automatically listen on Tor' in PIVX's doc/tor.md.
1. Essential: add the user running pivxd to the group of the Tor instance it should use. Debian's per-instance defaults enable CookieAuthentication with a group-readable control cookie, so group membership is what lets pivxd read the cookie and authenticate to the control port.
That's actually all: with the default config pivxd then creates its onion service via the control port and listens on Tor automatically (Debian default torrc config).
Example! (Replace user, pivx)
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli stop
~$ usermod -aG _tor-00 user
~$ usermod -aG _tor-01 pivx
Group membership only takes effect in a new login session, so start pivxd again from a fresh 'su - pivx' shell:
~$ /home/pivx/pivx-4.3.0/bin/pivxd -daemon
2. If everything works you will find your .onion address in the pivxd debug log ;-)
~$ grep "tor: Got service ID" /home/user/.pivx/debug.log
Configuration of your control wallet for Masternode and/or Staker wallet Cold Staking
You can do both at the same time from one controller wallet and your PIVX masternode can also do cold staking!
Read these instructions from the PIVX developers, admins or support staff first (A PIVX Cold Staking How-To on pivx.org, linked below next to the config files):
~$ nano /home/user/.pivx/pivx.conf
~$ nano /home/pivx/.pivx/pivx.conf
Both pivx.conf files contain masternodeprivkey, so make each readable by its owner only (chmod 600).
On the computer at home with the control wallet, put your .onion address into masternode.conf.
You should also have Tor installed and set up at home. Remember: there too, the user running the wallet must be in the Tor group (debian-tor for Debian's default instance) to use the control port.
Example: mn1 vvitroeopey3h7i2.onion:51472 93HaYBVUCYjEMeeH1Y4sBGLALQZE1Yc1K64xiqgX37tGBDQL8Xg 2bcd3c84c84f87eaa86e4e56834c92927a07f9e18718810b92e0d0324456a67c 0
Installing Service Configuration:
Local units belong in /etc/systemd/system/ (/lib/systemd/system/ is for package-managed units), one unit per masternode:
~$ nano /etc/systemd/system/pivxd-00.service
~$ nano /etc/systemd/system/pivxd-01.service
Update systemd configuration:
~$ systemctl daemon-reload
Test them:
~$ systemctl start pivxd-00
~$ systemctl start pivxd-01
If successful enable for system startup:
~$ systemctl enable pivxd-00
~$ systemctl enable pivxd-01
Useful commands:
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli getnetworkinfo
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli getmasternodestatus
Sometimes the masternode cannot be started from the controller wallet. You can also enter this command directly on the masternode:
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli startmasternode local false
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli liststakingaddresses
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli listdelegators
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli getstakingstatus
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli getcoldstakingbalance
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli listcoldutxos
~$ fail2ban-client status sshd
~$ fail2ban-client set sshd banip 123.123.123.123
~$ fail2ban-client set sshd unbanip 123.123.123.123
# How often each IP has been banned (fail2ban logs "... [sshd] Ban <ip>"):
~$ awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
~$ iptables -S -v
~$ ip6tables -S -v
~$ iptables -L -v
~$ ip6tables -L -v
Other useful packages:
~$ apt install man htop nullmailer logcheck logcheck-database
Intel and AMD CPUs support native AES acceleration (AES-NI). Check that the flag is present:
~$ grep -o -m1 aes /proc/cpuinfo
If your server has IPMI, you can activate it yourself in the BIOS ;-) (Keep the IPMI interface off the public internet; it is a second, unfirewalled way into the machine.)
Example session in the 2nd terminal (copying the key, then testing the key login):
Code:
user@home2ndterminal:~$ ssh-copy-id -p 22 user@203.0.113.11
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@203.0.113.11's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '22' 'user@203.0.113.11'"
and check to make sure that only the key(s) you wanted were added.
user@home2ndterminal:~$ ssh -p '22' 'user@203.0.113.11'
Enter passphrase for key '/home/user/.ssh/id_ed25519':
Linux localhost 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
user@localhost:~$ exit
From now on every login asks for the passphrase of your SSH key instead of an account password:
No password is sent over the network any more; the passphrase only unlocks the private key that stays on your laptop.
(The -p <port> option is not necessary for the default SSH port 22.)
~$ ssh user@203.0.113.11
On your machine at home you can set up an alias in .bashrc for lazy SSH logins.
Example: ( alias mn1='ssh user@203.0.113.11' )
Then typing 'mn1' in the terminal connects you to the server ;-)
On a private computer that you trust, ssh-agent with ssh-askpass saves retyping the passphrase.
Switch to root:
(Once sudo is set up we can put 'sudo' before every command and no longer have to work as root.)
Use 'su -' (a login shell) since Debian Buster: plain 'su' no longer puts /sbin and /usr/sbin into PATH, so admin commands come back as "not found". I've added an alias to user's .bashrc to avoid making that mistake. ( alias su='su -' )
~$ su -
The settings to change or add in /etc/ssh/sshd_config (replace 'user'; in nano, [CTRL]+O saves the file and [CTRL]+X quits the editor):
Code:
# Authentication:
AllowUsers user
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
/etc/network/interfaces for a dual-stack host with 2 IPv4 and 2 IPv6 addresses (back up the current file first, as above):
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
#iface lo inet6 loopback
# The primary network interface. Attention! Adjust the interface name (enp2s0 here; on a VPS mostly eth0)
allow-hotplug enp2s0
iface enp2s0 inet static
address 203.0.113.11
netmask 255.255.255.255
gateway 203.0.113.1
up ip addr add 203.0.113.12/32 dev enp2s0 label enp2s0:0
down ip addr del 203.0.113.12/32 dev enp2s0 label enp2s0:0
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 127.0.0.1 ns1-provider ns2-provider
dns-search your-domain.tld
iface enp2s0 inet6 static
# If you're lucky, the provider specifies IPv6 2001:db8:abc:a00::/64 and gateway 2001:db8:abc:a00::1 (or often fe80::1). Then this is enough:
#address 2001:db8:abc:a00::2
#netmask 64
#gateway 2001:db8:abc:a00::1 or gateway fe80::1
#up ip -6 addr add 2001:db8:abc:a00::3/64 dev enp2s0
#down ip -6 addr del 2001:db8:abc:a00::3/64 dev enp2s0
#dns-nameservers ::1 ipv6-ns1-provider ipv6-ns2-provider
## But the assigned IPv6 block and the gateway are often in different subnets. For newbies one of the most common pitfalls with IPv6:
## the provider specifies IPv6 2001:db8:abc:a09::/64 and gateway 2001:db8:abc:a00::1 (notice the different subnets :a09 and :a00), so the gateway first needs an on-link route:
address 2001:db8:abc:a09::2
netmask 64
up ip -6 addr add 2001:db8:abc:a09::3/64 dev enp2s0
post-up ip -6 route add 2001:db8:abc:a00::1 dev enp2s0
post-up ip -6 route add default via 2001:db8:abc:a00::1
pre-down ip -6 route del default via 2001:db8:abc:a00::1
pre-down ip -6 route del 2001:db8:abc:a00::1 dev enp2s0
down ip -6 addr del 2001:db8:abc:a09::3/64 dev enp2s0
dns-nameservers ::1 ipv6-ns1-provider ipv6-ns2-provider
/etc/iptables/rules.v4 (example; adjust IPs and ports. Traffic belonging to existing connections is matched first, and the 127/8 drop is what the loopback comment promises):
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
## Allow all loopback (lo) traffic and drop anything addressed to 127/8 that does not arrive on lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
## Replies to connections we opened (most packets) first.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## Ratelimit ICMP echo, allow all other ICMP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
## Allow incoming SSH, only on one IP:
-A INPUT -p tcp -d 203.0.113.11 --dport 22 -j ACCEPT
## Allow Tor-Bridge ORPort, ListenAddr:
#-A INPUT -p tcp -d 203.0.113.11 --dport 443 -j ACCEPT
#-A INPUT -p tcp -d 203.0.113.11 --dport 80 -j ACCEPT
## Allow pivxd-1:
-A INPUT -p tcp -d 203.0.113.11 --dport 51472 -j ACCEPT
## Allow pivxd-2:
-A INPUT -p tcp -d 203.0.113.12 --dport 51472 -j ACCEPT
## To log denied packets uncomment this line
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
/etc/iptables/rules.v6 (example; adjust IPs and ports. Never block ICMPv6 wholesale, IPv6 needs it for neighbour discovery and path MTU):
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
## Allow all loopback (lo) traffic and drop anything addressed to ::1 that does not arrive on lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d ::1/128 -j DROP
## Replies to connections we opened (most packets) first.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## Ratelimit ICMPv6 echo, allow all other ICMPv6 (neighbour discovery, path MTU)
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
## Allow incoming SSH, only on one IP:
-A INPUT -p tcp -d 2001:db8:abc:a09::2 --dport 22 -j ACCEPT
## Allow Tor-Bridge ORPort, ListenAddr:
#-A INPUT -p tcp -d 2001:db8:abc:a09::2 --dport 443 -j ACCEPT
#-A INPUT -p tcp -d 2001:db8:abc:a09::2 --dport 80 -j ACCEPT
## Allow pivxd-1:
-A INPUT -p tcp -d 2001:db8:abc:a09::2 --dport 51472 -j ACCEPT
## Allow pivxd-2:
-A INPUT -p tcp -d 2001:db8:abc:a09::3 --dport 51472 -j ACCEPT
## To log denied packets uncomment this line
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
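Both rule files are the same pattern applied once per address: SSH only on the admin address, the P2P port on every masternode address, rate-limited ping, the rest dropped. With a third or fourth masternode it is easy to forget one line in one of the two files, so the shell below (an added example, not from the original post) generates rules.v4 and rules.v6 from a single node list, with the conntrack rule in front, the loopback-spoofing drop the comment promises, and ICMPv6 kept open. The node list is constructed from documentation addresses; the port numbers are this guide's.

```shell
#!/bin/sh
# Added example, not from the original post: generate /etc/iptables/rules.v4 and
# rules.v6 for N masternodes from one list. Stdin: one "IPv4 IPv6" pair per
# masternode; the first line is the admin address that also accepts SSH.
P2P_PORT=51472
SSH_PORT=22

gen_rules() {                 # gen_rules v4|v6 < nodelist
    if [ "$1" = v4 ]; then
        col=1; lonet=127.0.0.0/8; icmp='-p icmp --icmp-type echo-request'; anyicmp='-p icmp'
    else
        col=2; lonet=::1/128;     icmp='-p ipv6-icmp --icmpv6-type echo-request'; anyicmp='-p ipv6-icmp'
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
## loopback: accept on lo, drop loopback addresses arriving on any other interface
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d $lonet -j DROP
## replies to our own connections first
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## rate-limited ping; all other ICMP accepted (IPv6 needs it for neighbour discovery)
-A INPUT $icmp -m limit --limit 2/s -j ACCEPT
-A INPUT $icmp -j DROP
-A INPUT $anyicmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # one SSH rule for the first address, one P2P rule per masternode address
    awk -v col="$col" -v p2p="$P2P_PORT" -v ssh="$SSH_PORT" '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        n == 0 { printf "## SSH only on the admin address\n-A INPUT -p tcp -d %s --dport %s -j ACCEPT\n", $col, ssh }
        { n++; printf "## pivxd-%d\n-A INPUT -p tcp -d %s --dport %s -j ACCEPT\n", n, $col, p2p }'
    cat <<EOF
## uncomment to log what gets dropped
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
EOF
}

# Constructed node list (documentation addresses): three masternodes.
NODES='
203.0.113.11 2001:db8:abc:a09::2
203.0.113.12 2001:db8:abc:a09::3
203.0.113.13 2001:db8:abc:a09::4
'
rules_v4() { printf '%s\n' "$NODES" | gen_rules v4; }
rules_v6() { printf '%s\n' "$NODES" | gen_rules v6; }

rules_v4
rules_v6
# As root: rules_v4 > /etc/iptables/rules.v4 && iptables-restore --test /etc/iptables/rules.v4
#          rules_v6 > /etc/iptables/rules.v6 && ip6tables-restore --test /etc/iptables/rules.v6
```

Validate with `iptables-restore --test` and `ip6tables-restore --test` before the real restore, and keep the SSH session that loads the rules open until a second login succeeds.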
To apply the new /etc/network/interfaces without a reboot (adjust the interface name, enp2s0 here; on a VPS it is mostly eth0). If this goes wrong you lose the connection and must use the hoster's 'virtual' power button, so check the file twice first:
~$ /etc/init.d/networking restart; ifup enp2s0
The tor-instances package installs the tor-instance-create helper on Debian and Ubuntu. On other distributions you have to do by hand what this script does (create the _tor-NN user and group, the data directory and the instance torrc).
/etc/tor/instances/00/torrc (these lines are added on top of Debian's per-instance defaults, which already set the user, data directory and cookie authentication):
Code:
# This is the tor configuration file for tor instance 00.
#
# To start/reload/etc this instance, run "systemctl start tor@00" (or reload, or..).
# This instance will run as user _tor-00; its data directory is /var/lib/tor-instances/00.
## ControlPort for nyx and pivxd. Debian's instance defaults already enable CookieAuthentication
## with a group-readable cookie, so members of the _tor-00 group can authenticate (see usermod below).
## Start nyx: ~$ nyx -i 9051
## Hint: alias to user's .bashrc ( alias nyx00='nyx -i 9051' )
ControlPort 9051
#CookieAuthentication 1
## Debian's instance defaults set SocksPort 0 (unix socket only), so each instance gets its own
## TCP SocksPort here; pivxd's proxy= and onion= settings point at it.
SocksPort 9050
## SocksPort flag: OnionTrafficOnly
## Tell the tor client to only connect to .onion addresses in response to SOCKS5 requests on this connection.
## This is equivalent to NoDNSRequest, NoIPv4Traffic, NoIPv6Traffic.
#SocksPort 9050 OnionTrafficOnly
## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
SocksPolicy accept 127.0.0.1
SocksPolicy reject *
## Tor will reject application connections that use unsafe variants of the socks protocol
## -- ones that only provide an IP address, meaning the application is doing a DNS resolve first.
## Specifically, these are socks4 and socks5 when not doing remote DNS.
#SafeSocks 1
## Tor will make a notice-level log entry for each connection to the Socks port indicating
## whether the request used a safe socks protocol or an unsafe one (see above entry on SafeSocks).
## This helps to determine whether an application using Tor is possibly leaking DNS requests.
#TestSocks 1
## A list of preferred nodes to use for the first hop in the circuit, if possible.
#EntryNodes $fingerprint,$fingerprint,...
## A list of preferred nodes to use for the last hop in the circuit, if possible. (Hint: onion traffic never leaves the Tor network, so exit settings do not apply to it.)
#ExitNodes $fingerprint,$fingerprint,...
## A list of nodes to never use when building a circuit.
#ExcludeNodes Unnamed,default
## A list of nodes to never use when picking an exit. Nodes listed in ExcludeNodes are automatically in this list.
#ExcludeExitNodes $fingerprint,$fingerprint,..
#StrictNodes 1
#ClientUseIPv6 1
LongLivedPorts 51472
# Default: 21, 22, 706, 1863, 5050, 5190, 5222, 5223, 6523, 6667, 6697, 8300
/etc/tor/instances/01/torrc (same, with the next free ControlPort and SocksPort):
Code:
# This is the tor configuration file for tor instance 01.
#
# To start/reload/etc this instance, run "systemctl start tor@01" (or reload, or..).
# This instance will run as user _tor-01; its data directory is /var/lib/tor-instances/01.
## ControlPort for nyx and pivxd. Debian's instance defaults already enable CookieAuthentication
## with a group-readable cookie, so members of the _tor-01 group can authenticate (see usermod below).
## Start nyx: ~$ nyx -i 9052
## Hint: alias to user's .bashrc ( alias nyx01='nyx -i 9052' )
ControlPort 9052
#CookieAuthentication 1
## Debian's instance defaults set SocksPort 0 (unix socket only), so each instance gets its own
## TCP SocksPort here; this one must differ from instance 00.
SocksPort 9150
## SocksPort flag: OnionTrafficOnly
## Tell the tor client to only connect to .onion addresses in response to SOCKS5 requests on this connection.
## This is equivalent to NoDNSRequest, NoIPv4Traffic, NoIPv6Traffic.
#SocksPort 9150 OnionTrafficOnly
## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
SocksPolicy accept 127.0.0.1
SocksPolicy reject *
## Tor will reject application connections that use unsafe variants of the socks protocol
## -- ones that only provide an IP address, meaning the application is doing a DNS resolve first.
## Specifically, these are socks4 and socks5 when not doing remote DNS.
#SafeSocks 1
## Tor will make a notice-level log entry for each connection to the Socks port indicating
## whether the request used a safe socks protocol or an unsafe one (see above entry on SafeSocks).
## This helps to determine whether an application using Tor is possibly leaking DNS requests.
#TestSocks 1
## A list of preferred nodes to use for the first hop in the circuit, if possible.
#EntryNodes $fingerprint,$fingerprint,...
## A list of preferred nodes to use for the last hop in the circuit, if possible.
#ExitNodes $fingerprint,$fingerprint,...
## A list of nodes to never use when building a circuit.
#ExcludeNodes Unnamed,default
## A list of nodes to never use when picking an exit. Nodes listed in ExcludeNodes are automatically in this list.
#ExcludeExitNodes $fingerprint,$fingerprint,..
#StrictNodes 1
#ClientUseIPv6 1
LongLivedPorts 51472
# Default: 21, 22, 706, 1863, 5050, 5190, 5222, 5223, 6523, 6667, 6697, 8300
Hint for the service files (see Installing Service Configuration below): the units use the version-independent path /home/$USER/pivx4/bin/pivxd, so an upgrade only needs a new extraction, not a new unit file. Create that directory first; tar -C does not create it:
~$ mkdir -p /home/user/pivx4 && tar -zxvf /home/user/pivx-4.3.0-x86_64-linux-gnu.tar.gz --strip-components=1 -C /home/user/pivx4
~$ mkdir -p /home/pivx/pivx4 && tar -zxvf /home/pivx/pivx-4.3.0-x86_64-linux-gnu.tar.gz --strip-components=1 -C /home/pivx/pivx4
Example output from a testnet node (hence the testnet4 data directory and port 51474):
pivx@tor-proxy:~$ grep "tor: Got service ID" /home/pivx/.pivx/testnet4/debug.log
2020-09-29 22:28:27 tor: Got service ID vvitroeopey3h7i2, advertising service vvitroeopey3h7i2.onion:51474
This onion address is a real PIVX testnet node.
A PIVX Cold Staking How-To (pivx.org): Cold staking requires two PIVX wallets: one to hold the funds (this can be also a hardware wallet and does not need to be always online) and another one, the hot-node, to do the staking (this needs…
/home/user/.pivx/pivx.conf for masternode 1 (Tor instance 00: SocksPort 9050, ControlPort 9051; addresses .11 and ::2):
Code:
## pivx.conf configuration file.
# Network-related settings:
# Run on the test network instead of the real pivx network.
#testnet=1
# Connect via a SOCKS5 proxy (default: 127.0.0.1:9050)
proxy=127.0.0.1:9050
#proxy=unix:/run/tor-instances/00/socks
# Use separate SOCKS5 proxy to reach peers via Tor hidden services (default: -proxy)
onion=127.0.0.1:9050
# Tor control port to use if onion listening enabled (default: 127.0.0.1:9051)
torcontrol=127.0.0.1:9051
# Listening mode, enabled by default except when 'connect' is being used
listen=1
# Maximum number of inbound+outbound connections. (default: 125)
maxconnections=256
# can be commented out if you use the service script
daemon=1
# Include IP addresses in debug output (default: 0)
#logips=1
# Prepend debug output with timestamp (default: 1)
#logtimestamps=1
# Bind to given address and always listen on it. Use [host]:port notation for IPv6
# TCP port: (default: 51472 or testnet: 51474)
bind=203.0.113.11
bind=[2001:db8:abc:a09::2]:51472
onlynet=onion
# replace with your own .onion address (from the 'tor: Got service ID' line in debug.log)
externalip=vvitroeopey3h7i2.onion
# Masternode options:
masternode=1
masternodeaddr=vvitroeopey3h7i2.onion:51472
masternodeprivkey=91v..............................................8K
#
# JSON-RPC options (for controlling a running Pivx/pivxd process)
#
# server=1 tells Pivx-QT to accept JSON-RPC commands,
# it is also read by pivxd to determine if RPC should be enabled.
server=1
# By default, only RPC connections from localhost are allowed.
# NOTE: opening up the RPC port to hosts outside your local trusted network is NOT RECOMMENDED,
# because the rpcpassword is transmitted over the network unencrypted.
#rpcallowip=[::1]
#rpcallowip=127.0.0.1
# If pivxd is run with the "-server" flag (set by default), and no rpcpassword is set, it will use a special cookie file for authentication.
#rpcuser=user
#rpcpassword=Mn1AkgiekiVe45bA
/home/pivx/.pivx/pivx.conf for masternode 2 (Tor instance 01: SocksPort 9150, ControlPort 9052; addresses .12 and ::3):
Code:
## pivx.conf configuration file.
# Network-related settings:
# Run on the test network instead of the real pivx network.
#testnet=1
# Connect via a SOCKS5 proxy (default: 127.0.0.1:9050)
proxy=127.0.0.1:9150
#proxy=unix:/run/tor-instances/01/socks
# Use separate SOCKS5 proxy to reach peers via Tor hidden services (default: -proxy)
onion=127.0.0.1:9150
# Tor control port to use if onion listening enabled (default: 127.0.0.1:9051)
torcontrol=127.0.0.1:9052
# Listening mode, enabled by default except when 'connect' is being used
listen=1
# Maximum number of inbound+outbound connections. (default: 125)
maxconnections=256
# can be commented out if you use the service script
daemon=1
# Include IP addresses in debug output (default: 0)
#logips=1
# Prepend debug output with timestamp (default: 1)
#logtimestamps=1
# Bind to given address and always listen on it. Use [host]:port notation for IPv6
# TCP port: (default: 51472 or testnet: 51474)
# The second masternode needs its own addresses (.12 and ::3, as in the firewall rules);
# two pivxd processes cannot bind the same address:port.
bind=203.0.113.12
bind=[2001:db8:abc:a09::3]:51472
onlynet=onion
# replace with your own .onion address (from the 'tor: Got service ID' line in debug.log)
externalip=vvitroeopey3h7i2.onion
# Masternode options:
masternode=1
masternodeaddr=vvitroeopey3h7i2.onion:51472
masternodeprivkey=91v..............................................8K
#
# JSON-RPC options (for controlling a running Pivx/pivxd process)
#
# server=1 tells Pivx-QT to accept JSON-RPC commands,
# it is also read by pivxd to determine if RPC should be enabled.
server=1
# By default, only RPC connections from localhost are allowed.
# NOTE: opening up the RPC port to hosts outside your local trusted network is NOT RECOMMENDED,
# because the rpcpassword is transmitted over the network unencrypted.
#rpcallowip=[::1]
#rpcallowip=127.0.0.1
# If pivxd is run with the "-server" flag (set by default), and no rpcpassword is set, it will use a special cookie file for authentication.
#rpcuser=user
#rpcpassword=Mn1AkgiekiVe45bA
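As an added example (not from the original post, and not a PIVX tool): a small POSIX sh linter for a pivx.conf that checks the two points the comments above make. rpcallowip must stay on loopback (or be left unset, which is pivxd's localhost-only default), and the file, which holds masternodeprivkey, must not be readable by group or other. The function names, the temporary directory and the sample key value are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: lint a pivx.conf for RPC exposure
# and for file permissions. Sample files and values below are constructed.

# Print the value(s) of a key, ignoring lines that are commented out.
conf_get() {  # conf_get <file> <key>
    sed -n "s/^[[:space:]]*$2=//p" "$1"
}

# Succeed only if every rpcallowip value is a loopback address (or none is set).
rpc_is_local_only() {  # rpc_is_local_only <file>
    while IFS= read -r ip; do
        case "$ip" in
            ""|127.0.0.1|127.0.0.0/8|'[::1]'|::1) ;;   # loopback forms
            *) return 1 ;;                             # reachable from elsewhere
        esac
    done <<EOF
$(conf_get "$1" rpcallowip)
EOF
    return 0
}

# Succeed only if group and other have no permission bits (mode ?00).
conf_is_private() {  # conf_is_private <file>
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print findings; the last output line is "findings: N" (0 = clean).
check_pivx_conf() {  # check_pivx_conf <file>
    findings=0
    if ! rpc_is_local_only "$1"; then
        echo "WARN rpcallowip reaches beyond localhost: $(conf_get "$1" rpcallowip | tr '\n' ' ')"
        findings=$((findings+1))
    fi
    if ! conf_is_private "$1"; then
        echo "WARN $1 is readable by group/other but holds masternodeprivkey"
        findings=$((findings+1))
    fi
    if [ "$(conf_get "$1" server)" = "1" ] && [ -z "$(conf_get "$1" rpcallowip)" ]; then
        echo "OK   server=1 with RPC on localhost only (pivxd default)"
    fi
    echo "findings: $findings"
}

# Write a constructed sample conf (placeholder key, not a real one).
write_sample_conf() {  # write_sample_conf <path> <rpcallowip value or ""> <mode>
    {
        echo "server=1"
        echo "masternode=1"
        echo "masternodeprivkey=CONSTRUCTED-PLACEHOLDER-KEY"
        echo "#rpcallowip=127.0.0.1"
        if [ -n "$2" ]; then echo "rpcallowip=$2"; fi
    } > "$1"
    chmod "$3" "$1"
}

# Demo with two constructed files: one as the post configures it, one exposed.
tmp=$(mktemp -d)
write_sample_conf "$tmp/good.conf" "" 600
write_sample_conf "$tmp/bad.conf" "0.0.0.0/0" 644
check_pivx_conf "$tmp/good.conf"
check_pivx_conf "$tmp/bad.conf"
rm -rf "$tmp"
```

Run it against the real files as each masternode user (`check_pivx_conf /home/pivx/.pivx/pivx.conf`); a clean result ends in `findings: 0`. The permission check matters even with RPC on localhost, because the other masternode user on the same box would otherwise be able to read the first masternode's private key.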
On the computer at home with the control wallet, you have to put your .onion address into masternode.conf.
You should also have installed and set up Tor at home. Remember: Tor and the user running pivxd must belong to the same group.
Example: mn1 vvitroeopey3h7i2.onion:51472 93HaYBVUCYjEMeeH1Y4sBGLALQZE1Yc1K64xiqgX37tGBDQL8Xg 2bcd3c84c84f87eaa86e4e56834c92927a07f9e18718810b92e0d0324456a67c 0
Installing Service Configuration:
Reference: PIVX-Project/PIVX (Private Instant Verified Transactions - Core wallet) on github.com
~$ nano /lib/systemd/system/pivxd-00.service
Code:
# It is not recommended to modify this file in-place, because it will
# be overwritten during package upgrades. If you want to add further
# options or overwrite existing ones then use
# $ systemctl edit pivxd-00.service
# See "man systemd.service" for details.
# Note that almost all daemon options could be specified in
# /home/user/.pivx/pivx.conf
[Unit]
Description=PIVX daemon
After=network.target
Documentation=man:pivxd(1)
[Service]
ExecStart=/home/user/pivx4/bin/pivxd -daemon -datadir=/home/user/.pivx -conf=/home/user/.pivx/pivx.conf -pid=/run/pivxd-00/pivxd.pid
# Creates /run/pivxd-00 owned by user
RuntimeDirectory=pivxd-00
User=user
Type=forking
PIDFile=/run/pivxd-00/pivxd.pid
Restart=on-failure
# Hardening measures
####################
# Provide a private /tmp and /var/tmp.
PrivateTmp=true
# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full
# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true
# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true
# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true
[Install]
WantedBy=multi-user.target
~$ nano /lib/systemd/system/pivxd-01.service
Code:
# It is not recommended to modify this file in-place, because it will
# be overwritten during package upgrades. If you want to add further
# options or overwrite existing ones then use
# $ systemctl edit pivxd-01.service
# See "man systemd.service" for details.
# Note that almost all daemon options could be specified in
# /home/pivx/.pivx/pivx.conf
[Unit]
Description=PIVX daemon
After=network.target
Documentation=man:pivxd(1)
[Service]
ExecStart=/home/pivx/pivx4/bin/pivxd -daemon -datadir=/home/pivx/.pivx -conf=/home/pivx/.pivx/pivx.conf -pid=/run/pivxd-01/pivxd.pid
# Creates /run/pivxd-01 owned by pivx
RuntimeDirectory=pivxd-01
User=pivx
Type=forking
PIDFile=/run/pivxd-01/pivxd.pid
Restart=on-failure
# Hardening measures
####################
# Provide a private /tmp and /var/tmp.
PrivateTmp=true
# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full
# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true
# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true
# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true
[Install]
WantedBy=multi-user.target
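The two units above differ only in the user name and the instance number, and hand-copying them is how small inconsistencies creep in. As an added example (not from the original post and not part of the PIVX project), this POSIX sh script generates the pivxd-NN.service text from one template with the same ExecStart, RuntimeDirectory and hardening lines as above, and checks any unit file for those hardening directives and for a non-root User= before it gets enabled. The install path /home/<user>/pivx4 is the one the post uses; the output directory here is a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: generate per-instance pivxd units
# and verify the hardening directives. Output paths below are constructed.

# Directives every pivxd unit should carry, with the values used in the post.
HARDENING='PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
MemoryDenyWriteExecute=true'

# gen_unit <user> <instance> -> unit text on stdout
gen_unit() {
    u=$1; n=$2
    cat <<EOF
# Generated for user '$u' (instance $n). Override with: systemctl edit pivxd-$n.service
[Unit]
Description=PIVX daemon ($u)
After=network.target
Documentation=man:pivxd(1)

[Service]
ExecStart=/home/$u/pivx4/bin/pivxd -daemon -datadir=/home/$u/.pivx -conf=/home/$u/.pivx/pivx.conf -pid=/run/pivxd-$n/pivxd.pid
# Creates /run/pivxd-$n owned by $u
RuntimeDirectory=pivxd-$n
User=$u
Type=forking
PIDFile=/run/pivxd-$n/pivxd.pid
Restart=on-failure
# Hardening measures
$HARDENING

[Install]
WantedBy=multi-user.target
EOF
}

# check_unit <file> -> prints each missing directive; last line is "missing: N"
check_unit() {
    missing=0
    # The sandboxing lines do little if the daemon runs as root.
    user=$(sed -n 's/^User=//p' "$1")
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "MISSING User=<unprivileged account>"
        missing=$((missing+1))
    fi
    # Each hardening line must appear verbatim (whole line, fixed string).
    while IFS= read -r line; do
        if ! grep -qxF -- "$line" "$1"; then
            echo "MISSING $line"
            missing=$((missing+1))
        fi
    done <<EOF
$HARDENING
EOF
    echo "missing: $missing"
}

# Demo: generate both units from the post into a constructed directory,
# then check a deliberately weakened copy.
tmp=$(mktemp -d)   # a real deployment writes to /etc/systemd/system/
gen_unit user 00 > "$tmp/pivxd-00.service"
gen_unit pivx 01 > "$tmp/pivxd-01.service"
check_unit "$tmp/pivxd-01.service"
sed -e '/^MemoryDenyWriteExecute/d' -e 's/^User=.*/User=root/' \
    "$tmp/pivxd-00.service" > "$tmp/weak.service"
check_unit "$tmp/weak.service"
rm -rf "$tmp"
```

Two practical notes. Locally written units belong in /etc/systemd/system/ rather than /lib/systemd/system/, which is where package-managed units live and is exactly what the "overwritten during package upgrades" comment warns about. And since pivxd is configured above to reach the network only through Tor's SOCKS port, adding `After=tor.service` to [Unit] keeps the daemon from starting before Tor on boot. On systemd versions that have it, `systemd-analyze security pivxd-00.service` gives systemd's own exposure score for the unit.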
Update systemd configuration:
~$ systemctl daemon-reload
This sets symlinks to our unit files. (/etc/systemd/system/multi-user.target.wants) This is specified in the unit file by WantedBy=multi-user.target
Multi-user.target is basically the closest equivalent of classic SysVinit runlevel 3.
~$ systemctl start pivxd-00
~$ systemctl start pivxd-01
If successful, enable them for system startup:
~$ systemctl enable pivxd-00
~$ systemctl enable pivxd-01
With every wallet update the service files would have to be adjusted. That would be annoying.
That's why I install PIVX in the same folder 'pivx4' every time.
~$ tar -zxvf /home/user/pivx-4.3.0-x86_64-linux-gnu.tar.gz --strip-components=1 -C pivx4
The path in the service files above then corresponds accordingly:
ExecStart=/home/user/pivx4/bin/pivxd
Useful commands:
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli getnetworkinfo
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli getmasternodestatus
Sometimes the masternode cannot be started from the controller wallet. You can also enter this command directly on the masternode:
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli startmasternode local false
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli liststakingaddresses
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli listdelegators
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli getstakingstatus
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli getcoldstakingbalance
~$ /home/pivx/pivx-4.3.0/bin/pivx-cli listcoldutxos
~$ fail2ban-client status sshd
~$ fail2ban-client set sshd banip 123.123.123.123
~$ fail2ban-client set sshd unbanip 123.123.123.123
# Count how often each IP has been banned:
~$ awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
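As an added example (not from the original post): the same idea as the one-liner above, extended to track Unban events as well, so you get both the number of bans per IP and the set of IPs that are banned right now. Both functions read a fail2ban log on stdin and match on the jail name, so lines from other jails and the INFO "Found" lines are ignored. The log lines in SAMPLE_LOG are constructed in fail2ban's usual format with RFC 5737 test addresses.

```shell
#!/bin/sh
# Added example, not from the original post: summarise fail2ban actions per IP.
# SAMPLE_LOG is constructed; run the functions against /var/log/fail2ban.log.

SAMPLE_LOG='2020-10-12 08:01:02,123 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2020-10-12 08:03:10,456 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.9
2020-10-12 08:11:02,789 fail2ban.actions        [812]: NOTICE  [sshd] Unban 198.51.100.7
2020-10-12 08:13:10,012 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.9
2020-10-12 09:20:00,345 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.9
2020-10-12 09:21:00,678 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.9 - 2020-10-12 09:20:59
2020-10-12 10:00:00,901 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.44'

# ban_counts [jail] -> "<count> <ip>" per IP, least-banned first; reads stdin.
# Fields from the right: $NF is the IP, $(NF-1) the action, $(NF-2) the jail.
ban_counts() {
    jail=${1:-sshd}
    awk -v jail="[$jail]" '
        NF > 2 && $(NF-2) == jail && $(NF-1) == "Ban" { n[$NF]++ }
        END { for (ip in n) print n[ip], ip }' | LC_ALL=C sort -n
}

# currently_banned [jail] -> IPs whose most recent action was Ban; reads stdin.
currently_banned() {
    jail=${1:-sshd}
    awk -v jail="[$jail]" '
        NF > 2 && $(NF-2) == jail && $(NF-1) == "Ban"   { b[$NF] = 1 }
        NF > 2 && $(NF-2) == jail && $(NF-1) == "Unban" { delete b[$NF] }
        END { for (ip in b) print ip }' | LC_ALL=C sort
}

# Demo on the constructed log; on the server use e.g.:
#   ban_counts sshd < /var/log/fail2ban.log
echo "bans per IP:"
printf '%s\n' "$SAMPLE_LOG" | ban_counts sshd
echo "currently banned:"
printf '%s\n' "$SAMPLE_LOG" | currently_banned sshd
```

The "currently banned" view is the one to compare against `fail2ban-client status sshd`: if an IP shows up in the log summary but not in the jail status (or the other way round), fail2ban was restarted or the log rotated, and the awk result is no longer the full picture.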
~$ iptables -S -v
~$ ip6tables -S -v
~$ iptables -L -v
~$ ip6tables -L -v
Other useful packages:
~$ apt install man htop nullmailer logcheck logcheck-database
Intel and AMD CPUs support native AES crypto acceleration (AES-NI). You can check whether it is enabled by looking for the "aes" flag:
~$ grep -w aes /proc/cpuinfo
If your server has IPMI, you can activate it yourself in the BIOS ;-)