[How-To] Meet Eth2 Staker Checklist requirements

It’s very important to keep your DAppNode properly configured for security and performance reasons.

Specially if you are staking or planning to stake, the Ethereum Foundation provides a checklist at the launchpad process highlighting some relevant points.

We want to help you get through them with this recommendations:

Security


1. Have you secured the root account?

If you have changed the host password in the UI then you are ok!. A request to change it is always prompted the first time you connect to your DAppNode. Once done, it will show this message under System > Security

2. Is SSH hardened on a random port?

DAppNode allows you to configure the ssh service in a personalized way.

Configure your SSH port and change it from the default 22. Furthermore, ssh service can be disabled/enabled when needed.

3. Do you have a firewall properly set up?

  • Make sure your Router have a firewall enabled
  • Check your router configuration to make sure your DAppNode is not the DMZ host

Future versions will assist you in ensuring this steps.

4. Are the necessary ports forwarded in the router to the correct machine(s)?

If you have enabled UPnP, DAppnode will take care of that for you. Otherwise, only open the ports that apply to your installation manually.

image

Configure time sync


1. For Ubuntu 20.04

  • Run timedatectl and check NTP Service is active.

    DAppNode runs on Debian, uses systemd-timesyncd and NTP Service is active - So you don’t have to worry about this.

  • Check if Local time, Time zone, and Universal time are all correct.

    Future DAppNode versions will allow you to set the correct local timezone but this does not affect you for staking, so you are OK.

Eth1 Client


Have you already installed and synced an Eth1 node on mainnet?

Just install an ETH1.X mainnet node as shown in the picture to match this requirement. There’s three available options at the moment.

Simulations


1. I have simulated how to manually stop and restart my Beacon Node (BN) and Validator Client (VC) gracefully.

You just need to go to the DAppNode UI > packages > Prysm and click restart

2. I have simulated power loss (server and internet) and automatic resumption.

DAppNode should start all the packages for you

3. I have simulated how to migrate from one Eth2 client to another Eth2 client.

  • Remove Prysm validator data volumes, completely remove the Prysm without data.

  • Wait for 5 finalized epochs after you removed the Prysm package.

    It’s very important to make sure the chain is finalizing, otherwise it’s better to wait.

  • After 5 finalized epochs import your keystores (you can derivate them again from the mnemonic) in a new validator.

Even if this whole process takes several hours your penalty will be really small, so be patient to avoid mistakes.

6 Likes

Awesome guide, few more question please :

-“Moreover, you can set your Validator Client (VC) and Beacon Node (BN) on separate machines and IPs so that even if your beacon node is vulnerable, your keystore is stored on a different machine.” is this something difficult to do with dappnode?

-How do you " Run timedatectl" I don’t see any command line interface

-If the computer I’m using to connect to dappnode through openVPN is infected, malicious attack are more likely to occur? Is it safer to disable openvpn and only use wifi to connect to dappnode? or only using tails to connect to dappnode?

thanks I’m really glad dappnode exist and there are thoses tutorials :slight_smile:

@ruvenni the simulation test should not be run on the test net, should be run on the real net once is validating?

I have an important question, how do I add validators to a dappnode I would like to test that? Thanks

You should at least try the simulations in a safe environment, and that means Prysm Pyrmont (test net!!!).

Same as I told you here

You can do it with DAppNode but setting two DAppNodes under the same network won’t match the requirement - they’ll be under the same IP - so you need two safe locations for them.

That’s only for Ubuntu and requires being capable of running terminal commands (not supported in the user interface).

Using an infected computer creates an attack vector, no matter if you are WiFi or VPN connected.

Ruvenni thanks for your answers!

I tried to used only tails on a usb stick to access my dappnode but it’s too difficult for me. What alternative you would recommend? An android those updated is fine? a usb stick with something easier to handle than tails? a fresh windows install?
Cheers

I don’t know what is ‘tails’ and what your are currently trying to do with it to be honest :sweat_smile:

tails is a usb stick with a secure OS.
It less likely to be infected when accessing the dappnode.

If i’m not home I can use the usb stick with tails on random computer to access my dappnode
But as I mentioned earlier it is too complicated for me to do this. I’m getting errors and can’t access my dappnode

I might do a secure usb stick with a windows OS.