# Collection of Tools, Scripts & Templates ## Ethereum-Specific
ToolsRisk mitigationDescriptionPurposeLinks
DoppelbusterSLS1
SLS14
SLS15		This tool operates independently from the Ethereum validator client, providing an extra layer of protection against double signing.prevent double signinghttps://github.com/SimplyStaking/DoppelBuster
ethereum-validators-monitoringGIR4Ethereum validators monitoring bot aimed to keep track of the validators performancemonitoring + alertshttps://github.com/lidofinance/ethereum-validators-monitoring
eth-block-proposal-monitorGIR4Monitor block proposals and rewards of validatorsmonitoring + alertshttps://github.com/SimplyStaking/eth-block-proposal-monitor
esdGIR4Watches for slashing events included on the Ethereum beacon chain and runs a script when foundmonitoring slashinghttps://github.com/attestantio/esd
vouch + dirkSLS1
DOW1
DOW2
DOW6
DOW7		Splits your validator keys and replaces the standard validator client software.multi-node validator clienthttps://github.com/attestantio/vouch
https://github.com/attestantio/dirk
web3signer
SLS1
DOW1
DOW2
DOW6
DOW7		Can sign on multiple platforms using private keys stored in an external vault, or encrypted on a diskvalidator clienthttps://github.com/Consensys/web3signer
## Monitoring
ToolsRisk mitigationDescriptionPurposeLinks
GrafanaGIR4
DOW1
DOW2
DOW3
DOW7
DOW15		Observability and data visualization platformmonitoring + alertshttps://grafana.com/docs/https://github.com/grafana/grafana
PrometheusGIR4
DOW1
DOW2
DOW3
DOW7
DOW15		Monitoring system and time series database.monitoring + alertshttps://prometheus.io/docs/introduction/overview/https://github.com/prometheus/prometheus
## Inventory tracking
ToolsRisk mitigationDescriptionPurposeLinks
Internal WikiKEC9Keep an updated inventory list, including the server type, purpose, and responsible team.trackinghttps://www.jetbrains.com/help/youtrack/server/knowledge-base.html
arp-scan, arpwatchKEC4
KEC7
SLS12
SLS13		Use automation tools to detect and report any unauthorized machinesdetectinghttps://man.archlinux.org/man/arp-scan.1.en
https://man.archlinux.org/man/arpwatch.8.en
## Automation
ToolsRisk mitigationDescriptionPurposeLinks
Ansible-PlaybooksGIR12
GIR21
GIR24
DOW6
DOW14
Leverage Ansible for automation of infrastructure deployment. Ensure consistency and reliability through version-controlled playbooksautomation of deploymenthttps://docs.ansible.com/ansible/latest/playbook_guide/playbooks_intro.html
HelmGIR12
GIR21
GIR24
DOW6
DOW14		The package manager for Kubernetes. Helm helps you manage Kubernetes applicationsautomation of deploymenthttps://helm.sh/
AWS-Launch TemplatesGIR12
GIR21
GIR24
DOW6
DOW14		Employ AWS Launch Templates for efficient and standardized instance provisioning. Push templates into a repository and ensure it is version-controlled. Leverage template parameters to customize instances as per specific requirements.automation of deploymenthttps://docs.aws.amazon.com/autoscaling/ec2/userguide/launch-templates.html
TerraformGIR12
GIR21
GIR24
DOW6
DOW14		Automate infrastructure on any cloudautomation of deploymenthttps://www.terraform.io/
## MFA on Servers
ToolsRisk mitigationDescriptionPurposeLinks
Google Authenticator PAM moduleGIR7
GIR14
KEC1
KEC7
KEC8
KEC9
KEC10
DOW16
DOW17
DOW18
SLS8
SLS9
SLS10		Implement MFA for all administrative access.secure your serverhttps://github.com/google/google-authenticator-libpam
YubiHSMGIR7
GIR14
KEC1
KEC7
KEC8
KEC9
KEC10
DOW16
DOW17
DOW18
SLS8
SLS9
SLS10		Hardware-based authentication methodssecure your serverhttps://developers.yubico.com/YubiHSM2/Usage_Guides/
SSH Key rotationGIR7
GIR14
KEC1
KEC7
KEC8
KEC9
KEC10
DOW16
DOW17
DOW18
SLS8
SLS9
SLS10		Use SSH Private Keys Instead of Passwordssecure your serverhttps://docs.aws.amazon.com/secretsmanager/
## Key Security
ToolsRisk mitigationDescriptionPurposeLinks
BitwardenGIR1
GIR6
GIR7
GIR22
KEC1
KEC2
KEC4		Store keys securely in a key vaultsecure your keys, access managementhttps://bitwarden.com/
VaultGIR1
GIR6
GIR7
GIR22
KEC1
KEC2
KEC4		Another key management store that seamlessly integrates your keys into your infrastructure, such as within a Kubernetes environmentsecure your keys, access managementhttps://www.vaultproject.io/
https://github.com/hashicorp/vault
## Firewall
ToolsRisk mitigationDescriptionPurposeLinks
UFWGIR9No direct SSH/RDP should be accessible from the internet.protect servershttps://wiki.archlinux.org/title/Uncomplicated_Firewall
AWS Security GroupsGIR9Control traffic to your AWS resources using security groups. Access should be enabled through an MFA-enabled VPN.protect servershttps://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-rule-characteristics
## IP-based DDoS Mitigation
ToolsRisk mitigationDescriptionPurposeLinks
fail2banDOW10Daemon to ban hosts that cause multiple authentication errorsDDoS protectionhttps://github.com/fail2ban/fail2ban
AWS ShieldDOW1
DOW3
DOW7
DOW10		All AWS customers benefit from the automatic protections of AWS Shield.DDoS protectionhttps://aws.amazon.com/shield/
Setup Nodeexporter for GrafanaGIR4Setup Grafana Alerts with thresholds for incoming and outgoing Traffic.Regularly monitor network traffic for anomalies.https://github.com/prometheus/node_exporter
## Engine API Being Filtered + Auth for Engine API
ToolsRisk mitigationDescriptionPurposeLinks
nginx, firewalls + your el/cl-configuration filesGIR9Filter access to the Engine API or disable unnecessary API's in your Beacon/Execution-layer nodes configuration files.*prevent api attackshttps://www.nginx.com/
\* Note \ By default, account unlocking is forbidden when HTTP or Websocket access is enabled (i.e. by passing --http or ws flag). This is because an attacker that manages to access the node via the externally-exposed HTTP/WS port can then control the unlocked account. It is possible to force account unlock by including the --allow-insecure-unlock flag but this is unsafe and not recommended except for expert users that completely understand how it can be used safely. This is not a hypothetical risk: there are bots that continually scan for http-enabled Ethereum nodes to attack ## VLAN Segmentation
ToolsRisk mitigationDescriptionPurposeLinks
mikrotikGIR10Group related servers and services into VLANs. Subnet and connect your network and cloud networks.Limit inter-VLAN routing to only necessary services with Site to Site IPsec (IKEv2) tunnelhttps://mikrotik.com/download, https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-SitetoSiteGREtunneloverIPsec(IKEv2)usingDNS
## OS Hardening
ToolsRisk mitigationDescriptionPurposeLinks
SELinuxGIR13
GIR14
GIR17
KEC7		Use hardening playbooks that automate many of these processes and activate SELinux.OS securityhttps://wiki.archlinux.org/title/Security, https://wiki.archlinux.org/title/SELinux
## EDR, SIEM, NDR
ToolsRisk mitigationDescriptionPurposeLinks
EDRGIR14EDR for endpoint-level visibilitysecure endpointmultiple provider
SIEMGIR15SIEM for comprehensive security event management and reporting.security events and reportinghttps://github.com/wazuh/wazuh
NDRGIR10NDR for network-level monitoring and response.monitor networkmultiple provider
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://duck-initiative.gitbook.io/d.u.c.k.-knowledge-base/mitigation-and-controls-library/collection-of-tools-scripts-and-templates.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.