Collection of Tools, Scripts & Templates
Ethereum-Specific
Tools | Risk mitigation | Description | Purpose | Links |
---|---|---|---|---|
Doppelbuster | SLS1 SLS14 SLS15 | This tool operates independently from the Ethereum validator client, providing an extra layer of protection against double signing. | prevent double signing | |
ethereum-validators-monitoring | GIR4 | Ethereum validators monitoring bot aimed to keep track of the validators performance | monitoring + alerts | |
eth-block-proposal-monitor | GIR4 | Monitor block proposals and rewards of validators | monitoring + alerts | |
esd | GIR4 | Watches for slashing events included on the Ethereum beacon chain and runs a script when found | monitoring slashing | |
vouch + dirk | SLS1 DOW1 DOW2 DOW6 DOW7 | Splits your validator keys and replaces the standard validator client software. | multi-node validator client | |
web3signer | DOW1 DOW2 DOW6 DOW7 | Signs on multiple platforms using private keys stored in an external vault or encrypted on disk | validator client | |
Monitoring
Tools | Risk mitigation | Description | Purpose | Links |
---|---|---|---|---|
Grafana | GIR4 DOW1 DOW2 DOW3 DOW7 DOW15 | Observability and data visualization platform | monitoring + alerts | |
Prometheus | GIR4 DOW1 DOW2 DOW3 DOW7 DOW15 | Monitoring system and time series database. | monitoring + alerts | |
Inventory tracking
Tools | Risk mitigation | Description | Purpose | Links |
---|---|---|---|---|
Internal Wiki | KEC9 | Keep an updated inventory list, including the server type, purpose, and responsible team. | tracking | |
arp-scan, arpwatch | KEC4 KEC7 SLS12 SLS13 | Use automation tools to detect and report any unauthorized machines on the network | detecting | |
Automation
Tools | Risk mitigation | Description | Purpose | Links |
---|---|---|---|---|
Ansible-Playbooks | GIR12 GIR21 GIR24 DOW6 DOW14 | Leverage Ansible for automation of infrastructure deployment. Ensure consistency and reliability through version-controlled playbooks | automation of deployment | |
Helm | GIR12 GIR21 GIR24 DOW6 DOW14 | The package manager for Kubernetes. Helm helps you manage Kubernetes applications | automation of deployment | |
AWS-Launch Templates | GIR12 GIR21 GIR24 DOW6 DOW14 | Employ AWS Launch Templates for efficient and standardized instance provisioning. Push templates into a repository and ensure it is version-controlled. Leverage template parameters to customize instances as per specific requirements. | automation of deployment | |
Terraform | GIR12 GIR21 GIR24 DOW6 DOW14 | Automate infrastructure on any cloud | automation of deployment | |
MFA on Servers
Tools | Risk mitigation | Description | Purpose | Links |
---|---|---|---|---|
Google Authenticator PAM module | GIR7 GIR14 KEC1 KEC7 KEC8 KEC9 KEC10 DOW16 DOW17 DOW18 SLS8 SLS9 SLS10 | Implement MFA for all administrative access. | secure your server | |
YubiHSM | GIR7 GIR14 KEC1 KEC7 KEC8 KEC9 KEC10 DOW16 DOW17 DOW18 SLS8 SLS9 SLS10 | Hardware-based authentication methods | secure your server | |
SSH Key rotation | GIR7 GIR14 KEC1 KEC7 KEC8 KEC9 KEC10 DOW16 DOW17 DOW18 SLS8 SLS9 SLS10 | Use SSH private keys instead of passwords, and rotate them regularly | secure your server | |
Key Security
Tools | Risk mitigation | Description | Purpose | Links |
---|---|---|---|---|
Bitwarden | GIR1 GIR6 GIR7 GIR22 KEC1 KEC2 KEC4 | Store keys securely in a key vault | secure your keys, access management | |
Vault | GIR1 GIR6 GIR7 GIR22 KEC1 KEC2 KEC4 | Another key management store that seamlessly integrates your keys into your infrastructure, such as within a Kubernetes environment | secure your keys, access management | |
Firewall
Tools | Risk mitigation | Description | Purpose | Links |
---|---|---|---|---|
UFW | GIR9 | No direct SSH/RDP should be accessible from the internet. | protect servers | |
AWS Security Groups | GIR9 | Control traffic to your AWS resources using security groups. Access should be enabled through an MFA-enabled VPN. | protect servers | |
IP-based DDoS Mitigation
Tools | Risk mitigation | Description | Purpose | Links |
---|---|---|---|---|
fail2ban | DOW10 | Daemon to ban hosts that cause multiple authentication errors | DDoS protection | |
AWS Shield | DOW1 DOW3 DOW7 DOW10 | All AWS customers benefit from the automatic protections of AWS Shield. | DDoS protection | |
Set up Node Exporter for Grafana | GIR4 | Set up Grafana alerts with thresholds for incoming and outgoing traffic. | regularly monitor network traffic for anomalies | |
Engine API Being Filtered + Auth for Engine API
Tools | Risk mitigation | Description | Purpose | Links |
---|---|---|---|---|
nginx, firewalls + your EL/CL configuration files | GIR9 | Filter access to the Engine API or disable unnecessary APIs in your beacon/execution-layer node configuration files.* | prevent API attacks | |
* Note: By default, account unlocking is forbidden when HTTP or WebSocket access is enabled (i.e. by passing the --http or --ws flag). This is because an attacker that manages to access the node via the externally-exposed HTTP/WS port can then control the unlocked account. It is possible to force account unlock by including the --allow-insecure-unlock flag, but this is unsafe and not recommended except for expert users that completely understand how it can be used safely. This is not a hypothetical risk: there are bots that continually scan for HTTP-enabled Ethereum nodes to attack.
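As an added example (not part of this page and not Geth's own tooling), the POSIX shell lint below checks a Geth command line for the exposure problems this section describes: --allow-insecure-unlock combined with an enabled HTTP/WS RPC, and the RPC or the Engine API (authrpc) bound to all interfaces instead of loopback. The flag names (--http, --ws, --http.addr, --ws.addr, --allow-insecure-unlock, --authrpc.addr, --authrpc.port, --authrpc.jwtsecret) are real Geth flags; the function names, the two command lines, the unlock address and the JWT secret path are constructed placeholders.

```shell
#!/bin/sh
# Added example: lint a Geth invocation for the risks described in the note above.
# Flag names are real Geth flags; everything else here is constructed for illustration.

# is_wildcard ADDR: true when ADDR binds every interface (0.0.0.0, ::, [::])
is_wildcard() {
    case "$1" in
        0.0.0.0|::|\[::\]) return 0 ;;
    esac
    return 1
}

# audit_geth_flags "<command line>": prints one FINDING line per problem found,
# returns 0 when the command line is clean and 1 when at least one finding exists.
audit_geth_flags() {
    findings=0
    rpc_enabled=0
    unlock_forced=0
    rpc_addr="localhost"       # Geth default for --http.addr / --ws.addr
    authrpc_addr="localhost"   # Geth default for --authrpc.addr (Engine API)
    prev=""
    for tok in $1; do
        case "$tok" in
            --http|--ws) rpc_enabled=1 ;;
            --allow-insecure-unlock) unlock_forced=1 ;;
            --http.addr=*|--ws.addr=*) rpc_addr="${tok#*=}" ;;
            --authrpc.addr=*) authrpc_addr="${tok#*=}" ;;
        esac
        # also accept the space-separated spelling, e.g. "--authrpc.addr 0.0.0.0"
        case "$prev" in
            --http.addr|--ws.addr) rpc_addr="$tok" ;;
            --authrpc.addr) authrpc_addr="$tok" ;;
        esac
        prev="$tok"
    done

    # Geth itself refuses --unlock alongside --http/--ws unless this flag forces it on
    if [ "$rpc_enabled" -eq 1 ] && [ "$unlock_forced" -eq 1 ]; then
        echo "FINDING: --allow-insecure-unlock with the HTTP/WS RPC enabled: anyone reaching the RPC port controls the unlocked accounts"
        findings=$((findings + 1))
    fi
    if [ "$rpc_enabled" -eq 1 ] && is_wildcard "$rpc_addr"; then
        echo "FINDING: HTTP/WS RPC bound to $rpc_addr; bind it to loopback or keep it behind the firewall / MFA VPN"
        findings=$((findings + 1))
    fi
    if is_wildcard "$authrpc_addr"; then
        echo "FINDING: Engine API bound to $authrpc_addr; bind it to loopback or the CL node's private address and filter the port"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed command lines: the weak invocation beside the hardened one.
# The unlock address and the JWT secret path are placeholders.
GETH_WEAK="geth --http --http.addr 0.0.0.0 --allow-insecure-unlock --unlock 0x0000000000000000000000000000000000000000 --authrpc.addr 0.0.0.0"
GETH_HARDENED="geth --http --http.addr 127.0.0.1 --authrpc.addr 127.0.0.1 --authrpc.port 8551 --authrpc.jwtsecret /path/to/jwt.hex"

echo "== weak (constructed) =="
audit_geth_flags "$GETH_WEAK" || :
echo "== hardened (constructed) =="
audit_geth_flags "$GETH_HARDENED" && echo "clean"
```

Run it against the arguments your service unit or container actually passes to geth; the hardened line keeps the RPC and the Engine API on loopback so that only the co-located consensus client and local tooling can reach them, which is the filtering the table row above asks for.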
VLAN Segmentation
Tools | Risk mitigation | Description | Purpose | Links |
---|---|---|---|---|
MikroTik | GIR10 | Group related servers and services into VLANs. Subnet and connect your local and cloud networks. | limit inter-VLAN routing to only necessary services, using a site-to-site IPsec (IKEv2) tunnel between sites | |
OS Hardening
Tools | Risk mitigation | Description | Purpose | Links |
---|---|---|---|---|
SELinux | GIR13 GIR14 GIR17 KEC7 | Use hardening playbooks that automate many of these processes and activate SELinux. | OS security | |
EDR, SIEM, NDR
Tools | Risk mitigation | Description | Purpose | Links |
---|---|---|---|---|
EDR | GIR14 | EDR for endpoint-level visibility | secure endpoint | multiple providers |
SIEM | GIR15 | SIEM for comprehensive security event management and reporting. | security events and reporting | |
NDR | GIR10 | NDR for network-level monitoring and response. | monitor network | multiple providers |