Collection of Tools, Scripts & Templates

Ethereum-Specific

| Tool | Recommendation IDs | Description | Purpose |
|---|---|---|---|
| Doppelbuster | SLS1 SLS14 SLS15 | This tool operates independently from the Ethereum validator client, providing an extra layer of protection against double signing. | prevent double signing |
| ethereum-validators-monitoring | GIR4 | Ethereum validators monitoring bot aimed at keeping track of validator performance | monitoring + alerts |
| eth-block-proposal-monitor | GIR4 | Monitor block proposals and rewards of validators | monitoring + alerts |
| esd | GIR4 | Watches for slashing events included on the Ethereum beacon chain and runs a script when one is found | monitoring slashing |
| vouch + dirk | SLS1 DOW1 DOW2 DOW6 DOW7 | Splits your validator keys and replaces the standard validator client software. | multi-node validator client |
| web3signer | SLS1 DOW1 DOW2 DOW6 DOW7 | Can sign on multiple platforms using private keys stored in an external vault, or encrypted on disk | validator client |

Monitoring

| Tool | Recommendation IDs | Description | Purpose |
|---|---|---|---|
| Grafana | GIR4 DOW1 DOW2 DOW3 DOW7 DOW15 | Observability and data visualization platform | monitoring + alerts |
| Prometheus | GIR4 DOW1 DOW2 DOW3 DOW7 DOW15 | Monitoring system and time series database. | monitoring + alerts |

Inventory tracking

| Tool | Recommendation IDs | Description | Purpose |
|---|---|---|---|
| Internal Wiki | KEC9 | Keep an updated inventory list, including the server type, purpose, and responsible team. | tracking |
| arp-scan, arpwatch | KEC4 KEC7 SLS12 SLS13 | Use automation tools to detect and report any unauthorized machines | detecting |

Automation

| Tool | Recommendation IDs | Description | Purpose |
|---|---|---|---|
| Ansible-Playbooks | GIR12 GIR21 GIR24 DOW6 DOW14 | Leverage Ansible for automation of infrastructure deployment. Ensure consistency and reliability through version-controlled playbooks | automation of deployment |
| Helm | GIR12 GIR21 GIR24 DOW6 DOW14 | The package manager for Kubernetes. Helm helps you manage Kubernetes applications | automation of deployment |
| AWS-Launch Templates | GIR12 GIR21 GIR24 DOW6 DOW14 | Employ AWS Launch Templates for efficient and standardized instance provisioning. Push templates into a repository and ensure it is version-controlled. Leverage template parameters to customize instances as per specific requirements. | automation of deployment |
| Terraform | GIR12 GIR21 GIR24 DOW6 DOW14 | Automate infrastructure on any cloud | automation of deployment |

MFA on Servers

| Tool | Recommendation IDs | Description | Purpose |
|---|---|---|---|
| Google Authenticator PAM module | GIR7 GIR14 KEC1 KEC7 KEC8 KEC9 KEC10 DOW16 DOW17 DOW18 SLS8 SLS9 SLS10 | Implement MFA for all administrative access. | secure your server |
| YubiHSM | GIR7 GIR14 KEC1 KEC7 KEC8 KEC9 KEC10 DOW16 DOW17 DOW18 SLS8 SLS9 SLS10 | Hardware-based authentication methods | secure your server |
| SSH Key rotation | GIR7 GIR14 KEC1 KEC7 KEC8 KEC9 KEC10 DOW16 DOW17 DOW18 SLS8 SLS9 SLS10 | Use SSH private keys instead of passwords | secure your server |

Key Security

| Tool | Recommendation IDs | Description | Purpose |
|---|---|---|---|
| Bitwarden | GIR1 GIR6 GIR7 GIR22 KEC1 KEC2 KEC4 | Store keys securely in a key vault | secure your keys, access management |
| Vault | GIR1 GIR6 GIR7 GIR22 KEC1 KEC2 KEC4 | Another key management store that seamlessly integrates your keys into your infrastructure, such as within a Kubernetes environment | secure your keys, access management |

Firewall

| Tool | Recommendation IDs | Description | Purpose |
|---|---|---|---|
| UFW | GIR9 | No direct SSH/RDP should be accessible from the internet. | protect servers |
| AWS Security Groups | GIR9 | Control traffic to your AWS resources using security groups. Access should be enabled through an MFA-enabled VPN. | protect servers |

IP-based DDoS Mitigation

| Tool | Recommendation IDs | Description | Purpose |
|---|---|---|---|
| fail2ban | DOW10 | Daemon to ban hosts that cause multiple authentication errors | DDoS protection |
| AWS Shield | DOW1 DOW3 DOW7 DOW10 | All AWS customers benefit from the automatic protections of AWS Shield. | DDoS protection |
| Setup Node Exporter for Grafana | GIR4 | Set up Grafana alerts with thresholds for incoming and outgoing traffic. | Regularly monitor network traffic for anomalies. |

Engine API Being Filtered + Auth for Engine API

| Tool | Recommendation IDs | Description | Purpose |
|---|---|---|---|
| nginx, firewalls + your EL/CL configuration files | GIR9 | Filter access to the Engine API or disable unnecessary APIs in your Beacon/Execution-layer node configuration files.* | prevent API attacks |

* Note: By default, account unlocking is forbidden when HTTP or WebSocket access is enabled (i.e. by passing the `--http` or `--ws` flag). This is because an attacker that manages to access the node via the externally exposed HTTP/WS port can then control the unlocked account. It is possible to force account unlock by including the `--allow-insecure-unlock` flag, but this is unsafe and not recommended except for expert users that completely understand how it can be used safely. This is not a hypothetical risk: there are bots that continually scan for HTTP-enabled Ethereum nodes to attack.

VLAN Segmentation

| Tool | Recommendation IDs | Description | Purpose |
|---|---|---|---|
| mikrotik | GIR10 | Group related servers and services into VLANs. Subnet and connect your network and cloud networks. | Limit inter-VLAN routing to only necessary services with a Site-to-Site IPsec (IKEv2) tunnel |

OS Hardening

| Tool | Recommendation IDs | Description | Purpose |
|---|---|---|---|
| SELinux | GIR13 GIR14 GIR17 KEC7 | Use hardening playbooks that automate many of these processes and activate SELinux. | OS security |

EDR, SIEM, NDR

| Tool | Recommendation IDs | Description | Purpose |
|---|---|---|---|
| EDR (multiple providers) | GIR14 | EDR for endpoint-level visibility | secure endpoint |
| SIEM | GIR15 | SIEM for comprehensive security event management and reporting. | security events and reporting |
| NDR (multiple providers) | GIR10 | NDR for network-level monitoring and response. | monitor network |