Collection of Tools, Scripts & Templates

Ethereum-Specific

| Tools | Risk mitigation | Description | Purpose | Links |
|---|---|---|---|---|
| Doppelbuster | SLS1 SLS14 SLS15 | This tool operates independently from the Ethereum validator client, providing an extra layer of protection against double signing. | prevent double signing | |
| ethereum-validators-monitoring | GIR4 | Ethereum validators monitoring bot aimed at keeping track of validator performance | monitoring + alerts | |
| eth-block-proposal-monitor | GIR4 | Monitor block proposals and rewards of validators | monitoring + alerts | |
| esd | GIR4 | Watches for slashing events included on the Ethereum beacon chain and runs a script when one is found | monitoring slashing | |
| vouch + dirk | SLS1 DOW1 DOW2 DOW6 DOW7 | Splits your validator keys and replaces the standard validator client software. | multi-node validator client | |
| web3signer | DOW1 DOW2 DOW6 DOW7 | Can sign on multiple platforms using private keys stored in an external vault, or encrypted on disk | validator client | |

Monitoring

| Tools | Risk mitigation | Description | Purpose | Links |
|---|---|---|---|---|
| Grafana | GIR4 DOW1 DOW2 DOW3 DOW7 DOW15 | Observability and data visualization platform | monitoring + alerts | |
| Prometheus | GIR4 DOW1 DOW2 DOW3 DOW7 DOW15 | Monitoring system and time series database. | monitoring + alerts | |

Inventory tracking

| Tools | Risk mitigation | Description | Purpose | Links |
|---|---|---|---|---|
| Internal Wiki | KEC9 | Keep an updated inventory list, including the server type, purpose, and responsible team. | tracking | |
| arp-scan, arpwatch | KEC4 KEC7 SLS12 SLS13 | Use automation tools to detect and report any unauthorized machines | detecting | |

Automation

| Tools | Risk mitigation | Description | Purpose | Links |
|---|---|---|---|---|
| Ansible Playbooks | GIR12 GIR21 GIR24 DOW6 DOW14 | Leverage Ansible for automation of infrastructure deployment. Ensure consistency and reliability through version-controlled playbooks | automation of deployment | |
| Helm | GIR12 GIR21 GIR24 DOW6 DOW14 | The package manager for Kubernetes. Helm helps you manage Kubernetes applications | automation of deployment | |
| AWS Launch Templates | GIR12 GIR21 GIR24 DOW6 DOW14 | Employ AWS Launch Templates for efficient and standardized instance provisioning. Push templates into a repository and ensure they are version-controlled. Leverage template parameters to customize instances as per specific requirements. | automation of deployment | |
| Terraform | GIR12 GIR21 GIR24 DOW6 DOW14 | Automate infrastructure on any cloud | automation of deployment | |

MFA on Servers

| Tools | Risk mitigation | Description | Purpose | Links |
|---|---|---|---|---|
| Google Authenticator PAM module | GIR7 GIR14 KEC1 KEC7 KEC8 KEC9 KEC10 DOW16 DOW17 DOW18 SLS8 SLS9 SLS10 | Implement MFA for all administrative access. | secure your server | |
| YubiHSM | GIR7 GIR14 KEC1 KEC7 KEC8 KEC9 KEC10 DOW16 DOW17 DOW18 SLS8 SLS9 SLS10 | Hardware-based authentication methods | secure your server | |
| SSH key rotation | GIR7 GIR14 KEC1 KEC7 KEC8 KEC9 KEC10 DOW16 DOW17 DOW18 SLS8 SLS9 SLS10 | Use SSH private keys instead of passwords | secure your server | |

Key Security

| Tools | Risk mitigation | Description | Purpose | Links |
|---|---|---|---|---|
| Bitwarden | GIR1 GIR6 GIR7 GIR22 KEC1 KEC2 KEC4 | Store keys securely in a key vault | secure your keys, access management | |
| Vault | GIR1 GIR6 GIR7 GIR22 KEC1 KEC2 KEC4 | Another key management store that seamlessly integrates your keys into your infrastructure, such as within a Kubernetes environment | secure your keys, access management | |

Firewall

| Tools | Risk mitigation | Description | Purpose | Links |
|---|---|---|---|---|
| UFW | GIR9 | No direct SSH/RDP should be accessible from the internet. | protect servers | |
| AWS Security Groups | GIR9 | Control traffic to your AWS resources using security groups. Access should be enabled through an MFA-enabled VPN. | protect servers | |

IP-based DDoS Mitigation

| Tools | Risk mitigation | Description | Purpose | Links |
|---|---|---|---|---|
| fail2ban | DOW10 | Daemon to ban hosts that cause multiple authentication errors | DDoS protection | |
| AWS Shield | DOW1 DOW3 DOW7 DOW10 | All AWS customers benefit from the automatic protections of AWS Shield. | DDoS protection | |
| Set up Node Exporter for Grafana | GIR4 | Set up Grafana alerts with thresholds for incoming and outgoing traffic. | Regularly monitor network traffic for anomalies. | |

Engine API Being Filtered + Auth for Engine API

| Tools | Risk mitigation | Description | Purpose | Links |
|---|---|---|---|---|
| nginx, firewalls + your EL/CL configuration files | GIR9 | Filter access to the Engine API or disable unnecessary APIs in your beacon/execution-layer node configuration files.* | prevent API attacks | |

* Note: By default, account unlocking is forbidden when HTTP or WebSocket access is enabled (i.e. by passing the --http or --ws flag). This is because an attacker that manages to access the node via the externally-exposed HTTP/WS port can then control the unlocked account. It is possible to force account unlock by including the --allow-insecure-unlock flag, but this is unsafe and not recommended except for expert users that completely understand how it can be used safely. This is not a hypothetical risk: there are bots that continually scan for HTTP-enabled Ethereum nodes to attack.

VLAN Segmentation

| Tools | Risk mitigation | Description | Purpose | Links |
|---|---|---|---|---|
| mikrotik | GIR10 | Group related servers and services into VLANs. Subnet and connect your on-premises and cloud networks. | Limit inter-VLAN routing to only necessary services with a site-to-site IPsec (IKEv2) tunnel | |

OS Hardening

| Tools | Risk mitigation | Description | Purpose | Links |
|---|---|---|---|---|
| SELinux | GIR13 GIR14 GIR17 KEC7 | Use hardening playbooks that automate many of these processes and activate SELinux. | OS security | |

EDR, SIEM, NDR

| Tools | Risk mitigation | Description | Purpose | Links |
|---|---|---|---|---|
| EDR | GIR14 | EDR for endpoint-level visibility | secure endpoint | multiple providers |
| SIEM | GIR15 | SIEM for comprehensive security event management and reporting. | security events and reporting | |
| NDR | GIR10 | NDR for network-level monitoring and response. | monitor network | multiple providers |
