Collection of Tools, Scripts & Templates

Ethereum-Specific

Tools
Risk mitigation
Description
Purpose
Links

Doppelbuster

SLS1 SLS14 SLS15

This tool operates independently from the Ethereum validator client, providing an extra layer of protection against double signing.

prevent double signing

ethereum-validators-monitoring

GIR4

Ethereum validators monitoring bot aimed to keep track of the validators performance

monitoring + alerts

eth-block-proposal-monitor

GIR4

Monitor block proposals and rewards of validators

monitoring + alerts

esd

GIR4

Watches for slashing events included on the Ethereum beacon chain and runs a script when found

monitoring slashing

vouch + dirk

SLS1 DOW1 DOW2 DOW6 DOW7

Splits your validator keys and replaces the standard validator client software.

multi-node validator client

web3signer

SLS1 DOW1 DOW2 DOW6 DOW7

Can sign on multiple platforms using private keys stored in an external vault, or encrypted on a disk

validator client

Monitoring

Tools
Risk mitigation
Description
Purpose
Links

Grafana

GIR4 DOW1 DOW2 DOW3 DOW7 DOW15

Observability and data visualization platform

monitoring + alerts

Prometheus

GIR4 DOW1 DOW2 DOW3 DOW7 DOW15

Monitoring system and time series database.

monitoring + alerts

Inventory tracking

Tools
Risk mitigation
Description
Purpose
Links

Internal Wiki

KEC9

Keep an updated inventory list, including the server type, purpose, and responsible team.

tracking

arp-scan, arpwatch

KEC4 KEC7 SLS12 SLS13

Use automation tools to detect and report any unauthorized machines

detecting

Automation

Tools
Risk mitigation
Description
Purpose
Links

Ansible-Playbooks

GIR12 GIR21 GIR24 DOW6 DOW14

Leverage Ansible for automation of infrastructure deployment. Ensure consistency and reliability through version-controlled playbooks

automation of deployment

Helm

GIR12 GIR21 GIR24 DOW6 DOW14

The package manager for Kubernetes. Helm helps you manage Kubernetes applications

automation of deployment

AWS-Launch Templates

GIR12 GIR21 GIR24 DOW6 DOW14

Employ AWS Launch Templates for efficient and standardized instance provisioning. Push templates into a repository and ensure it is version-controlled. Leverage template parameters to customize instances as per specific requirements.

automation of deployment

Terraform

GIR12 GIR21 GIR24 DOW6 DOW14

Automate infrastructure on any cloud

automation of deployment

MFA on Servers

Tools
Risk mitigation
Description
Purpose
Links

Google Authenticator PAM module

GIR7 GIR14 KEC1 KEC7 KEC8 KEC9 KEC10 DOW16 DOW17 DOW18 SLS8 SLS9 SLS10

Implement MFA for all administrative access.

secure your server

YubiHSM

GIR7 GIR14 KEC1 KEC7 KEC8 KEC9 KEC10 DOW16 DOW17 DOW18 SLS8 SLS9 SLS10

Hardware-based authentication methods

secure your server

SSH Key rotation

GIR7 GIR14 KEC1 KEC7 KEC8 KEC9 KEC10 DOW16 DOW17 DOW18 SLS8 SLS9 SLS10

Use SSH Private Keys Instead of Passwords

secure your server

Key Security

Tools
Risk mitigation
Description
Purpose
Links

Bitwarden

GIR1 GIR6 GIR7 GIR22 KEC1 KEC2 KEC4

Store keys securely in a key vault

secure your keys, access management

Vault

GIR1 GIR6 GIR7 GIR22 KEC1 KEC2 KEC4

Another key management store that seamlessly integrates your keys into your infrastructure, such as within a Kubernetes environment

secure your keys, access management

Firewall

Tools
Risk mitigation
Description
Purpose
Links

UFW

GIR9

No direct SSH/RDP should be accessible from the internet.

protect servers

AWS Security Groups

GIR9

Control traffic to your AWS resources using security groups. Access should be enabled through an MFA-enabled VPN.

protect servers

IP-based DDoS Mitigation

Tools
Risk mitigation
Description
Purpose
Links

fail2ban

DOW10

Daemon to ban hosts that cause multiple authentication errors

DDoS protection

AWS Shield

DOW1 DOW3 DOW7 DOW10

All AWS customers benefit from the automatic protections of AWS Shield.

DDoS protection

Setup Nodeexporter for Grafana

GIR4

Setup Grafana Alerts with thresholds for incoming and outgoing Traffic.

Regularly monitor network traffic for anomalies.

Engine API Being Filtered + Auth for Engine API

Tools
Risk mitigation
Description
Purpose
Links

nginx, firewalls + your el/cl-configuration files

GIR9

Filter access to the Engine API or disable unnecessary API's in your Beacon/Execution-layer nodes configuration files.*

prevent api attacks

* Note By default, account unlocking is forbidden when HTTP or Websocket access is enabled (i.e. by passing --http or ws flag). This is because an attacker that manages to access the node via the externally-exposed HTTP/WS port can then control the unlocked account. It is possible to force account unlock by including the --allow-insecure-unlock flag but this is unsafe and not recommended except for expert users that completely understand how it can be used safely. This is not a hypothetical risk: there are bots that continually scan for http-enabled Ethereum nodes to attack

VLAN Segmentation

Tools
Risk mitigation
Description
Purpose
Links

mikrotik

GIR10

Group related servers and services into VLANs. Subnet and connect your network and cloud networks.

Limit inter-VLAN routing to only necessary services with Site to Site IPsec (IKEv2) tunnel

OS Hardening

Tools
Risk mitigation
Description
Purpose
Links

SELinux

GIR13 GIR14 GIR17 KEC7

Use hardening playbooks that automate many of these processes and activate SELinux.

OS security

EDR, SIEM, NDR

Tools
Risk mitigation
Description
Purpose
Links

EDR

GIR14

EDR for endpoint-level visibility

secure endpoint

multiple provider

SIEM

GIR15

SIEM for comprehensive security event management and reporting.

security events and reporting

NDR

GIR10

NDR for network-level monitoring and response.

monitor network

multiple provider

Last updated