Node Security Practices

Manage Digital Keys With HSM

Key management is mission-critical for validators. If an attacker gains access to a validator's private key, it puts the validator's entire delegated stake at risk. Hardware security modules are an important strategy for mitigating this risk.

Consider implementing this key-management method by Iqlusion.

Horcrux is a multi-party-computation (MPC) signing service designed for CometBFT (formerly known as Tendermint) nodes. It helps elevate the security and availability of your validator's infrastructure.

Using a cluster of signer nodes instead of a remote signer enables high availability (HA) for block signing through fault tolerance. It also enhances the security of your validator private key by distributing it among multiple private signer nodes using threshold Ed25519 signatures.

Overall, Horcrux helps achieve heightened security and availability without compromising block-signing performance. To learn how to upgrade your validator infrastructure with Horcrux, check out the official documentation.

Defend Against DDoS Attacks

Validators are responsible for ensuring that the network can defend against distributed denial-of-service (DDoS) attacks.

Validators can mitigate these attacks by carefully structuring their network topology in a sentry node architecture.

Validator nodes should only connect to full nodes that they trust. These nodes can be run by the same validator or other validators that they know. A validator node will typically run in a data center and most data centers provide direct links to major cloud providers. A validator can use these links to connect to sentry nodes in the cloud. This shifts the burden of denial-of-service from the validator's node directly to its sentry nodes. This may require new sentry nodes to be spun up or activated to mitigate attacks on existing ones.

Sentry nodes can be quickly spun up or have their IP addresses changed. Because links to the sentry nodes are in private IP space, an internet-based attack cannot directly disturb them. This ensures that a validator's block proposals and votes always make it to the rest of the network.

Learn more about sentry-node architecture.

  1. For validator nodes, edit the config.toml:

```toml
# Comma separated list of nodes to keep persistent connections to.
# Do not add private peers to this list if you don't want them advertised.
persistent_peers = "comma separated list of sentry node addresses"

# Set to true to enable the peer-exchange reactor.
pex = false
```

  2. For sentry nodes, edit the config.toml:

```toml
# Comma separated list of nodes to keep persistent connections to.
# Do not add private peers to this list if you don't want them advertised.
persistent_peers = "validator node address"

# Comma separated list of peer IDs to keep private (will not be gossiped to other peers).
private_peer_ids = "nodeid of the validator"
```

TIP

A node address has the following format: `nodeid@ip:port`. You can get the nodeid by running `berad comet show-node-id`. The default port is 26656.