Greets all,

I hope that you are all well. I was going to do this all in one post but it was going to look horrible. So, in this blog post I am going to explain how to build a zencash node from a fresh Ubuntu 17.04 install. In a later blog post I will detail the instructions to turn the base node into a securenode.

Although this tutorial is based on Ubuntu 17.04, it should work with previous versions of the OS. I won't go into the details of configuring a VPS as there are many types and providers out there. However, I will advise that at a minimum you should have 1GB of RAM and provide sufficient swap space (>= 4 GB). I will provide instructions on how to increase your swap space from inside the OS and not the VPS provider console.

So let's get started.

PLEASE DO NOT RUN YOUR NODE AS ROOT

I cannot stress this enough, please review this blog post as to why running your node as root or with elevated privileges is a bad idea.

Pre-configuration

For ease of use we are going to edit our hosts file so we do not have to remember the IP address of your node. If you are setting your node up on a VPS, you can get your IP address from your VPS provider. This part is to be done on your local machine.

For *nix-based operating systems, you need to edit the /etc/hosts file and add at the bottom of that file your IP address and the hostname you want to call your node.

For Windows-based systems, you need to edit c:\Windows\System32\Drivers\etc\hosts and add the IP address and the hostname you want to call your node.

Step 1 - Creating your standard user

User creation

Skip this section if you have already created a standard user.

This is one of the most important steps in the whole process of configuring your node. The standard user is what we will use to run all the daemons and software for use in your securenode.

You are most probably logged into your VPS via the console as the root user.
First we use the adduser command while logged in as root through your VPS console. So let's go ahead and create a new user by running:
adduser <username> && adduser <username> sudo
You will need to change <username> to your chosen username.

Enter the information that is required.

The process you just completed created a new user and then added the user to the sudo group. Addition to the sudo group is important as this is the group that gives our standard account access to the sudo command.

Once you have created the standard user you can log out from your VPS as root, and you should not use the root account again unless you absolutely need to.

Simplifying node login

Skip this section if using Windows as I do not know the Windows equivalent.
To simplify login, we are going to copy the public half of your authentication key-pair to the node. This part is optional but very useful. You can then exit and log in again, and you will not have to type your password! Run the following command from your local machine:
ssh-copy-id <username>@<hostname>
then disconnect from the node using:
exit
then finally test the connection:
ssh <username>@<hostname>
You should now be connected to your node and not require the password each time you connect.

If you get an error saying that you do not have a key-pair, run the following command and then repeat the commands above:
ssh-keygen -b 4096
This command will create the key-pair and store it on your local machine.

Disconnect from your node by entering exit in the console.

Step 2 - Securing your node

The second most important step in setting up your node is to secure it. Some say it is the most important, but for me, not being able to execute system-level processes that modify the system or access protected areas is the most important. Securing the node can be done by limiting the types of remote login permissible, adding a firewall, and configuring tools to recognise brute-force attempts to compromise your node and ban them.

Let's go ahead and log in to your node using ssh, or you can use PuTTY or some other ssh application.

ssh <username>@<hostname>

If you added the key-pair you should not be prompted for a password and you will be logged in using your standard user account.

Securing sshd

First we are going to remove the ability to log in remotely with the root user using ssh to your node. This can be done by editing /etc/ssh/sshd_config. You can do this with your favourite editor, but I will be using nano, so my command is:
sudo nano /etc/ssh/sshd_config

Scroll to the authentication section. You will see something similar to the next image.
Screen-Shot-2017-10-26-at-9.24.52-am

Modify the line for #PermitRootLogin prohibit-password to PermitRootLogin no. You should have something similar to the next image.
Screen-Shot-2017-10-26-at-9.27.01-am

Optional: To secure the sshd even further, and if you previously added your key-pair to the server, you can change the line #PubkeyAuthentication yes to PubkeyAuthentication yes

Save your file. If you are using nano, press control+o to save, and then control+x to exit.

Now restart your sshd service to accept the new configuration. This is done by running:
sudo systemctl restart sshd.service
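
A quick way to confirm the edits took effect, as an added example that is not part of the original post. The helper names sshd_effective and audit_sshd are made up here, and the script assumes the OpenSSH defaults (PermitRootLogin prohibit-password, PubkeyAuthentication yes, PasswordAuthentication yes) for any keyword left commented out; it also reports whether password logins are still accepted, which uncommenting PubkeyAuthentication alone does not change.

```shell
#!/bin/sh
# Added example (not from the original post): audit the sshd settings edited above.

# sshd_effective FILE KEYWORD DEFAULT
# Prints the value sshd would use for KEYWORD in the global section of FILE:
# the first uncommented occurrence wins, otherwise the built-in DEFAULT applies.
sshd_effective() {
    awk -F '[ \t=]+' -v key="$2" -v def="$3" '
        { sub(/^[ \t]+/, "") }                   # drop leading whitespace
        /^#/ || /^$/ { next }                    # comments and blank lines are ignored
        tolower($1) == "match" { exit }          # Match blocks are conditional, stop there
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> returns 0 only if root login is off and key-pair login is on
audit_sshd() {
    f="$1"; rc=0
    [ "$(sshd_effective "$f" PermitRootLogin prohibit-password)" = "no" ] \
        || { echo "WARN: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_effective "$f" PubkeyAuthentication yes)" = "yes" ] \
        || { echo "WARN: PubkeyAuthentication is not 'yes'"; rc=1; }
    [ "$(sshd_effective "$f" PasswordAuthentication yes)" = "no" ] \
        || echo "NOTE: password logins are still accepted (PasswordAuthentication)"
    return "$rc"
}

# Constructed sample: the authentication section after the edits in this post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
#PasswordAuthentication yes
EOF
audit_sshd "$sample" || true
rm -f "$sample"
```

On the node, run audit_sshd /etc/ssh/sshd_config before restarting the service; sudo sshd -t additionally checks the file for syntax errors.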

Add a firewall

Next we are going to add a firewall to the node. First let's check to see if the firewall is running:
sudo ufw status
The status should be inactive.
Let's now add some rules.
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ssh/tcp
sudo ufw limit ssh/tcp
sudo ufw allow http/tcp
sudo ufw allow https/tcp
sudo ufw allow 9033/tcp
sudo ufw allow 19033/tcp # and/or this one, for testnet
sudo ufw logging on
sudo ufw enable

After running the previous commands you will have configured the firewall to allow outgoing connections by default, deny incoming connections by default, allow and limit ssh, allow http, https, and ports 9033 and/or 19033 (if you want testnet). Logging is also switched on, and finally the firewall is enabled.

When you run sudo ufw status now you should have Status: active.

Basic intrusion detection using Fail2Ban

This will stop various people on the Internet from running non-stop dictionary attacks against your system. Well, it will slow them down. After 10 failed login attempts from a single IP address, it blocks that IP address from trying to login again for 10 minutes. Better than no protection, anyway.

Some people may think this is redundant since we have limited the sshd connections to PubkeyAuthentication, if the key-pairs were added to the server, but I think it is still a good idea to use.

To install Fail2Ban you run the following:
sudo apt -y install fail2ban
Now let's enable the fail2ban service:
sudo systemctl enable fail2ban
And finally start the service:
sudo systemctl start fail2ban

If you are interested in seeing what fail2ban is actually doing, watch your fail2ban log for a little while. That's the great thing about servers: they write things down when things are going well, and especially when things are going badly. In Linux, all those logs are readable. Here is one way to look at the fail2ban log. Run the command:
sudo tail -f /var/log/fail2ban.log
Type control-c to exit the tail application.

Step 3 - Adding more swap

A lot of VPS providers limit the amount of swap you can use. However, there is a workaround that allows you to add more swap. This can be done by running the following commands:
sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

Next you need to edit /etc/sysctl.conf using your favourite editor.
sudo nano /etc/sysctl.conf
and add the following line to the bottom of the file:
vm.swappiness=10

Next we need to edit /etc/fstab using your favourite editor:
sudo nano /etc/fstab
and add the following to the bottom of that file:
/swapfile none swap sw 0 0

Reboot your node using sudo reboot and when it restarts you should have the additional swap.

Step 4 - Installing from APT repo or Building the zencash software from source

We are now getting to the meat of the build, and the main reason why everyone is here, am I right? So let's go ahead and start building the zencash software stack.

Option 1 - Installing from APT repo

This method is faster than building from source. To install using the APT repo please follow these steps:
The first command will update your APT repositories:
sudo apt-get update

This next command will install the required pre-requisites:
sudo apt-get install apt-transport-https lsb-release

Now we need to add the download path for the zencash APT repo to the APT sources:
echo 'deb https://zencashofficial.github.io/repo/ '$(lsb_release -cs)' main' | sudo tee --append /etc/apt/sources.list.d/zen.list

We now get the gpg keys to verify the files from the APT repo:
gpg --keyserver ha.pool.sks-keyservers.net --recv 219F55740BBF7A1CE368BA45FB7053CE4991B669
Next we install the key to the APT cache:
gpg --export 219F55740BBF7A1CE368BA45FB7053CE4991B669 | sudo apt-key add -

Now we update the APT package lists again so that they include the zencash repository:
sudo apt-get update

Install the zen software:
sudo apt-get install zen # to install Zen

Then download the Zen parameters:
zen-fetch-params

And then run the zend daemon to create the hidden ~/.zen directory and necessary files.
zend
It will present the following message:

WARNING:
Automatically copying the default config file to ~/.zen/zen.conf.
This is a potential risk, as zend might accidentally compromise
your privacy if there is a default option that you need to change!

       Please restart zend to continue.
       You will not see this warning again.

Option 1 setup completed - Please proceed to the "Next steps after Option 1 or Option 2" section.

Option 2 - Building from source

There are some pre-requisites that are needed for the zencash software to build correctly, these are installed by running:
sudo apt -y install build-essential pkg-config libc6-dev m4 g++-multilib autoconf libtool ncurses-dev unzip git python zlib1g-dev wget bsdmainutils automake

Let's create a directory, navigate to it, and clone the Zen repository:
mkdir zencash # creates a new directory
cd zencash # moves us into the new directory
git clone https://github.com/ZencashOfficial/zen.git # grabs the source for the zencash software

You should see something similar to this:
Screen-Shot-2017-10-26-at-10.14.14-am

Next we head into the zen directory by running:
cd zen
and execute the following to begin the compilation of the zencash software:
./zcutil/build.sh -j$(nproc)
Note: This will take some time.

Once complete you should see something similar to this:
Screen-Shot-2017-10-26-at-10.33.34-am

Next, the Zen parameters need to be downloaded. Enter this command:
./zcutil/fetch-params.sh
Once complete you should see something similar to this:
Screen-Shot-2017-10-26-at-10.38.01-am

After that is complete, we now copy the files across to the /usr/bin directory:
sudo cp src/zend /usr/bin
and
sudo cp src/zen-cli /usr/bin

Run the zen application:
zend

On first execution you may receive the following error:
Screen-Shot-2017-10-26-at-10.39.44-am

Next steps after Option 1 or Option 2

Let's now edit that default config file. This can be done by using your favourite editor and opening ~/.zen/zen.conf. Please take notice of the . in the path to the zen.conf. This indicates a hidden directory.

Again using nano for me, my command is:
nano ~/.zen/zen.conf

In the zen.conf add the following, and please change the values for rpcuser= and rpcpassword=:

rpcuser=Some_random_user
rpcpassword=5up3rHardP@55word
rpcport=18231
rpcallowip=127.0.0.1
server=1
daemon=1
listen=1
txindex=1
logtimestamps=1

I have opted to add the lines at the bottom of the zen.conf just for convenience. You should have something similar to this:
Screen-Shot-2017-10-26-at-10.49.09-am
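
One way to fill in these values without inventing a password by hand, as an added example rather than anything from the zencash project. The functions random_hex and write_zen_conf are hypothetical names, and the script assumes zen.conf does not already contain an rpcpassword= line; it also restricts the file to its owner because the RPC credentials are stored in plain text.

```shell
#!/bin/sh
# Added example (not from the original post): append the settings listed above
# to zen.conf with random RPC credentials and owner-only permissions.

# random_hex N -> prints N random bytes from /dev/urandom as 2N hex characters
random_hex() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_zen_conf DIR -> appends the settings to DIR/zen.conf (mode 0600)
write_zen_conf() {
    conf="$1/zen.conf"
    mkdir -p "$1"
    ( umask 077; touch "$conf" )      # create owner-only if the file is missing
    chmod 600 "$conf"                 # tighten an existing file as well
    if grep -q '^rpcpassword=' "$conf"; then
        echo "rpcpassword already set in $conf, leaving it alone" >&2
        return 1
    fi
    cat >> "$conf" <<EOF
rpcuser=rpc_$(random_hex 8)
rpcpassword=$(random_hex 32)
rpcport=18231
rpcallowip=127.0.0.1
server=1
daemon=1
listen=1
txindex=1
logtimestamps=1
EOF
}

# Demo in a scratch directory; on the node you would pass "$HOME/.zen" instead.
demo_dir=$(mktemp -d)
write_zen_conf "$demo_dir" && grep -v '^rpcpassword=' "$demo_dir/zen.conf"
rm -rf "$demo_dir"
```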

Now run:
zend
zen-cli getinfo

You will have an output similar to this:
Screen-Shot-2017-10-26-at-10.51.53-am

To have your node automatically start your zend daemon after reboot please see here

You should now have a basic zencash node running.

Part 2 can be found here

If you find this blog useful, and if you would like to keep it up and running, donations are always appreciated to any of the following addresses:
ZEN: znYjefe2QBfm9HEWfAtpwiBHMHTXwePs48C
ZEC: t1YZxjMEmPPLx1kFVp2zcWRBC4zrmRc71eZ
BTC: 14D1emX2xDeh3zA2myrhCmaWf1ZKAn1QzS
ETH: Ae491f4493F8d051ac23cE0d4aa2B524504eCb84