I would like to thank Pierre for putting this guide together. It is very well written and easy to follow.

These instructions are for creating a ZEN securenode with a minimal Debian install.

By minimizing the OS, we are able to meet the 300 sec challenge and still use a $5/mo VPS with 1 CPU and 1GB RAM. Only the services that are absolutely necessary are installed using this method.

This guide is based on the excellent work from: @hairetikos, @blockoperations, and myself.

Step 1: Create a VPS on VULTR per the instructions from @hairetikos

This guide was adapted from @hairetikos' guide available here.

The only difference is that rsyslog is not removed, because it is important to maintain good logging capabilities. So instead of the line:

apt purge rsyslog systemd* -y && apt autoremove --purge -y && reboot

This guide uses:

apt purge systemd* -y && apt autoremove --purge -y && reboot

Step 2: Fortify the node and communications

  1. Install sudo:
    apt -y install sudo
  2. During step 1, you should have created a user account (as opposed to root). For this tutorial, we will call that account “zenmaster”. Add the zenmaster account to sudo:
    vi /etc/group
    add zenmaster to sudo group
    sudo:x:27:zenmaster
  3. Make sure your VM has the correct name:
    cat /etc/hostname
  4. Edit your host file to make sure you have the correct IP address
    vi /etc/hosts

Make sure you have your hostname (znode-pie2) and your FQDN (Fully Qualified Domain Name): znode-pie2.pnhl.trade next to the correct IP address assigned by VULTR. If you don’t have this done correctly, you will end up having a lot of problems getting your TLS certificate later on.

  1. Change default sshd port:
    vi /etc/ssh/sshd_config
    Port 2221
    You can pick any high port you want ( > 1024), although best to stay away from well-known ports like 3389. The purpose of changing the ssh port is to make it harder for automated scanners.

  2. Restart sshd:
    /etc/init.d/ssh restart

  3. Don’t close your existing window yet! Start a new PuTTY session and make sure the ssh daemon is answering on the new port.

  4. Stop ssh from accepting passwords and start enforcing certificate logins only (⇒ Please see separate tutorial - To be added)

  5. Create a firewall in Vultr – this will reduce the load on the node from the constant scanning
    a. Create the following rules. Note that for testnet the port is 19033/tcp. Once we move to mainnet, the firewall will need to be changed to 9033/tcp.
    b. Name the firewall rule set – just give it any name you want

c. Click on “linked instances” and link it to your machine:

  1. If not already done, make sure your DNS is set correctly with your domain provider. This will be a big issue later if not done correctly now.

  2. Let’s install more packages that we will need later
    sudo apt -y install git ufw build-essential pkg-config libc6-dev m4 g++-multilib autoconf libtool ncurses-dev unzip python zlib1g-dev wget bsdmainutils automake net-tools socat

  3. We will now turn on the firewall on the VM itself in case the VULTR firewall ever fails
    sudo ufw default allow outgoing
    sudo ufw default deny incoming
    sudo ufw allow 2221/tcp
    sudo ufw limit 2221/tcp
    sudo ufw allow http/tcp
    sudo ufw allow https/tcp
    sudo ufw allow 9033/tcp
    sudo ufw allow 19033/tcp
    sudo ufw logging on
    sudo ufw enable

I am using port 2221 as an example. Adjust accordingly.

  1. I find that sudo times out too quickly. I would prefer to only be asked for my password once per hour.
    sudo visudo
    Change the line:
    Defaults env_reset
    To:
    Defaults env_reset,timestamp_timeout=60

Step 3: Install Zencash

  1. Clone the Zen repo:
    mkdir zencash
    cd zencash
    git clone https://github.com/ZencashOfficial/zen.git

  2. Compile zen
    cd zen
    ./zcutil/build.sh -j$(nproc)
    Given that we only have 1 CPU/1GB RAM (+ swap), be patient. Compiling zen is going to take a while (1+ hour)

  3. Zen parameters need to be downloaded
    ./zcutil/fetch-params.sh

  4. For non-Unix folks, this gets very confusing. Directories that start with “.” are hidden directories. In order to see them, you can use “ls -al”. By convention (and because Unix folks are old-fashioned), applications are typically in regular directories but the configuration files are in hidden directories (very strange logic, but we are stuck with it).

  5. Go to config directory and create the config file
    cd ~/.zen
    vi zen.conf

  6. Enter the following info (change user and password to whatever you want)

addnode=zpool.blockoperations.com
addnode=zennodes.network
rpcuser=change me to whatever you want
rpcpassword=change me to whatever you want
rpcport=18231
rpcallowip=127.0.0.1
server=1
daemon=1
listen=1
txindex=1
logtimestamps=1
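
As an added example (not part of the original guide), the shell functions below write the same zen.conf with randomly generated RPC credentials and owner-only permissions, and audit an existing file for a placeholder password, a non-loopback rpcallowip, or a mode that lets other accounts read it. The function names `rand_hex`, `write_zen_conf` and `audit_zen_conf`, and the `zen` prefix on the generated user name, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# rand_hex N: print N random bytes as hex, using only coreutils.
rand_hex() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# write_zen_conf DIR: write DIR/zen.conf with the guide's settings, mode 0600.
write_zen_conf() {
    conf="$1/zen.conf"
    ( umask 077
      cat > "$conf" <<EOF
addnode=zpool.blockoperations.com
addnode=zennodes.network
rpcuser=zen$(rand_hex 8)
rpcpassword=$(rand_hex 32)
rpcport=18231
rpcallowip=127.0.0.1
server=1
daemon=1
listen=1
txindex=1
logtimestamps=1
EOF
    )
    chmod 600 "$conf"
}

# audit_zen_conf FILE: print one line per finding; exit status 1 if any.
audit_zen_conf() {
    f="$1"; bad=0
    pw=$(sed -n 's/^rpcpassword=//p' "$f" | head -n 1)
    [ "${#pw}" -ge 32 ] || { echo "rpcpassword shorter than 32 chars"; bad=1; }
    case "$pw" in
        *" "*|*change*) echo "rpcpassword looks like a placeholder"; bad=1 ;;
    esac
    # Any rpcallowip other than loopback lets remote hosts reach the RPC interface.
    if grep '^rpcallowip=' "$f" | grep -qv '^rpcallowip=127\.0\.0\.1$'; then
        echo "rpcallowip allows a non-loopback address"; bad=1
    fi
    # The file holds the RPC password: group and others must have no access.
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        *00) ;;
        *) echo "mode $mode is readable beyond the owner"; bad=1 ;;
    esac
    return "$bad"
}
```

Run `write_zen_conf ~/.zen` instead of typing the credentials by hand, or `audit_zen_conf ~/.zen/zen.conf` against a file that already exists.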

  1. Start the daemon and make sure the blockchain is downloading
    cd ~/zencash/zen/src
    ./zend
    ./zen-cli getinfo
    Be patient with this step, it needs to sync the entire blockchain

  2. Put zen in /usr/bin and start automatically
    sudo cp zend /usr/bin/
    sudo cp zen-cli /usr/bin/
    crontab -e
    At the bottom insert: @reboot /usr/bin/zend

  3. Get acme.sh script to request SSL cert
    cd ~
    mkdir acme
    cd acme
    git clone https://github.com/Neilpang/acme.sh.git
    cd acme.sh
    ./acme.sh --install
    cd ~
    sudo .acme.sh/acme.sh --issue --standalone -d <fully qualified domain name>
    A few critical points for this last command:

  4. Do NOT issue this command as root; you must issue it as the normal user who owns the zend and zennodetracker processes. If you try to be a too-smart-for-your-own-good sysadmin, the SSL certificate will go to the /root folder and you will end up with a ton of permission problems.

  5. You must have the complete name of your node. Remember one of the first points: your /etc/hosts file and DNS entries must be correct.

  6. <fully qualified domain name> means for example: znode-pie2.pnhl.trade or znode.blockoperations.io (not just the name znode-pie2 or znode)

  7. You may need to copy the certs from the root directory. You can do that by running the following commands:
    sudo cp /root/.acme.sh/<fully qualified domain name>/<fully qualified domain name>.cer /home/<USERNAME>/.acme.sh/<fully qualified domain name>/<fully qualified domain name>.cer

    sudo cp /root/.acme.sh/<fully qualified domain name>/<fully qualified domain name>.key /home/<USERNAME>/.acme.sh/<fully qualified domain name>/<fully qualified domain name>.key

  1. Add the ssl cert path to zen.conf
    vi ~/.zen/zen.conf
    Add the line (with the correct name for your node):
    tlscertpath=/home/<username>/.acme.sh/<fully qualified domain name>/<fully qualified domain name>.cer
    tlskeypath=/home/<username>/.acme.sh/<fully qualified domain name>/<fully qualified domain name>.key
    Note: Replace <fully qualified domain name> with your node.domainname

  2. Letsencrypt is not a trusted registrar by default. We need to change that:
    sudo mkdir /usr/share/ca-certificates/letsencrypt/
    sudo cp /home/<username>/.acme.sh/<fully qualified domain name>/ca.cer /usr/share/ca-certificates/letsencrypt/ca.crt
    Note: Replace <fully qualified domain name> with your node.domainname

sudo dpkg-reconfigure ca-certificates

Notice that on the second command, we are changing the name of ca.cer to ca.crt, that’s very important!

Use the spacebar to add an asterisk to the first entry for letsencrypt. Then, hit tab to get to “ok”. Then press enter.

  1. A few final steps
    cd ~/zencash/zen/src
    ./zen-cli stop
    sudo cp zend /usr/bin
    sudo cp zen-cli /usr/bin
    zend

  2. Test the installation
    cd ~
    zen-cli getnetworkinfo

  3. Make a test connection
    mainnet:
    openssl s_client -connect <fully qualified domain name>:9033
    testnet:
    openssl s_client -connect <fully qualified domain name>:19033
    Note: Replace <fully qualified domain name> with your node.domainname
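
If the test connection fails, a common cause is the permission problem mentioned earlier: files copied with sudo cp end up owned by root. The check below is an added example (not part of the original guide) that reads tlscertpath and tlskeypath from zen.conf and reports files that are missing, unreadable, owned by another account, or, for the private key, accessible to group or others. The function names `conf_get` and `check_tls_files` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# conf_get FILE KEY: print the first value of KEY= in FILE.
conf_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_tls_files FILE: print one line per problem; exit status 1 if any.
check_tls_files() {
    conf="$1"; bad=0; me=$(id -u)
    for key in tlscertpath tlskeypath; do
        target=$(conf_get "$conf" "$key")
        if [ -z "$target" ]; then
            echo "$key is not set in $conf"; bad=1; continue
        fi
        if [ ! -f "$target" ]; then
            echo "$key: $target does not exist"; bad=1; continue
        fi
        # A file copied with "sudo cp" is owned by root; if its mode is
        # owner-only, the user running zend cannot read it.
        [ -r "$target" ] || { echo "$key: $target is not readable by uid $me"; bad=1; }
        owner=$(stat -c '%u' "$target")
        [ "$owner" = "$me" ] || { echo "$key: $target is owned by uid $owner, not uid $me"; bad=1; }
    done
    # The private key must not be accessible to group or others.
    keyfile=$(conf_get "$conf" tlskeypath)
    if [ -f "$keyfile" ]; then
        mode=$(stat -c '%a' "$keyfile")
        case "$mode" in
            *00) ;;
            *) echo "tlskeypath: mode $mode lets group or others access the key"; bad=1 ;;
        esac
    fi
    return "$bad"
}
```

Run it as the user that starts zend, for example `check_tls_files ~/.zen/zen.conf`.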

Step 4: Install Secure node tracker

This section is based on https://github.com/adumaine/secnodetracker
However, due to the limited OS installation, a few things have been changed.

  1. Install NPM and Node.js
    sudo apt -y install curl
    curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
    sudo apt -y install nodejs

  2. Install securenodetracker
    cd ~/zencash
    git clone https://github.com/ZencashOfficial/secnodetracker.git

Head into the secnodetracker directory with
cd secnodetracker

next run
npm install

  1. Send 42 ZEN (or test ZEN – ZNT if still on testnet) from your wallet to a T address in your wallet (not to the VPS). This will be your staking address.

  2. Create a private address on the securenode
    zen-cli z_getnewaddress

  3. If you forget that address, you can get it with the command
    zen-cli z_listaddresses

  4. Send five transactions of 0.2 ZEN (or ZNT in testnet) to the private address
    For an excellent explanation of why five transactions, see: https://www.zen-solutions.io/interesting-issue-found-in-alpha-testing/

  5. You can monitor your balance on the private address with this command
    zen-cli z_gettotalbalance

  6. We need to setup the tracker now
    node setup.js
    Question 1: your staking address from your wallet from #3 (that’s the one with the 42 ZEN)
    Question 2: any email address you would like to receive notifications
    Question 3: the full name of your node (in my case znode-pie2.pnhl.trade)
    Question 4: Are you using IPv4 or IPv6 – for most people the answer is 4
    Question 5: your region – most likely auto detected by the script

  7. We want to make sure that the securenodetracker runs all the time. There are many ways to do this, but we will use PM2.

  8. Install PM2
    sudo npm install pm2 -g
    pm2 start app.js --name securenodetracker

  9. To monitor the logs
    pm2 logs securenodetracker

  10. To see the status
    pm2 status securenodetracker

  11. To stop the tracker
    pm2 stop securenodetracker

  12. To automatically start after reboot
    Still working on that. The command “pm2 startup” doesn’t work due to the lack of systemd. Other options have so far failed me. Will update this guide once I find a good solution. I am open to suggestions.

Check out the tracking website for your node:
North America: https://securenodes.na.zensystem.io/
Europe: https://securenodes.eu.zensystem.io/
Southeast Asia: https://securenodes.sea.zensystem.io/

You are done, Congrats!

If you find this blog useful, and if you would like to keep it up and running, donations are always appreciated to any of the following addresses:
ZEN: znYjefe2QBfm9HEWfAtpwiBHMHTXwePs48C
ZEC: t1YZxjMEmPPLx1kFVp2zcWRBC4zrmRc71eZ
BTC: 14D1emX2xDeh3zA2myrhCmaWf1ZKAn1QzS
ETH: Ae491f4493F8d051ac23cE0d4aa2B524504eCb84