ICON Blockchain Ansible Security Hardening¶
Business case idea¶
Running blockchain validator nodes is like running a bank. You need to take the all precautions possible to make sure your nodes are not only running with as many 9’s of uptime but also that your node itself can’t be hacked. If a malicious actor found an exploit in a common configuration, they can comprimise the entire network. To mitigate this, we need to run a suit of hardening steps on our application and run our validator node in the most stable / secure configuration possible directly on the VM.
We need to first run a suite of andsible hardening steps on each VM as part of the bootstrapping process. We then need to do a quick audit and track exactly what we are doing.
Then we need to take apart a docker container and turn it into an ansible playbook as we don’t want to run that app on a container.
This might get pushback initially but I think it is a good long term goal to run the application as close to metal as possible, ideally in a tier 4 data center with dedicated HSM.
Configure bastion to connect to IdP
gravitational’s teleport or rolling own
Setup P2P network configs and build agent to update the firewall
This gets into it but if you are here, your project will start looking really good
Build CI to run tests
Tests written early, CI later
Terraform + terragrunt
All your ansible will be folded into this repo. Don’t worry, Rob will help
Pen / Load tests
Find a few good packages to run a few tests around
terratest / test kitchen / python
Node that shown to be more resiliant based on some metrics like you run nmap and nothing is open and you ran a pen testing package and you failed, then you passed
Basic ansible hardening in terraform
Get a few features together
Run suite of tests
Fiugure out a P2P networking challenge we have