Do Not Use This Guide!
THIS GUIDE IS NO LONGER ACCURATE!
Instead, please use the ZenCash guide at zencash.com
https://documentation.zencash.com/display/ZEN/Installation
I am keeping this post up for historical information and to help people who want to continue to use this guide.
Secure Node Basic Requirements
The server needs a 64 bit processor and operating system to meet the requirements of a Secure Node. It also needs access to a decent processor core and a total of 4 GB of memory, which can include swap if the storage access is fast enough.
To qualify for ZenCash Secure Node payments, the Secure Node server has to be able to perform the challenge computation in less than 5 minutes, or 300 seconds. The challenge involves generating a ZenCash Shielded Transaction, both demonstrating the fitness of the server and helping to create many shielded transactions per day, enhancing the security of every user of Shielded Transactions.
For some servers, a 1GB RAM VPS package is ok. For other providers, you need to rent a VPS with 4GB of memory.
It will also need a unique IPv4 or IPv6 address, and a Certificate Authority generated TLS certificate. This means you will also need a domain name. This guide shows how to obtain a free certificate by running a script on the server. It would be more secure, but also more expensive, to purchase a certificate for your Secure Node.
This guide shows how to do an installation using Ubuntu 16.04. Other versions of Linux or Unix should also work. This is a basic guide designed for an experienced Linux sysadmin to copy and paste commands quickly.
Install Linux OS on a VPS or your own server
DO NOT DO THIS INSTALL AS THE ROOT USER!
See my tutorial on How to Set Up a VPS if you do not know how to set up a non-root user and configure basic authentication.
Also, tutorials are available at Linode if you don’t know how to set up a server for a regular user:
Getting Started on a Linode VPS
Make a ZenCash Node
If you need assistance, please join the ZenCash Discord and ask for help in the #securenodes channel
Check free memory and hard drive space:
free -h
df -h
If you do not have more than 5G of memory when you add your existing Mem and Swap, add some swap space to the server:
sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
Make the swap come back on after a reboot:
sudo su -
cat <<EOF >> /etc/fstab
/swapfile none swap sw 0 0
EOF
exit
Make the swap work better. Do this for your existing swap even if you did not add any. This setting makes the server wait until memory is 90% used before using the hard drive as memory:
sudo su -
cat <<EOF >> /etc/sysctl.conf
vm.swappiness=10
EOF
exit
Check free memory and hard drive space again:
free -h
df -h
Option 1 – Install zen from packages – faster
Install Zen from packages from this page – https://zencashofficial.github.io/repo/
sudo apt-get update
sudo apt-get install apt-transport-https lsb-release
echo 'deb https://zencashofficial.github.io/repo/ '$(lsb_release -cs)' main' | sudo tee --append /etc/apt/sources.list.d/zen.list
gpg --keyserver ha.pool.sks-keyservers.net --recv 219F55740BBF7A1CE368BA45FB7053CE4991B669
gpg --export 219F55740BBF7A1CE368BA45FB7053CE4991B669 | sudo apt-key add -
sudo apt-get update
sudo apt-get install zen # to install Zen
zen-fetch-params
END OF OPTION 1 – Install Zen from Packages
You can see Option 2 for building from source at the bottom of the page
Configure Zen
Run zend once and read the message. It then stops.
zend
Create a new zen configuration file. Copy and paste this into the command line:
cat <<EOF > ~/.zen/zen.conf
rpcuser=zenuserorsomebettername
rpcpassword=replacethiswithagoodpassword
rpcport=18231
rpcallowip=127.0.0.1
server=1
daemon=1
listen=1
txindex=1
logtimestamps=1
### testnet config
#testnet=1
EOF
Run the Zen application as a daemon:
zend
Check the status and make sure the block count is increasing:
zen-cli getinfo
Install a free certificate from LetsEncrypt
Create an A record for your host on your DNS control panel for your domain. This is your FQDN.
Wherever a word is <CAPS> you need to put the appropriate value in place. For example, the <FQDN> of the ZenCash blog server is blog.zensystem.io
Check that your domain name has propagated and that it matches the public IP address of your server:
ping <FQDN>
Install the acme script for creating a certificate:
sudo apt install socat
cd
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install
Create the certificate:
FQDN=<FQDN>
echo $FQDN
sudo ~/.acme.sh/acme.sh --issue --standalone -d $FQDN
It should tell you where your certs are. They should be in
~/.acme.sh/<FQDN>
Install the crontab entry that checks the certificate expiration date and renews it if necessary:
sudo crontab -e
Put this at the bottom of the crontab file:
6 0 * * * "/home/<USER>/.acme.sh"/acme.sh --cron --home "/home/<USER>/.acme.sh" > /dev/null
Copy the intermediate authority certificate to the Ubuntu certificate store and install it. The best way to do this is to copy the next section into a text editor, like Notepad, substitute your actual username and FQDN for the <USER> and <FQDN> fields, then copy and paste the updated text into the Linux command line. As long as you stay logged in for the rest of the guide, you should not have to copy and paste the FQDN line at the top more than once. Use tab, space, and enter to navigate the CA Certificates menu:
FQDN=<FQDN>
echo "<USER> is $USER"
echo "<FQDN> is $FQDN"
sudo cp /home/$USER/.acme.sh/$FQDN/ca.cer /usr/share/ca-certificates/ca.crt
sudo dpkg-reconfigure ca-certificates
Stop the zen application and configure the certificate location, then start zend again:
FQDN=<FQDN>
zen-cli stop
cat <<EOF >> ~/.zen/zen.conf
tlscertpath=/home/$USER/.acme.sh/$FQDN/$FQDN.cer
tlskeypath=/home/$USER/.acme.sh/$FQDN/$FQDN.key
EOF
zend
Look for TLS cert status true – a line should say “tls_cert_verified”: true
zen-cli getnetworkinfo
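The zen.conf settings and TLS paths written in the steps above can be checked mechanically before the node goes live. This is an added example, not part of the original guide or the ZenCash project; the function names are this example's own and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not part of the guide: audit a zen.conf built from the
# guide's settings. Function names are this example's own.

# conf_values FILE KEY: print every value assigned to KEY, one per line.
conf_values() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//'
}

# private_file PATH: true only if PATH exists with no group/other access.
private_file() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

finding() { echo "FINDING: $*"; audit_rc=1; }

# audit_zen_conf FILE: print one FINDING line per problem, return 1 if any.
audit_zen_conf() {
    conf=$1; audit_rc=0
    # zen.conf stores the RPC password, so only its owner should read it.
    private_file "$conf" || finding "$conf is missing or readable by group/other"
    # The guide's sample password must be replaced before the node goes live.
    [ -n "$(conf_values "$conf" rpcpassword)" ] || finding "rpcpassword is not set"
    if conf_values "$conf" rpcpassword | grep -qx 'replacethiswithagoodpassword'; then
        finding "rpcpassword is still the guide's placeholder"
    fi
    # RPC stays on loopback, as the guide configures it.
    if conf_values "$conf" rpcallowip | grep -qvx '127\.0\.0\.1'; then
        finding "rpcallowip admits a non-loopback address"
    fi
    # TLS paths must point at real files, and the key must stay private.
    for cert in $(conf_values "$conf" tlscertpath); do
        [ -f "$cert" ] || finding "tlscertpath $cert does not exist"
    done
    for key in $(conf_values "$conf" tlskeypath); do
        private_file "$key" || finding "tlskeypath $key is missing or readable by group/other"
    done
    return "$audit_rc"
}

# Constructed sample: the guide's config pasted unedited and left world-readable.
demo=$(mktemp -d)
printf '%s\n' 'rpcuser=zenuserorsomebettername' \
    'rpcpassword=replacethiswithagoodpassword' 'rpcallowip=127.0.0.1' > "$demo/zen.conf"
chmod 644 "$demo/zen.conf"
audit_zen_conf "$demo/zen.conf" || echo "zen.conf needs attention"
```

On a real node, call it as audit_zen_conf ~/.zen/zen.conf after the certificate step.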
Configure Secure Node Requirements
Create a new transparent address on your swing wallet – send it 42 zen. This is the collateral address <T_ADDR>. Make sure the ZEN stays in that address, else your Secure Node will fail its checks.
See if the node already has a shielded address:
zen-cli z_listaddresses
If not, create a shielded address on the zen node:
zen-cli z_getnewaddress
This address will be referred to as <Z_ADDR>. Send 4 or 5 transactions of 0.1 to 0.25 zen to <Z_ADDR> from the ZenCash wallet you have running on your PC or Mac. Check to make sure the node knows it has funds. You are ready when it has more than 1 ZEN:
zen-cli z_gettotalbalance
If the balance is still zero, the blockchain might not be fully updated. Check with the command
zen-cli getinfo
or
watch zen-cli getinfo
Install the tracker application. If you are upgrading your tracker application, read the upgrade instructions here: https://github.com/ZencashOfficial/secnodetracker
Install npm and Node.js:
sudo apt -y install npm
sudo npm install -g n
sudo n latest
Clone this repository then install node modules:
mkdir ~/zencash
cd ~/zencash
git clone https://github.com/ZencashOfficial/secnodetracker.git
cd secnodetracker
npm install
Run the node setup application. You will need <T_ADDR> and an email address to receive alerts.
node setup.js
Start the tracking app and make sure it is working:
node app.js
Check the status of your node at the Secure Node Tracker website:
https://securenodes2.zensystem.io/
If it looks like it has registered properly and looks good overall, type ctrl-c to stop the app. Next we will run the node app as a process. The reference is psyrax's blog post at https://www.zen-solutions.io/using-pm2-to-keep-your-secnodetracker-software-running-when-you-close-the-terminal-session/
cd ~/zencash/secnodetracker/
sudo npm install pm2 -g
pm2 start app.js --name securenodetracker
Make it run at boot:
pm2 startup
You will have to copy and paste a command to get pm2 to start on boot – it tells you what to do
Install and configure monit so the zen node application runs. Install monit:
sudo apt install monit
Create a small file to start zend. Edit it with:
nano ~/zen_node.sh
or
vim ~/zen_node.sh
Paste this into the file. Substitute your actual username for <USER>
#!/bin/bash
# Helper that monit calls to start and stop zend
PID_FILE='/home/<USER>/.zen/zen_node.pid'

start() {
    touch "$PID_FILE"
    # Run zend as the unprivileged user and discard both stdout and stderr
    /bin/su <USER> -c '/usr/bin/zend >> /dev/null 2>&1'
    # Record the PID of the running zend process for monit
    PID=$(pgrep -x zend)
    echo "Starting zend with PID $PID"
    echo "$PID" > "$PID_FILE"
}

stop() {
    pkill zend
    rm -f "$PID_FILE"
    echo "Stopping zend"
}

case $1 in
    start)
        start
        ;;
    stop)
        stop
        ;;
    *)
        echo "usage: zend {start|stop}"
        ;;
esac
exit 0
Make the helper file executable:
chmod u+x ~/zen_node.sh
Add configuration settings to the bottom of the monit configuration by editing it:
sudo nano /etc/monit/monitrc
or
sudo vim /etc/monit/monitrc
Paste this into the file at the bottom. Substitute your actual username for <USER>:
### added on setup for zend
set httpd port 2812
    use address localhost # only accept connection from localhost
    allow localhost # allow localhost to connect to the server
#
### zend process control
check process zend with pidfile /home/<USER>/.zen/zen_node.pid
    start program = "/home/<USER>/zen_node.sh start" with timeout 60 seconds
    stop program = "/home/<USER>/zen_node.sh stop"
Load the new configuration:
sudo monit reload
Enable the monitoring service:
sudo monit start zend
That’s it. You only have to do the above once. You can check monit’s status with the command:
sudo monit status
This will keep the zend application running. If you stop it, it will restart it. If you really need to stop it, type:
sudo monit stop zend
Add Basic Security to the Server
Create a firewall:
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ssh/tcp
sudo ufw limit ssh/tcp
sudo ufw allow http/tcp
sudo ufw allow https/tcp
sudo ufw allow 9033/tcp
sudo ufw logging on
sudo ufw enable
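To confirm the firewall ended up as intended, the output of sudo ufw status can be compared with the rules created above. This is an added example, not part of the original guide; the function name is this example's own, the sample output is constructed, and treating the zen.conf rpcport (18231) as a port that must stay closed is this example's assumption.

```shell
#!/bin/sh
# Added example, not part of the guide: compare `ufw status` output with the
# rules the guide creates. The function name is this example's own.

# check_ufw_status [FILE]: read `ufw status` text from FILE (or stdin), print
# one FINDING line per problem, and return 1 if there is any.
check_ufw_status() {
    # allowed = ports the guide opens (ssh, http, https, 9033);
    # rpc = rpcport from the guide's zen.conf, which must stay closed.
    awk -v allowed="22 80 443 9033" -v rpc="18231" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Status:/ { active = ($2 == "active") }
        $1 ~ /^[0-9]+(\/(tcp|udp))?$/ {
            split($1, p, "/"); port = p[1]
            # The action column follows the port, after "(v6)" on IPv6 rows.
            for (i = 2; i <= NF; i++) {
                if ($i != "ALLOW" && $i != "LIMIT") continue
                if (port == rpc) { print "FINDING: RPC port is open: " $1; bad = 1 }
                else if (!(port in ok)) { print "FINDING: unexpected open port: " $1; bad = 1 }
                if (port == 22 && $i == "LIMIT") limited = 1
                break
            }
        }
        END {
            if (!active) { print "FINDING: ufw is not active"; bad = 1 }
            if (!limited) { print "FINDING: ssh (22/tcp) has no LIMIT rule"; bad = 1 }
            exit bad
        }' "${1:--}"
}

# Constructed sample in the layout `ufw status` prints, with the RPC port
# opened by mistake.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
9033/tcp                   ALLOW       Anywhere
18231/tcp                  ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
EOF
check_ufw_status "$sample" || echo "firewall differs from the guide"
```

On the server, pipe the live rules in with sudo ufw status | check_ufw_status.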
Install and enable banning of dictionary attack login attempts:
sudo apt -y install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Install a rootkit detector:
sudo apt -y install rkhunter
When it asks for mail configuration, choose Internet Site and type in your FQDN on the next page. Create an upgrade script that will also update the rootkit hunter after you upgrade your node:
cat <<EOF > ~/upgrade_script.sh
#!/bin/bash
sudo apt update
sudo apt -y dist-upgrade
sudo apt -y autoremove
sudo rkhunter --propupd
EOF
Change permissions to enable execution of the script:
chmod u+x ~/upgrade_script.sh
When you want to upgrade the node, run the upgrade script by typing:
sudo ~/upgrade_script.sh
You should now have a ZenCash Secure Node running. Hopefully it continues meeting the challenge times successfully for you.
Final Test
Reboot your server and check that everything comes back up and starts running again.
sudo reboot
After it reboots, reconnect, and check things are working:
sudo monit status
pm2 status
zen-cli getinfo
zen-cli getnetworkinfo
That should be everything for a basic secure node. Is it possible to do things better, differently, or with more style? It sure is. Go for it and let me know in the comments what I could have done better in this guide.
Update on 12/24/17:
Here are some notes from Discord community member PeaStew for how to set up and operate the secure node better. I will go through and update this guide as soon as I have a chance, which will hopefully be soon.
Sorry I have been absent for the last month on the blog. Had to upgrade the mining facility to more than 400 miners, put in place monitoring, and do some ZenCash related travel. Also needed to spend enough time with family to have a joyful holiday season.
Here are PeaStew’s recommendations:
- Server/VPS Specifications:
- The recommendation of 4GB total memory (RAM + Swap) is incorrect, it is quite likely that up to 6GB total (RAM + Swap) will be needed. While some have had success with 2-3GB with 3-4 Swap, most will not. The minimum should be 4GB of RAM + 2 GB of Swap. This initial statement is also contradicted in the swap instructions “If you do not have more than 4G of memory when you add your existing Mem and Swap, add some swap space to the server”
- The link to linode is not helpful, people are ordering the 1GB linode VPS which is not capable of running the challenges. Please either update the link to servers with at least 4GB RAM (several hosts are available including OVH which also has DDoS protection) or just remove the link and update the required specs.
- There is no minimum specification of hard drive, if people will need to use swap they will need it to be fast and so an SSD based solution should be mandatory.
- zend: I don’t know if it is possible to make it more clear to people, but Option 1 (apt) and Option 2 (build) needs to be better delineated.
- We have had numerous instances of people doing both and then having to clean up the mess afterwards. Preference would be that Option 2 be moved to a separate link rather than be a flow on part of the guide.
- Option 1 is not just faster, it is also much easier to maintain, not just on an individual level but also for the network as a whole with apt.
- Option 2 is not just slower, it also has very little benefit even if you know what you are doing as the binaries will not, in general, be any better than the apt pregenerated ones. The use case of testing of dev branches is such a tiny edge case that it should be ignored for the mainstream.
- LetsEncrypt: Please include this link from psyrax’s blog https://www.zen-solutions.io/loading-lets-encrypt-certificate-chain-to-the-trusted-store-on-centos/. Although the guide is for Ubuntu, the other most common server type is CentOS and this is by far the most common place people fall down.
- The cat <<EOF>… commands for swap/sysctl/zen.conf etc., while technically sound:
- lead to more problems because rather than running them in the command line as you suggest, people instead copy the whole thing into the file. Suggest the commands are made copyable.
- foreseeable problem with (a) is the cute use of pwgen but honestly, the zen daemon is already bound to 127.0.0.1 so the login/password details don’t really matter. If the server itself is not secure (see 6) then it is kinda irrelevant because if the server itself is hacked zen.conf is read/writable.
- The guide needs more security:
- a link to how to create private/public keys for SSH in linux/mac/windows (puttygen) is mandatory for a guide like this.
- an addition (with (a)) with how to modify /etc/ssh/sshd_config to turn off root login and switch off passwords is needed.
- pm2:
- The line “You will have to copy and paste a command to get pm2 to start on boot – it tells you what to do” is not helpful. The actual command starting with sudo env… is not highlighted and for 90% of people, myself included the first time, it is missed. It should specify what the command will look like.
- the latest version of pm2 does not install correctly such that it will restart on boot, the version should be locked as described here by psyrax https://www.zen-solutions.io/latest-version-of-pm2-not-working-properly-with-ubuntu-16-04-lts/
- Please make it clear that the testnet step, while useful if the node owner is unsure of what to do, isn’t mandatory and in fact it is usually better and certainly much faster (due to needing to sync both testnet and main blockchains) if they skip the step entirely.
- Also reduce the amount of ZEN needed on nodes that go directly to main, the 1 ZEN suggestion was based on multiple challenges/day, now with only one per day 5 * 0.03 payments will last ~3 years which is probably more than enough for most people.
- It also reduces the real risk of losing ZEN if a server host decides to kick someone (or they just reinstall the OS which has happened a few times) as most will not dump the private key
- please encourage the user to dump the private key from the shielded address on the node zen-cli exportkey “z_addr” and save it somewhere so if (a) happens, there won’t be so much unhappiness
Option 2 – Build zen from source – slower
Create directory and clone the Zen Node application
mkdir ~/zencash
cd ~/zencash
git clone https://github.com/ZencashOfficial/zen.git
Install pre-requisite packages for Zen node application:
sudo apt -y install build-essential pkg-config libc6-dev m4 g++-multilib autoconf libtool ncurses-dev unzip git python zlib1g-dev wget bsdmainutils automake
Download zk-SNARK parameters:
cd zen
./zcutil/fetch-params.sh
Wait for parameters to download. Compile the zen application:
./zcutil/build.sh -j$(nproc)
Wait for zend to build. Install zend and zen-cli into user’s binary directory and run zend once for it to copy files:
sudo cp ~/zencash/zen/src/zend /usr/bin/
sudo cp ~/zencash/zen/src/zen-cli /usr/bin/
END OF OPTION 2 – Build Zen from Source