Staking in the cloud with Windows VPS in AWS

Quick guide to secure staking using Amazon Web Services

This guide will show you how to launch your own virtual Windows computer via Amazon Web Services (AWS). The Windows server has the same graphical interface as a common household Windows PC, which makes it suitable for an average consumer while giving you a dedicated, isolated machine that is easier to lock down than a home PC. We set up the Testnet version here; Mainnet uses port 3338 instead of 1334.

Create AWS account:

  1. Sign up or log in to your account at amazon web services at https://aws.amazon.com/

If you don't already have an account you can create one.

2. After signing up, sign in to your AWS account:

Enabling MFA

3. To enable MFA (Multi-factor authentication) click on your username at the top right and then click 'My Security Credentials' in the dropdown menu and click on 'Activate MFA':

From here you can choose between a virtual MFA device, a U2F security key or another hardware MFA device. A hardware key is the stronger option if you own one, since its codes cannot be phished or copied from a phone backup. In this guide we will use a virtual MFA device, i.e. a mobile Authenticator app:

4. Upon clicking 'Continue', a new screen appears where you can click to reveal a QR code to scan with your Authenticator app on Android or iOS. Open the app, scan the code and add the AWS account to it. You will then need to enter two consecutive codes from the app to complete the synchronization.

5. After synchronization succeeds, your account is set up for multi-factor authentication. From the next sign-in on, you will be asked for the current code from your Authenticator app in addition to your password. This protects the AWS account that controls your staking server.

Deploying an instance

6. Head to the management console:

Notice the Region selector next to 'Support' in the top right of the page. Here you set the region in which your staker will reside. Select a region and note it down; you will need to select the same region later to find your instance again.

6. Now, from 'Services' in the management console, click 'Launch a virtual machine with EC2':

There are several server images to choose from depending on your needs. For this guide we will use 'Microsoft Windows Server 2019 Base with Containers':

We will be using a machine with moderate performance, but feel free to select the instance type that best suits your needs. The current recommendation is the t2.medium (2 vCPUs, 4 GB RAM); prices vary with the CPU and RAM you choose.

The screenshots in this example were taken on a larger machine with 4 vCPUs and 16 GB RAM; lower specs are adequate for the average user.

7. Click 'Review and launch' below to continue. Here you can review your choices. We will change some settings in 'Security groups' to allow port 1334 and, optionally, a custom port for Remote Desktop. Using a custom RDP port requires a registry change in Windows, which we will show later. For now, we will keep the default RDP port (3389) open and add two more rules, TCP 1334 and TCP 9833.

8. Click 'Edit security groups' and click 'Add rule' once for each additional rule. Under 'Port range' add:

  • your custom RDP port (in our case TCP 9833)

  • the port on which the node connects with peers: TCP 1334 for testnet, or TCP 3338 for mainnet (you only need the one for the network you run)

You do not need an inbound rule for UDP 123 (NTP). Security groups are stateful: the replies to the time queries your server sends out are allowed automatically, and AWS Windows images are preconfigured to sync against the Amazon Time Sync Service. A correctly synced clock still matters, because peer nodes may ban a node whose clock is off.

For all ports except RDP, under 'Source' select 'Anywhere' for now (the peer port has to be reachable by other nodes). This can later be changed to allow connections only from selected IPs.

It is highly recommended to restrict your RDP port (9833 in our example) to your home IP address with a /32 rule (choose 'My IP' under 'Source'). That way nobody else can even reach the login prompt, even if they have your password. If your home connection has a dynamic IP, you will have to update this rule whenever it changes. Then click 'Add Rule' and 'Review and launch' to complete:

9. You can review your settings once more and then click 'Launch'. A new window will ask you to create a key pair or choose an existing one. Create a new key pair, give it a name and download the .pem file to a secure location. This key is what decrypts the Administrator password later, so treat it like a password and never store it on the server itself.

10. Your instance will now start launching which will take a few minutes. Click on 'View Instances' to see your instance.

11. Your instance will display 'Initializing' under 'Status check'. Pressing the refresh button next to 'Connect' refreshes the status. Once it shows 'checks passed' we can connect to our server.

12. Right-click the instance and click 'Connect'. This opens 'Connect to instance'; click 'RDP client'. From here you can download the RDP client file, but if you are going to change the default port, copy the 'Public DNS' and keep it somewhere safe.

13. Now click 'Get password' and browse to the .pem file you downloaded earlier. This allows the Administrator password to be decrypted. Click 'Decrypt Password' and it will reveal the instance password you use to log in with RDP. Write it down somewhere safe.

We are now ready to log in to our instance using Remote Desktop. A registry change will be required if you have chosen a custom RDP port. The Windows firewall also needs to be opened for a few ports, and Internet Explorer Enhanced Security Configuration has to be disabled temporarily so that we can download the files needed to start the HYDRA staking node.

Connecting to your server

14. Press the Windows key and type 'Remote Desktop' (mstsc) to bring up the Windows Remote Desktop application.

Important: only log in to the server from a computer you trust; the guide suggests using the on-screen keyboard to enter credentials.

15. Click 'Show Options' and paste your server address into the 'Computer' field. The user name is 'Administrator'. If we are using a custom RDP port we will later append ":9833" to the address. After entering your information, click 'Connect'. Another dialog pops up requesting your password. Enter the password that AWS provided earlier. It is recommended to store this password offline, for example on a piece of paper, rather than in a file on your everyday PC.

Use on-screen keyboard on a computer that is not compromised to enter the password

15. Accept the certificate warning by clicking 'Yes' (the server presents a self-signed RDP certificate, which is expected on a fresh instance). Congratulations, we are now logged in to our server. After a few moments of personalization and initial setup, a 'Networks' dialog asks whether to allow the PC to be discoverable by other computers. Select 'No'.

Congrats we're halfway there!

Adjusting the Firewall

16. We are now going to prepare the server for our node by opening the required ports: TCP 1334 (TCP 3338 for mainnet) and our custom RDP port TCP 9833 if you are using one. No inbound rule is needed for time sync (UDP 123): the Windows firewall is stateful and lets the replies to the server's own outgoing NTP queries back in. Press the Windows key, type 'Firewall' and click 'Windows Defender Firewall'. Once the firewall opens, select 'Advanced settings'.

On the next window, click 'Inbound Rules' and then 'New Rule'.

17. Click 'Port' and then 'Next'. Run the wizard once per port: 1334 (3338 for Mainnet) and 9833, or whichever custom port you chose for RDP. The RDP port will be closed again after setup through the Amazon security group and only re-opened when you need to log in, so in normal operation only the node's peer port is reachable from the internet. That is what greatly improves security here; the firewall rules on their own only permit traffic the security group already lets through.

18. Select 'TCP' and in 'Specific local ports' enter '1334' (3338 for MainNet). This is the port our node uses to connect to other peers. Click 'Next'.

19. Click 'Next' with 'Domain', 'Private' and 'Public' selected.

20. Give the rule a name and click 'Finish'. Repeat the process for your custom RDP port if you chose one. Make sure this rule exists before you change the RDP port in the registry below, otherwise the server will not accept your connection on the new port after the restart and you will be locked out.

The resulting firewall rules should look like this. You can use a different port than 9833 for Remote Desktop, and if you run on Mainnet you will have 3338 instead of 1334; just make sure the same numbers are used everywhere (security group, Windows firewall and registry).

Customizing the Remote Desktop (RDP) port

21. We are now going to set the custom port for Remote Desktop. Press the Windows key, type 'regedit' and click 'Registry Editor'. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Click 'RDP-Tcp', scroll down on the right until you see 'PortNumber' and double-click it. Select 'Decimal' and change the number from 3389 to the port you want to use instead. In this example we will set it to 9833. Click 'OK' to save. A non-default port keeps your server out of the mass scans that only probe 3389, which cuts down the noise of automated login attempts; it does not hide the port from a scanner that probes all ports, so the source-IP restriction and closing the port when not in use remain the real protection.

You will need to restart the instance for the new port to take effect.

22. Let's now test whether our settings are correct by restarting the server and logging in again. Before you restart, double-check that both the security group rule (step 8) and the Windows firewall rule (step 20) exist for 9833; with everything set correctly we should be able to log in using the new port number 9833.

23. Click the server's Windows button, then 'Power' and 'Restart'.

24. To test the new RDP port, connect using the server's address followed by ":9833".

Enter the address and user name (Administrator) and click 'Connect'. If all went well you will be prompted for your password. Enter it and we will finish preparing the server for staking with HYDRA.
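The firewall rules from steps 16 to 20 and the registry change from step 21 can also be applied in one elevated PowerShell session on the server, with the lock-out check built in. This is an added example, not part of the original guide or the HYDRA project; it assumes the guide's port numbers (1334 for testnet, 3338 for mainnet, 9833 for RDP), and the rule names are our own labels:

```powershell
# Added example (not from the original guide): steps 16-21 as one elevated
# PowerShell session on the Windows Server instance.
# Assumptions: the guide's ports (1334 testnet / 3338 mainnet, custom RDP 9833);
# the rule names below are our own labels. Adjust the two variables as needed.
$P2PPort = 1334    # 3338 for mainnet
$RdpPort = 9833    # your custom RDP port

# Step 18: allow inbound TCP on the node's peer-to-peer port, on all profiles.
New-NetFirewallRule -DisplayName "HYDRA P2P $P2PPort" -Direction Inbound `
    -Protocol TCP -LocalPort $P2PPort -Action Allow -Profile Domain,Private,Public

# Step 20: allow inbound TCP on the custom RDP port. This rule must exist BEFORE
# the registry change below takes effect, or the reboot locks you out.
New-NetFirewallRule -DisplayName "RDP custom $RdpPort" -Direction Inbound `
    -Protocol TCP -LocalPort $RdpPort -Action Allow -Profile Domain,Private,Public

# No inbound rule for UDP 123: the firewall is stateful and lets replies to the
# server's own NTP queries back in. Still confirm that the clock is syncing:
w32tm /query /status

# Check: both rules present and enabled before touching the RDP listener.
$rules = Get-NetFirewallRule -DisplayName "HYDRA P2P $P2PPort", "RDP custom $RdpPort"
if (@($rules | Where-Object { $_.Enabled -eq 'True' }).Count -ne 2) {
    throw "Firewall rules missing or disabled; do not change the RDP port yet."
}

# Step 21: move the RDP listener from 3389 to the custom port.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $key -Name PortNumber -Value $RdpPort -Type DWord
"RDP PortNumber is now $((Get-ItemProperty -Path $key -Name PortNumber).PortNumber)"

# Step 23: reboot for the new port to take effect. After logging back in on
# <public-dns>:9833, confirm the listener with:
#   Get-NetTCPConnection -LocalPort 9833 -State Listen
Restart-Computer -Force
```

Run it from an elevated PowerShell window inside the RDP session. The `throw` before the registry write is the important part: if either rule is missing the script stops and you are still connected on 3389, instead of finding out after the reboot that nothing listens on 9833.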

Temporarily disabling Internet explorer Enhanced security

To browse to the release page and download the wallet software we must temporarily disable Internet Explorer Enhanced Security Configuration, which is on by default on Windows Server.

25. Press the Windows key, type 'server manager' and click 'Server Manager'. Click 'Local Server' and, in the right pane, find 'IE Enhanced Security Configuration' and click where it says 'On'. In the window that opens, select 'Off' for both administrators and users. Come back here and set it to 'On' again once the HYDRA wallet is installed.

Installation of the HYDRA wallet

26. We are now ready to install the HYDRA wallet so that we can begin staking. Open Internet Explorer and navigate to https://github.com/Hydra-Chain/node/releases (you can paste the link into the RDP session). If you prefer, install a different browser to make things easier in the future. Download the Windows 64-bit installer only from that official releases page, then run it to install.

Congratulations! The wallet is now ready to be set up. You can now import your wallet.dat if you have one or create a new one to hold funds in. Please see the wallet usage section for more information on using the wallet for staking.

27. To finalize, we log back in to AWS to remove the rule for the original RDP port 3389. Once the wallet is set up for staking we can also close our custom port 9833 and open it only when needed, for added security. Alternatively, you can restrict port 9833 to your home static IP address.

In our case we will close it entirely, since the staking node will rarely need to be accessed anyway. Log back in to Amazon Web Services; if you were logged out, you will be prompted for the MFA code, so have your Authenticator app ready.

28. Navigate to EC2:

29. Now find your instance. Make sure you are in the same region you selected earlier. Click on your instance:

30. Right-click the instance ID, choose 'Security' and then 'Security groups' below it:

31. Select 'Edit inbound rules'

32. Finally, delete or modify all rules except the one for port 1334 (3338 for mainnet). If you prefer, you can keep the RDP port open but restricted to your own IP. Keep a record of all the details in a safe place: port numbers, addresses, passwords, wallet backups and encryption keys.

You can now safely log off from the Remote Desktop session. When you need access again, go back to AWS and re-open the RDP port for the duration of the session.
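The open-when-needed, close-afterwards routine from steps 27 to 32 is easy to script from your own computer, which also avoids accidentally leaving the port open to 'Anywhere'. The following is an added example, not part of the original guide; it uses the AWS CLI (configured with credentials allowed to edit the security group), looks up your current public IP via checkip.amazonaws.com, and assumes the guide's port 9833. The security group ID is a placeholder you must replace with your own:

```powershell
# Added example (not from the original guide): open the custom RDP port only for
# the IP you are connecting from right now, and close it again when you log off.
# Requires the AWS CLI with credentials that may edit the security group.
# Assumptions: the placeholder group ID below (replace with yours) and RDP port 9833.
$GroupId = 'sg-0123456789abcdef0'   # placeholder: your instance's security group
$RdpPort = 9833

function Get-MyPublicIp {
    # checkip.amazonaws.com returns the caller's public IPv4 address as plain text.
    (Invoke-RestMethod -Uri 'https://checkip.amazonaws.com').Trim()
}

function Open-RdpFromHere {
    # /32 means exactly this one address; never fall back to 0.0.0.0/0 here.
    $cidr = "$(Get-MyPublicIp)/32"
    aws ec2 authorize-security-group-ingress --group-id $GroupId `
        --protocol tcp --port $RdpPort --cidr $cidr --output text | Out-Null
    Write-Host "RDP port $RdpPort opened for $cidr"
    return $cidr   # keep it: the revoke must use the same CIDR even if your IP changes
}

function Close-RdpFromHere([string]$Cidr) {
    aws ec2 revoke-security-group-ingress --group-id $GroupId `
        --protocol tcp --port $RdpPort --cidr $Cidr --output text | Out-Null
    Write-Host "RDP port $RdpPort closed for $Cidr"
}

function Show-InboundRules {
    # Review what is still open. After setup only the node's peer port should remain.
    aws ec2 describe-security-groups --group-ids $GroupId `
        --query 'SecurityGroups[0].IpPermissions[].{Proto:IpProtocol,From:FromPort,To:ToPort,Cidr:IpRanges[].CidrIp}' `
        --output table
}

# Typical maintenance session:
#   $cidr = Open-RdpFromHere        # then connect with mstsc to <public-dns>:9833
#   ...do the work on the server...
#   Close-RdpFromHere $cidr
#   Show-InboundRules               # expect only TCP 1334 (or 3338) from 0.0.0.0/0
```

The returned CIDR is stored in `$cidr` on purpose: if your home IP changes while you are logged in, the revoke still matches the rule that was actually created. `Show-InboundRules` at the end is the check that nothing but the peer port is left exposed.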

33. Enabling MFA for logging in to your Windows RDP session

This is a highly recommended step, as it protects your Windows server from attacks that follow an RDP password leak or a brute-force attempt.

Using Duo (owned by Cisco) you can add an additional factor to your Remote Desktop login. Duo offers an app for iOS and Android that lets you approve login attempts before the Windows logon completes. There is a free 30-day trial, and the product also blocks repeated login attempts, sends alerts and has other useful features. After the trial, pricing starts at $3 per user per month. Here is the official guide to get it up and running: https://duo.com/docs/rdp .

Duo is highly recommended because even if the password to your Windows server is compromised, the attacker still has to pass the second factor. Even in a hypothetical leak on Amazon's side, the attacker would still need to get past Duo to reach your server.

Additionally, Duo's push notification doubles as an alert: if someone tries to connect to your server, you are notified on your mobile immediately, and the attempt, including the source IP, is shown in the request.

NB! It is very important to configure Duo with the "fail closed" setting during installation. This ensures the second factor can never be bypassed. The default "fail open" means that if the server cannot reach the Duo service, the 2FA check is skipped and a password alone is enough to log in.

https://duo.com

Important additional considerations:

  • It is recommended not to access your staking node without a reason. You can use the public explorer at explorer.hydrachain.org to monitor the activity of your staking wallet. If your balance is not changing and you do not see any mined blocks, connect and check on the wallet. If everything works smoothly, leave the node to do its job without interfering with it.

  • Windows Server will occasionally need to install security updates. Windows Update only makes outbound connections on ports 80 and 443; the default security group outbound rule and the Windows firewall already allow these, so no inbound port has to be opened for updates. We recommend weekly or monthly maintenance on the staking node where you open the RDP port for the session, install updates, restart if necessary, and close the port again. This keeps your server up to date and lets you confirm the wallet is still staking.