Split: update docs/v3/guidelines/nodes/running-nodes/secure-guidelines.mdx (from ai-fixes-big vs main) (#1653)

* Split: update docs/v3/guidelines/nodes/running-nodes/secure-guidelines.mdx (from ai-fixes-big vs main)

* fixes

---------

Co-authored-by: AlexG <[email protected]>

Author: Gusarich

docs/v3/guidelines/nodes/running-nodes/secure-guidelines.mdx

@@ -1,33 +1,33 @@
 import Feedback from '@site/src/components/Feedback';
 
-# Secure guidelines for nodes
+# Security guidelines for nodes
 
-Ensuring the security of nodes, particularly in decentralized networks such as blockchain or distributed systems, is essential for maintaining data integrity, confidentiality, and availability. The guidelines for securing nodes should cover several layers, including network communication, hardware, and software configurations. Below are a set of guidelines to enhance node security:
+Ensuring the security of nodes, particularly in decentralized networks such as blockchain or distributed systems, is essential for maintaining data integrity, confidentiality, and availability. The guidelines for securing nodes should cover several layers, including network communication, hardware, and software configurations. Below is a set of guidelines to enhance node security:
 
-### 1. Use the server exclusively to operate the TON node:
+### 1. Use the server exclusively to operate the node
 
 - Using the server for additional tasks presents a potential security risk.
 
-### 2. Update and patch regularly:
+### 2. Update and patch regularly
 
 - Keep your system updated with the latest security patches.
 
 - Regularly use package management tools like apt (Debian/Ubuntu) or yum/dnf (CentOS/Fedora) to perform updates.
 
   ```bash
-  #Debian/Ubuntu
-  sudo apt update && sudo  apt  upgrade  -y
+  # Debian/Ubuntu
+  sudo apt update && sudo apt upgrade -y
 
-  #CentOS
-  sudo yum update && sudo yum upgrade -y
+  # CentOS
+  sudo yum update -y
 
-  #Fedora
-  sudo dnf update && sudo dnf upgrade -y
+  # Fedora
+  sudo dnf upgrade -y
   ```
 
 - Consider automating security updates by enabling unattended upgrades for your system.
 
-### 3. Ensure a robust SSH configuration:
+### 3. Ensure a robust SSH configuration
 
 - **Disable root login:** Prevent root access through SSH by editing the `/etc/ssh/sshd_config` file.
 
@@ -43,6 +43,11 @@ Ensuring the security of nodes, particularly in decentralized networks such as b
   ```bash
   Port 2222
   ```
+- After editing `/etc/ssh/sshd_config`, apply changes with `sudo systemctl reload ssh` (Debian/Ubuntu) or `sudo systemctl reload sshd` (RHEL/CentOS/Fedora).
+
+:::caution
+Before disabling password authentication or changing the SSH port, ensure you can sign in with SSH keys and that firewall rules allow the new port to avoid lockout.
+:::
 - **Restrict SSH access:** Allow SSH connections only from trusted IP addresses by implementing firewall rules.
 
 ### 4. Implement a firewall
@@ -53,53 +58,73 @@ Ensuring the security of nodes, particularly in decentralized networks such as b
   sudo ufw allow 22/tcp # Allow SSH
   sudo ufw allow 80/tcp # Allow HTTP
   sudo ufw allow 443/tcp # Allow HTTPS
+  sudo ufw default deny incoming
+  sudo ufw default allow outgoing
   sudo ufw enable # Enable firewall
   ```
 
+- Note: Replace `22` with your configured SSH port (e.g., `2222`). Also, if running a full node, ensure the required UDP port is allowed/forwarded. See [port forwarding](guidelines/nodes/running-nodes/full-node#port-forwarding).
+
 ### 5. Monitor logs
 
 - Regularly monitor system logs to detect suspicious activities:
-  - `/var/log/auth.log` (for authentication attempts)
+  - `/var/log/auth.log` (authentication attempts on Debian/Ubuntu)
+  - `/var/log/secure` (authentication attempts on RHEL/CentOS)
   - `/var/log/syslog` or `/var/log/messages`
 - Consider implementing centralized logging.
 
 ### 6. Limit user privileges
 
-- Grant root or sudo privileges only to trusted users. Use the sudo command carefully and audit the `/etc/sudoers` file to limit access.
+- Grant root or sudo privileges only to trusted users. Use the sudo command carefully and use `visudo` to audit/edit the `/etc/sudoers` file to limit access.
 
 - Regularly review user accounts and remove any unnecessary or inactive users.
 
 ### 7. Utilize SELinux or AppArmor
 
-- **SELinux** (on RHEL/CentOS) and **AppArmor** (on Ubuntu/Debian) provide mandatory access control, adding an extra layer of security by restricting programs from accessing specific system resources.
+- **SELinux** (on RHEL/CentOS/Fedora) and **AppArmor** (on Ubuntu/Debian) provide mandatory access control, adding an extra layer of security by restricting programs from accessing specific system resources.
 
 ### 8. Install security tools
 
 - Utilize tools such as **Lynis** to conduct regular security audits and identify potential vulnerabilities:
 
   ```bash
-  sudo apt install lynis
+  # Debian/Ubuntu
+  sudo apt install lynis -y
+
+  # RHEL/CentOS/Fedora
+  sudo dnf install lynis -y
+
+  # Run audit
   sudo lynis audit system
   ```
 
 ### 9. Disable unnecessary services
 
-- To minimize the attack surface, disable or remove any unused services. For instance, if FTP or mail services are not needed, ensure to disable them:
+- To minimize the attack surface, disable or remove any unused services. For instance, if FTP or mail services are not needed, ensure you disable them:
 
   ```bash
-  sudo systemctl disable service_name
+  sudo systemctl disable <service_name>
   ```
 
 ### 10. Implement intrusion detection and prevention systems (IDS/IPS)
 
 - Use tools like **Fail2ban** to block IP addresses after multiple failed login attempts:
 
   ```bash
-  sudo apt install fail2ban
+  # Debian/Ubuntu
+  sudo apt install fail2ban -y
+
+  # RHEL/CentOS/Fedora
+  sudo dnf install fail2ban -y
   ```
 
 - Utilize **AIDE (Advanced Intrusion Detection Environment)** to monitor file integrity and identify any unauthorized changes.
 
+### Unattended updates
+
+- Debian/Ubuntu: `sudo apt install unattended-upgrades`
+- RHEL/Fedora: `sudo dnf install dnf-automatic -y && sudo systemctl enable --now dnf-automatic.timer`
+
 :::caution
 Please remain vigilant and ensure that your node is secure at all times.
 :::