Fluxme.io
Best Practices

Security Best Practices

Protecting your keys, securing your nodes, and backup strategies.

10 min read
securitykeysbackup

Running a Flux node hosting operation means you are responsible for securing both your own infrastructure and your clients' investments. A single security lapse can result in lost collateral, compromised nodes, or reputational damage. This guide covers the essential security practices every Flux provider should implement from day one.

Private Key & Wallet Security

Your private keys and identity keys are the most critical assets in your operation. If compromised, an attacker can steal collateral, redirect rewards, or take control of your nodes. Treat key security as your absolute top priority.

NEVER share private keys, identity keys, or wallet seed phrases via email, Discord, Telegram, or any messaging platform. No legitimate Flux team member will ever ask for your private keys.

  • β€’Use hardware wallets for high-value collateral β€” Ledger or Trezor via Zelcore for Stratus-level holdings
  • β€’Use SSP Wallet with 2-of-2 multisig for an extra layer of transaction security
  • β€’Store seed phrases offline β€” write them on paper or use metal backup plates, never store digitally
  • β€’Test recovery before locking collateral β€” verify you can restore your wallet from the seed phrase
  • β€’Use separate wallets for operational funds vs. collateral to limit exposure
  • β€’Enable encryption on all wallet files stored on computers

Server Security Fundamentals

Every server running a FluxNode is a potential target. Securing your servers properly is essential to maintaining uptime, protecting client nodes, and ensuring PNR eligibility.

SSH Hardening

SSH is the primary access method for your servers. Hardening SSH is the first line of defense against unauthorized access.

  1. 1

    Use SSH key authentication

    Generate an ED25519 key pair: ssh-keygen -t ed25519. Copy your public key to the server and disable password authentication entirely.

  2. 2

    Disable root login

    Set PermitRootLogin no in /etc/ssh/sshd_config. Create a regular user with sudo privileges instead.

  3. 3

    Change the default SSH port

    Move SSH from port 22 to a non-standard port (e.g., 2222) to reduce automated brute-force attempts.

  4. 4

    Limit login attempts

    Install fail2ban to automatically ban IPs after repeated failed login attempts.

SSH hardening - /etc/ssh/sshd_config

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Port 2222
AllowUsers youruser

Firewall Configuration

A properly configured firewall ensures only necessary traffic reaches your node. FluxOS requires specific ports to be open for node communication and the web UI.

UFW firewall setup for FluxNodes

# Reset and set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (use your custom port if changed)
sudo ufw allow 2222/tcp

# FluxOS required ports
sudo ufw allow 16124/tcp    # Flux daemon
sudo ufw allow 16125/tcp    # Flux daemon
sudo ufw allow 16126/tcp    # FluxOS API
sudo ufw allow 16127/tcp    # FluxOS API
sudo ufw allow 16128/tcp    # FluxOS communication
sudo ufw allow 16129/tcp    # FluxOS communication
sudo ufw allow 16132/tcp    # FluxOS UI

# Enable firewall
sudo ufw enable

Install fail2ban for automatic brute-force protection: sudo apt install fail2ban. The default configuration protects SSH. For custom SSH ports, update /etc/fail2ban/jail.local accordingly.

System Maintenance & Updates

Keeping your systems updated is critical for security. Unpatched vulnerabilities are one of the most common attack vectors.

  • β€’Enable automatic security updates β€” install unattended-upgrades on Ubuntu to auto-apply critical patches
  • β€’Keep FluxOS updated β€” always run the latest version; outdated versions may fail benchmarks or lose PNR eligibility
  • β€’Monitor CVEs β€” subscribe to Ubuntu security notices for your server OS version
  • β€’Reboot regularly β€” kernel updates often require reboots; plan maintenance windows
  • β€’Use ArcaneOS β€” the hardened OS handles security updates automatically

Enable automatic security updates on Ubuntu

sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# Verify it is enabled
cat /etc/apt/apt.conf.d/20auto-upgrades

Client Credential Management

As a provider, you may handle client Zel IDs, identity keys, and payment information. Protecting this data is both an ethical obligation and a business necessity.

  • β€’Never store client private keys β€” clients should manage their own keys; you only need their Zel ID for node setup
  • β€’Use encrypted channels for sharing any sensitive information (encrypted email, Signal, or in-portal messaging)
  • β€’Implement access controls β€” limit which team members can access client data
  • β€’Delete sensitive data when no longer needed β€” don't retain identity keys after node configuration
  • β€’Document your data handling β€” have a clear privacy policy that clients can review

Backup Strategy

A robust backup strategy protects against data loss, server failures, and ransomware attacks.

What to BackupFrequencyStorage
Wallet seed phrasesOnce (on creation)Offline only (paper/metal)
Node configurationsAfter each changeEncrypted cloud + local
Client databaseDailyEncrypted offsite backup
Server configsWeeklyGit repository (private)
Monitoring configsAfter each changeGit repository (private)

Incident Response Plan

Despite best efforts, security incidents can occur. Having a plan ensures you react quickly and minimize damage.

  1. 1

    Detect

    Monitoring alerts notify you of unusual activity β€” unauthorized logins, unexpected reboots, benchmark failures.

  2. 2

    Contain

    Immediately isolate the affected server. Change SSH keys and passwords. Block suspicious IPs.

  3. 3

    Assess

    Determine the scope: was collateral at risk? Were client nodes affected? Check wallet balances and node statuses.

  4. 4

    Remediate

    Rebuild compromised servers from scratch (never trust a compromised system). Rotate all keys and credentials.

  5. 5

    Communicate

    Notify affected clients promptly and transparently. Explain what happened and what you've done to fix it.

  6. 6

    Learn

    Document the incident. Update your security practices to prevent recurrence.

Keep an emergency contact list ready: your VPS provider's abuse/emergency line, Flux Discord for network-level issues, and your clients' contact details for rapid notification.

Sources & Further Reading

Other articles in Best Practices

Provider Pricing Strategy

How to price your hosting services competitively while maintaining profitability.

Client Management Guide

Best practices for onboarding, communicating with, and retaining hosting clients.

Monitoring & Alerting

Setting up comprehensive monitoring with Discord, email, and dashboard alerts.

Scaling Your Operations

Strategies for growing your hosting business and automating operations.

Provider Agent β€” Turnkey Solution

How the Provider Agent transforms any ArcaneOS node owner into a hosting provider with automated setup, payments, and client management.