diff --git a/docs/fundamentals/security.md b/docs/fundamentals/security.md index a3b4e75c4..837daf43b 100644 --- a/docs/fundamentals/security.md +++ b/docs/fundamentals/security.md 
@@ -3,24 +3,25 @@ title: Security sidebar_position: 3 --- -# Security +## General security considerations -:::danger -:loudspeaker: **DO NOT** use Nethermind wallet / signers for mainnet ETH handling! +:::tip +Although Nethermind is thoroughly tested, the more popular it becomes, the more likely it will be the target of client-specific attacks. Generally, you should always consider running backup client nodes implemented by a different team for any critical operations. ::: -:::danger -:loudspeaker: JSON RPC endpoint (port `8545`) should **NOT** be exposed publicly (should be behind the firewall). +:::warning +Enable only the JSON-RPC namespaces you absolutely need. This is particularly important for namespaces like `admin` and `debug`, as they can be exploited to get elevated access to your node or for DOS attacks. ::: :::danger -:loudspeaker:The private key from which the node ID is derived is stored on disk (**NOT** protected by password). +The private key the node id is derived from is stored on the disk as plaintext. ::: -:::warning -Nethermind is thoroughly tested but the more popular it will get the more likely it will be the target of client-specific attacks. Generally you should always consider running backup client nodes implemented by a different team for any critical operations. -::: +## Networking security + +These rules are **highly recommended** to be applied to your firewall: + +- Block all traffic to the port `8545`, or whatever port is defined for JSON-RPC interface, except for traffic from explicitly defined trusted sources. +- Allow traffic to the TCP port `30303` or whatever port is defined for P2P communication. This allows the node to connect to peers. +- Allow traffic to the UDP port `30303` or whatever port ia defined for P2P communication. This allows node discovery. -:::info -For non-mainnet signing you can use dev wallet configurations. -:::
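Review bot: typo in the third firewall bullet of the new "Networking security" section: `whatever port ia defined for P2P communication` should read `is defined`. Two more points on the same hunk: the removed `:::danger` admonition telling users not to use the Nethermind wallet / signers for mainnet ETH handling and the removed `:::info` note about dev wallet configurations disappear without a replacement or a pointer to where that guidance now lives, so either keep the wallet warning here or link to the page that now carries it; and in the new `:::warning` admonition, `DOS attacks` should be written `DoS attacks`.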