We make sure that your MicroBolt is secured against unauthorized remote access.

The MicroBolt will be visible from the internet and therefore needs to be secured against online attacks using various methods.

Login with SSH keys

One of the best options to secure the sensitive SSH login is to disable passwords altogether and require an SSH key certificate. Only someone with physical possession of the private certificate key can log in.

Preparations on host system

Create a new public/private key pair


Skip if you already have one

ssh-keygen -t rsa -b 4096

Follow instructions, optionally enter a key passphrase to protect your key, you can use password [A]

The public key now needs to be copied to the PC

cat ./.ssh/ |
    ssh satoshi@nakamoto01 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Preparations on server system

It's also recommended to change default ssh port 22, to something else like 2222

Disable password and root logins

sed 's/DROPBEAR_OPTS=""/DROPBEAR_OPTS="-w -s -p 2222"/' /etc/conf.d/dropbear > _
$SU mv -f _ /etc/conf.d/dropbear

Restart service to apply changes

$SU rc-service \
    $(which dropbear >/dev/null && {
            printf "%s" "dropbear"
        } || {
            $(which openssh >/dev/null &&
                printf "%s" "sshd"
    ) restart

Disable root account

$SU passwd -l root

Enabling the Uncomplicated Firewall

A firewall controls what kind of outside traffic your machine accepts and which applications can send data out. By default, many network ports are open and listening for incoming connections. Closing unnecessary ports can mitigate many potential system vulnerabilities.

Install ufw

$SU apk add ip6tables ufw

For now, only SSH should be reachable from the outside. Bitcoin Core and LND are using Tor and don't need incoming ports.

With user satoshi, configure and enable the firewall rules

Replace 22 with your choosen port

$SU ufw default deny incoming
$SU ufw default allow outgoing
$SU ufw allow 22/tcp comment 'allow SSH'
$SU ufw logging off
$SU ufw enable

Make sure that the UFW is started automatically on boot

$SU rc-update add ufw default

Check if the UFW is properly configured and active

$SU ufw status verbose
Status: active
Logging: off
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                   ALLOW IN    Anywhere                   # allow SSH
22/tcp (v6)              ALLOW IN    Anywhere (v6)              # allow SSH

If you find yourself locked out by mistake, you can connect a keyboard and screen to your PC to log in locally and fix these settings (especially for the SSH port).


The SSH login to the node must be specially protected. An additional measure is to install fail2ban, which prevents an attacker from gaining access via brute force. It simply cuts off any remote system with five failed login attempts for ten minutes.

  • Install fail2ban
$SU apk add fail2ban
  • Start and enable on boot
$SU rc-service fail2ban start
$SU rc-update add fail2ban default

The initial configuration is fine, as it protects SSH by default.


Several components of this guide will expose a communication port, for example, the Block Explorer, or the ThunderHub web interface for your Lightning node. Even if you use these services only within your own home network, communication should always be encrypted. Otherwise, any device in the same network can listen to the exchanged data, including passwords.

We use Ngnix to encrypt the communication with SSL/TLS (Transport Layer Security). This setup is called a "reverse proxy": Nginx provides secure communication to the outside and routes the traffic back to the internal service without encryption.

Install ngnix

$SU apk add nginx nginx-mod-stream

Create a self-signed SSL/TLS certificate (valid for 10 years)

$SU openssl req \
    -x509 \
    -nodes \
    -newkey rsa:4096 \
    -keyout /etc/ssl/private/nginx-selfsigned.key \
    -out /etc/ssl/certs/nginx-selfsigned.crt \
    -subj "/CN=localhost" \
    -days 3650

Backup and create new configuration

NGINX is also a full web server. To use it only as a reverse proxy, backup the default configuration and paste the following configuration into the nginx.conf file

$SU mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
$SU $EDITOR /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
load_module /usr/lib/nginx/modules/;
error_log /var/log/nginx/error.log warn;
pid /run/nginx/;
include /etc/nginx/modules-enabled/*.conf;
events {
  worker_connections 768;
http {
  ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
  ssl_session_cache shared:HTTP-TLS:1m;
  ssl_session_timeout 4h;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  include /etc/nginx/mime.types;
  include /etc/nginx/sites-enabled/*.conf;
stream {
  ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
  ssl_session_cache shared:STREAM-TLS:1m;
  ssl_session_timeout 4h;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  include /etc/nginx/streams-enabled/*.conf;

Create directories for future configuration files

$SU mkdir -p \
    /etc/nginx/sites-available \
    /etc/nginx/sites-enabled \
    /etc/nginx/streams-available \

Test this barebone Nginx configuration

$SU nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Start Nginx to apply the configuration

$SU rc-service nginx start

Add nginx service to runlevel

$SU rc-update add nginx default

You can monitor the Nginx logs by entering this command. Exit with Ctrl + C

tail -f /var/log/messages | grep nginx

You can monitor Nginx error logs by entering this command. Exit with Ctrl + C

$SU tail -f /var/log/nginx/error.log