Since no official CIS Benchmark for Geth exists, this review adapts the (draft) and general blockchain/node hardening principles.

Create a dedicated, non-root user (e.g., ethereum) to run the Geth service.

2. Network and Firewall Configuration


| CIS Control | Geth Setting | Recommendation | Risk if ignored |
|-------------|--------------|----------------|-----------------|
| Disable HTTP RPC unless required | --http=false | Use IPC or WS over localhost only | Remote execution, info leak |
| 1.2 Restrict HTTP RPC methods | --http.api=eth,net,web3 | Never expose admin, debug, personal | Unauthorized shutdown, account compromise |
| 1.3 Enable authentication for WebSocket | --ws --ws.origins + proxy auth (basic/jwt) | Use JWT secret (--authrpc.jwtsecret) | Replay attacks, tx manipulation |
| 1.4 Disable GraphQL if unused | --graphql=false | Default: off | Data exfiltration via complex queries |
| 2.1 Limit peer count | --maxpeers=50 (private) / --maxpeers=100 (mainnet) | Prevents eclipse attack | Memory exhaustion, eclipse |
| 2.2 Use static trusted peers | --trusted-peers + static-nodes.json | Avoids malicious peer injection | Gossip layer compromise |
| 3.1 Enable transaction journaling | --txlookuplimit=0 (archive) | Default 1M txs is safe | Inability to query old txs |
| 3.2 Disable wallet / personal API | --nousb + --unlock="" | Prevents key extraction | Physical/USB key attack |
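The table above is only useful if it is checked against what the node actually runs with. The script below is an added example, not part of this review or of the Geth project: it takes a Geth argument string (for instance the ExecStart line of a systemd unit) and prints one PASS/FAIL line per table row that maps to a single flag (1.1 to 1.4, 2.1 and 3.2). The flag names are the ones quoted in the table; the two argument strings, the helper names (flag_present, flag_value, geth_audit, geth_fail_count) and the 100-peer ceiling taken from the mainnet column are constructed for the example. For 1.3 the check is the part of the row that is visible on the command line, an explicit --ws.origins allow-list whenever --ws is on.

```bash
#!/bin/sh
# Added example, not part of the original review: audit a Geth argument string against
# the table rows that map to a single flag (1.1-1.4, 2.1, 3.2). Flag names come from the
# table; the two argument strings below are constructed samples.

# Constructed sample: a risky invocation, as it might appear in a systemd ExecStart line.
SAMPLE_ARGS='--http --http.api eth,net,web3,admin --ws --graphql --maxpeers 200 --unlock 0xabc'
# Constructed sample: the same node with the table's recommendations applied.
HARDENED_ARGS='--http=false --http.api=eth,net,web3 --ws --ws.origins=https://dapp.example --graphql=false --maxpeers=50 --nousb'

# flag_present ARGS FLAG: succeed if FLAG appears as its own token ("--ws" or "--ws=...").
# "--ws.origins" does not count as "--ws" because a space or "=" must follow the flag.
flag_present() {
  case " $1 " in
    *" $2 "*|*" $2="*) return 0 ;;
  esac
  return 1
}

# flag_value ARGS FLAG: print the value written as "--flag=value" or "--flag value"
# (empty output when the flag is absent or is the last token).
flag_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk -v f="$2" '
    $0 == f               { if ((getline) > 0) print; exit }
    index($0, f "=") == 1 { print substr($0, length(f) + 2); exit }'
}

# report STATUS RULE MESSAGE: one line per check, in a grep-friendly format.
report() { printf '%s %s %s\n' "$1" "$2" "$3"; }

# geth_audit ARGS: print one PASS/FAIL line per benchmark row.
geth_audit() {
  args="$1"

  # 1.1 HTTP RPC off unless required (--http absent or --http=false)
  if flag_present "$args" --http && [ "$(flag_value "$args" --http)" != false ]; then
    report FAIL 1.1 "HTTP RPC enabled; prefer IPC or localhost-only WS"
  else
    report PASS 1.1 "HTTP RPC disabled"
  fi

  # 1.2 admin/debug/personal never exposed over HTTP
  case ",$(flag_value "$args" --http.api)," in
    *,admin,*|*,debug,*|*,personal,*) report FAIL 1.2 "privileged namespace in --http.api" ;;
    *) report PASS 1.2 "--http.api limited to unprivileged namespaces" ;;
  esac

  # 1.3 WebSocket only with an explicit origin allow-list
  if flag_present "$args" --ws && ! flag_present "$args" --ws.origins; then
    report FAIL 1.3 "--ws enabled without --ws.origins"
  else
    report PASS 1.3 "WebSocket disabled or origin-restricted"
  fi

  # 1.4 GraphQL off (--graphql absent or --graphql=false)
  if flag_present "$args" --graphql && [ "$(flag_value "$args" --graphql)" != false ]; then
    report FAIL 1.4 "GraphQL enabled"
  else
    report PASS 1.4 "GraphQL disabled"
  fi

  # 2.1 peer count capped at the table's mainnet ceiling of 100
  mp=$(flag_value "$args" --maxpeers)
  case "$mp" in
    '')       report PASS 2.1 "--maxpeers at default" ;;
    *[!0-9]*) report FAIL 2.1 "--maxpeers is not numeric: $mp" ;;
    *) if [ "$mp" -le 100 ]; then report PASS 2.1 "--maxpeers=$mp"
       else report FAIL 2.1 "--maxpeers=$mp exceeds 100"; fi ;;
  esac

  # 3.2 no account unlocked at startup (--unlock absent or --unlock="")
  u=$(flag_value "$args" --unlock)
  if [ -n "$u" ] && [ "$u" != '""' ]; then
    report FAIL 3.2 "account unlocked at startup via --unlock"
  else
    report PASS 3.2 "no account unlocked at startup"
  fi
}

# geth_fail_count ARGS: print the number of FAIL lines (0 when fully compliant).
geth_fail_count() {
  geth_audit "$1" | grep -c '^FAIL' || true
}

geth_audit "$SAMPLE_ARGS"
echo "failures: $(geth_fail_count "$SAMPLE_ARGS")"   # 6 for the risky sample
```

Run it against the real unit with something like `geth_audit "$(systemctl cat geth | sed -n 's/^ExecStart=[^ ]* //p')"`; a non-zero failure count is the signal to compare the unit against the table. The checks only see command-line flags, so settings that come from a TOML config file or from a reverse proxy in front of the node (the "proxy auth" part of row 1.3) still need a separate review.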

Here is a consolidated feature overview of :