How to make zend run on a low numbered network port

I decided to change the port on my Zen node today. I wanted to run some nodes on port 443, 80, 53, and other common ports so they can’t be blocked by firewalls. Those ports are usually open for users. Firewalls are used to seeing encrypted traffic over port 443, so that is a likely port to use. It may make a difference for a person to be able to use their Zen wallet or not in some situations.

Unfortunately, a user level process can’t typically access ports less than 1000, unless given special permission by root. Fortunately, we have root access on our linux server!

This is a side note and a followon to this article on How to Build a Zen Secure Node – Part 2

First, change the port zend binds on by adding this line to the ~/.zen/zen.conf file:

port=443

Then create a zen start script. You can call it zennodestart.sh or anything else you want.

vim ~/zennodestart.sh

Put in the file:

#!/bin/bash
sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/zend
/usr/bin/zend

Make it executable

chmod +x ~/zennodestart.sh

Give this script permission to be called with the sudo command without password by adding a line to the bottom of the sudoers file. Edit the sudoers file with the command:

sudo visudo

add to the bottom (put your own username instead of blockops!):

blockops ALL=(ALL) NOPASSWD: /home/blockops/zennodestart.sh

Set the Zen node to start on boot by adding a line to the bottom of the user crontab file using the command

crontab -e

Add this to the bottom (put your own username instead of blockops!)

@reboot /usr/bin/sudo /home/blockops/zennodestart.sh

If we are going to run our zend on port 443, we need to stop it when we renew our letsencrypt cert, so create a script for certification renewal, call it renewcertbot.sh

vim ~/renewcertbot.sh

put this in the script:

#!/bin/bash
/usr/bin/zen-cli stop
/usr/bin/sudo /usr/bin/certbot renew 
/usr/bin/zend

Make it executable

chmod +x ~/renewcertbot.sh

Give this script permission to be called with the sudo command without password by adding a line to the bottom of the sudoers file. Edit the sudoers file with the command:

sudo visudo

add to the bottom (put your own username instead of blockops!):

blockops ALL=(ALL) NOPASSWD: /home/blockops/renewcertbot.sh

Save the file, then test by typing

sudo ~/renewcertbot.sh

The output should look like this:

Set the script to run every week or so by adding a line to the bottom of the user crontab file using the command

crontab -e

Add this to the bottom (put your own username instead of blockops!)

30 2 * * 1 /usr/bin/sudo /home/rolf/renewcertbot.sh

test that it works

zen-cli stop
zend
sudo netstat -peanut | grep zend

It should look somewhat like this. Notice the first line showing the zend process is listening on tcp port 443:

Let’s make sure the firewall is still open on port 443

sudo ufw status

The upper part of the output should look like this:

To Action From
 -- ------ ----
 22/tcp LIMIT Anywhere
 80/tcp ALLOW Anywhere
 443/tcp ALLOW Anywhere

At this point you have changed zend to listen on port 443, created a script to automatically start it, made sure the SSL cert gets renewed, and checked that the zend process is listening on port 443, and made sure the firewall is open on that port.

For the heck of it, let’s check one more thing. I did not know this command, so I found it by typing

zen-cli help

The command I wanted was

zen-cli getnetworkinfo

This is the output:

If you run your node for a while, you will see more and more nodes start to connect to it. This should work for any type of cryptocurrency node, by the way. The problem with most cryptocurrencies is the data is not encrypted. It’s worth doing this for Zen because there will be an upgrade soon to encrypt all traffic between wallets and nodes, with Secure Node using TLS certificates.