Ereignishorizont
Blitz⚡Bank +

Extras for the Lightning⚡Bank

A collection of tips, tricks, and other information about the Phoenix Wallet and LNbits.

1. Help to Check Services

1.1 Manually Check Services

sudo systemctl status lnbits
sudo journalctl -u lnbits -f --since "2 hour ago"
sudo systemctl status phoenixd
sudo journalctl -u phoenixd -f --since "2 hour ago"
sudo systemctl status caddy
sudo journalctl -u caddy -f --since "2 hour ago"

1.2 Create a Simple Script Check

nano ~/check_services.sh
#!/bin/bash
if systemctl is-active --quiet phoenixd; then
   echo "Phoenixd is running."
else
   echo "Phoenixd is not running."
fi
if systemctl is-active --quiet lnbits; then
   echo "LNbits is running."
else
   echo "LNbits is not running."
fi
if systemctl is-active --quiet caddy; then
   echo "Caddy is running."
else
   echo "Caddy is not running."
fi

CTRL+X -> Y -> ENTER

chmod +x ~/check_services.sh
~/check_services.sh

-> You can now always run the script with ~/check_services.sh.

2. System Maintenance / Snapshot

2.1 Create Snapshot

sudo systemctl stop lnbits
sudo systemctl stop phoenixd
sudo shutdown -h now

-> Create a snapshot through the hosting provider’s website and then restart the VPS.

2.2 System Update

sudo systemctl stop lnbits
sudo systemctl stop phoenixd
sudo su -

Run the update:

apt update && apt upgrade -y

-> Confirm if needed with y and Enter

reboot

-> Wait a moment and then log back in

2.3 LNbits Update

sudo systemctl stop lnbits
cd ~/lnbits
git pull
poetry self update
poetry install --only main

Restart LNbits:

sudo systemctl start lnbits

-> You can verify the version at the bottom left of the LNbits homepage.

Check LNbits log:

sudo journalctl -u lnbits -f --since "2 hour ago"

-> SUCCESS | ✔️ Backend PhoenixdWallet connected and with a balance of xxx msat.

2.4 Phoenix Wallet Update

sudo systemctl stop lnbits
sudo systemctl stop phoenixd

-> LNbits and the Phoenix daemon are now stopped

Check for the latest version: https://github.com/ACINQ/phoenixd/releases
Then adjust the version numbers in lines 2 and 3 accordingly.

cd phoenixd
wget https://github.com/ACINQ/phoenixd/releases/download/v0.4.x/phoenix-0.4.x-linux-x64.zip
unzip -j phoenix-0.4.x-linux-x64.zip

-> Confirm twice with y and Enter

Start Phoenix:

sudo systemctl start phoenixd
sudo systemctl start lnbits

Check the version:

~/phoenixd/phoenix-cli getinfo

-> See “version” in the output

Check in the LNbits log whether the PhoenixdWallet backend has connected successfully:

sudo journalctl -u lnbits -f --since "2 hour ago"

-> SUCCESS | ✔️ Backend PhoenixdWallet connected and with a balance of xxx msat.

3. Useful Information About LNbits

3.1 Activate LNbits Extensions

In the Super User Account, under Extensions / ALL on the left, select all the extensions you want to activate with MANAGE, choose the latest repository, and install it. Under INSTALLED you will find the activated extension.

3.2 Top Up Wallets via TOPUP

Whenever you create completely new wallets, they are also new user accounts. To identify the user in your database, assign a Username to the account. Then, in the Super User Account under Users / TOPUP, you can top up a specific wallet without a Lightning transaction. Find the username in the list, click on the three bars on the left to show wallets, then click on Copy Wallet ID. Perform a page refresh after topping up. Since LNbits manages wallet balances in a database, you can enter any amount you want. The “real” Satoshis are contained in the Lightning channel of the funding source.

3.3 Database Backup / Recovery

Backing up an LNbits SQLite database (the default) is quite simple. You only need to stop the LNbits server briefly, back up the ~/lnbits/data folder, and start it again. To do this, the folder is compressed here with the tar command and the resulting file is then copied to the client PC.

On the server (VPS):

sudo systemctl stop lnbits
cd ~/lnbits
tar cfv data_backup_jjmmdd.tar ./data
sudo systemctl start lnbits

On the client (computer):

scp blitzbank@yourIPaddress:/home/blitzbank/lnbits/data_backup_jjmmdd.tar ./

-> You should now have backed up the file data_backup_jjmmdd.tar on your computer and LNbits should be running again.

To restore the database, go the other way round:

On the client (computer):

scp data_backup_jjmmdd.tar blitzbank@yourIPaddress:/home/blitzbank/lnbits/

On the server (VPS):

sudo systemctl stop lnbits
cd ~/lnbits
mv data data.backup
tar -xvf data_backup_jjmmdd.tar
sudo systemctl start lnbits

-> This should restore the backup.
-> The mv command only renames the “data” folder to “data.backup”, so you can return to the previous state by renaming it back.

Note: If you have set an individual port for the SSH connection, you must use the following commands for the transfer:

scp -P 1001 blitzbank@yourIPaddress:/home/blitzbank/lnbits/data_backup_jjmmdd.tar ./
scp -P 1001 data_backup_jjmmdd.tar blitzbank@yourIPaddress:/home/blitzbank/lnbits/

-> It is important to use the capital “P” here and not the lower case “p” as usual.

3.4 Cronjob and External Backup

On the Target Machine

Create a user named “backup” on a second VPS that you would like to use as backup storage. This user does not need admin rights but will need an entry in the sshd_config.

sudo adduser backup
sudo nano /etc/ssh/sshd_config
AllowUsers backup

Restart the SSH service and then log in with the new user:

sudo systemctl restart ssh
exit 

Create a “backups” folder and open the “authorized_keys” file:

mkdir ~/backups
mkdir ~/.ssh
nano ~/.ssh/authorized_keys 

-> Paste the .pub key of the Lightning⚡Bank VPS here.

On the Backup Source

Log in to the Lightning⚡Bank VPS and also create a directory named “backups”.

mkdir ~/backups

Test the archiving command:

tar cfv ~/backups/data.tar ~/lnbits/data

-> A “data.tar” file should now be found in the “backups” directory.

Test the transfer command:

scp -P 1001 -i ~/.ssh/id_rsa ~/backups/data.tar backup@backupIPaddress:~/backups/data_$(date +\%Y\%m\%d_\%H\%M).tar

Note: The transfer here refers to a backup VPS that uses an SSH key (id_rsa) and an individual SSH port (1001). See section 5, “Enhancing VPS Access Security”, below.

-> Verify the receipt on the target machine.

Set up a cronjob to automate the archiving and transfer to the target machine:

crontab -e

Fill in with:

# Backup every hour at minute 0
0 */1 * * * tar cfv ~/backups/data_$(date +\%H\%M).tar ~/lnbits/data
# Daily backup at 5 minutes after 0 o'clock
5 0 * * * tar cfv ~/backups/data_$(date +\%Y\%m\%d).tar ~/lnbits/data
# Daily backup at 10 minutes after 0 o'clock for transfer
10 0 * * * tar cfv ~/backups/data.tar ~/lnbits/data
# Daily transfer at 15 minutes after 0 o'clock 
15 0 * * * scp -P 1001 -i ~/.ssh/id_rsa ~/backups/data.tar backup@backupIPaddress:~/backups/data_$(date +\%Y\%m\%d_\%H\%M).tar
# Delete all entries older than 7 days at 20 minutes after 0 o'clock
20 0 * * * find ~/backups/* -type f -mtime +7 -delete

-> Do not forget to set up a cronjob on the receiving side to regularly delete old backups as well.

You can check the available storage space with the command df -T -h. You can use the ls -lha command to display files in a human-readable form.
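Putting sections 3.3 and 3.4 together, here is an added example script (not from the Blitz⚡Bank page) that runs the whole stop, archive, restart, transfer and prune cycle from a single cron entry, stopping LNbits first as section 3.3 does so the SQLite file is not archived while it is being written. It assumes the backup host, port and key file used in the commands above (placeholders), that the blitzbank user can run sudo systemctl without a password prompt when cron calls it (otherwise put the entry in root's crontab), and that the receiving side keeps its own prune job.

```shell
#!/bin/bash
# Added example, not from the Blitz⚡Bank page: the stop -> tar -> start ->
# scp -> prune cycle of sections 3.3 and 3.4 as one script for one cron line.
# Assumed values (placeholders, adjust to your setup):
BACKUP_HOST="backup@backupIPaddress"   # assumed target user/host (section 3.4)
BACKUP_PORT=1001                        # assumed custom SSH port (section 5.4)
BACKUP_KEY="$HOME/.ssh/id_rsa"          # assumed key used for the transfer
LOCAL_DIR="$HOME/backups"
DATA_DIR="$HOME/lnbits/data"
KEEP_DAYS=7

# backup_name PREFIX STAMP -> archive file name, e.g. data_20240101_0005.tar
backup_name() { printf '%s_%s.tar\n' "$1" "$2"; }

# prune_old DIR DAYS -> deletes *.tar older than DAYS days and prints how many
# remain. Refuses to touch a missing or empty directory, so a failed backup
# run can never leave you with zero copies.
prune_old() {
  local dir="$1" days="$2"
  [ -d "$dir" ] && [ -n "$(ls -A "$dir")" ] \
    || { echo "refusing to prune missing/empty $dir" >&2; return 1; }
  find "$dir" -type f -name '*.tar' -mtime +"$days" -delete
  find "$dir" -type f -name '*.tar' | wc -l | tr -d ' '
}

# run_backup -> the full cycle. LNbits is stopped while tar reads the SQLite
# database (as in section 3.3; the cron lines in 3.4 archive it while live).
run_backup() {
  local stamp archive rc
  stamp=$(date +%Y%m%d_%H%M)
  archive="$LOCAL_DIR/$(backup_name data "$stamp")"
  mkdir -p "$LOCAL_DIR"
  sudo systemctl stop lnbits
  tar cf "$archive" -C "$(dirname "$DATA_DIR")" "$(basename "$DATA_DIR")"
  rc=$?
  sudo systemctl start lnbits           # bring LNbits back before anything else
  [ "$rc" -eq 0 ] || { echo "tar failed, not transferring" >&2; return 1; }
  scp -P "$BACKUP_PORT" -i "$BACKUP_KEY" "$archive" "$BACKUP_HOST:backups/" \
    || { echo "transfer failed, local copy kept" >&2; return 1; }
  prune_old "$LOCAL_DIR" "$KEEP_DAYS"
}

# The cycle runs only when called with "run", e.g. from crontab -e:
#   5 0 * * * /home/blitzbank/lnbits_backup.sh run
# so the file can also be sourced to test the helpers.
if [ "${1:-}" = "run" ]; then run_backup; fi
```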

4. Useful Information About Phoenix

4.1 Phoenix Help

~/phoenixd/phoenix-cli -h
   getinfo                Show basic info about your node
   getbalance             Returns your current balance
   estimateliquidityfees  Estimates the liquidity fees for a given amount, at current feerates.
   listchannels           List all channels
   getoutgoingpayment     Get outgoing payment
   listoutgoingpayments   List outgoing payments
   getincomingpayment     Get incoming payment
   listincomingpayments   List incoming payments
   createinvoice          Create a Lightning invoice
   getoffer               Return a Lightning offer (static invoice)
   getlnaddress           Return a BIP-353 Lightning address (there must be a channel)
   payinvoice             Pay a Lightning invoice
   payoffer               Pay a Lightning offer
   paylnaddress           Pay a Lightning address (BIP353 or LNURL)
   decodeinvoice          Decode a Lightning invoice
   decodeoffer            Decode a Lightning offer
   lnurlpay               Pay a LNURL
   lnurlwithdraw          Withdraw funds from a LNURL service
   lnurlauth              Authenticate on a LNURL service
   sendtoaddress          Send to a Bitcoin address
   closechannel           Close channel

4.2 Empty Phoenix Wallet

If you want to completely empty the Phoenix Wallet, you need to close the Lightning channel first. You can do this via the command line using the following command:

~/phoenixd/phoenix-cli closechannel --channelId=4bc2cc34.. --address=bc1qw5h27.. --feerateSatByte=4

As you can see, you need three things: the channelId, the address where your remaining outbound liquidity should be transferred to, and the feerateSatByte.

You can find the channelId here:

~/phoenixd/phoenix-cli getinfo

The Bitcoin address to which the remaining funds should be sent can best be obtained from your BitBox02. You can also use BlueWallet, Phoenix, or another Bitcoin wallet. The address type does not matter. The new Taproot format p2tr also works.

The feerateSatByte can best be determined using mempool.space. Just look at the typical values recently used. If unsure, you can also check whatthefee.io. I would, however, never go below 3 sat/vB.

As a confirmation, you will only get one line displaying the closingTxId (e.g., 126aea45be230..). You can then verify the status of the transaction with the ID on mempool.space.

4.3 Useful Phoenix Commands

~/phoenixd/phoenix-cli getinfo
~/phoenixd/phoenix-cli createinvoice \
    --description "my first invoice" \
    --amountSat 200000
~/phoenixd/phoenix-cli listchannels | grep "txId"
~/phoenixd/phoenix-cli getlnaddress
~/phoenixd/phoenix-cli createinvoice --amountSat=1234 --desc="comment"
~/phoenixd/phoenix-cli payinvoice --invoice lnbc3320..
~/phoenixd/phoenix-cli paylnaddress --amountSat=2100 --address="axelhamburch@ereignishorizont.xyz" --message="Thank you for the Lightning⚡Bank"
~/phoenixd/phoenix-cli decodeinvoice --invoice=lnbc2210n..

5. Enhancing VPS Access Security

Note: The following methods for further strengthening security are relevant and good. However, errors often occur, and you may end up locking yourself out. First, take a snapshot of your VPS so you can always go back. Then proceed slowly, step by step, testing the new access each time before you disable something (for example password access, the root user, or a port).

5.1 Use SSH Key

Using SSH key pairs might sound complicated at first and can be a bit confusing, but once you understand it, it’s actually quite simple. Let me let ChatGPT explain it:

An SSH key pair is a type of security tool used for securely logging into a computer or server. Imagine it as a lock and a matching key that work together to open a door—except here, it's about digital security.

Here are the two parts of the SSH key pair:

1. Private Key: This is like your personal, secret key. You should never share it with anyone. It always stays secure on your own computer.

2. Public Key: This is like the lock you mount on the server. It can be seen by others because it doesn’t matter if it’s publicly known. The public key is copied onto the server you want to log in to.

How does it work?

1. When you want to log into a server, the server checks your public key.
2. Your computer (with the private key) "talks" to the server, and the server makes sure that the private key matches the public key.
3. If they match, you are logged in.

The special thing about this procedure is that it’s secure because only the person with the matching private key can log in. Since the private key remains secret and is never sent, the likelihood of a hacking attack is much lower compared to using a password.

You can easily generate a key pair on your computer yourself. Open your command line terminal as if you were logging in, then generate a key pair with the following command:

ssh-keygen

First, you will be asked where to save the key pair. If you simply press ENTER, it will take the suggested path and filename in brackets. Then comes the “Enter passphrase” prompt. Here, you can encrypt the key with an extra layer of security. This passphrase is the password to decrypt the private key. When you log into the remote server, the private key must be decrypted with the passphrase, but you no longer need the user password to log in. The passphrase is not necessary, but it adds extra security. You must not lose either the key file or the passphrase. Attached is an image showing the generation of SSH key pairs on a Windows 11 computer.

Picture: Generation of an SSH key pair

Ed25519 is a modern public-key algorithm. The private key id_ed25519 and the public key id_ed25519.pub were saved on the computer in the path C:\User\User\.ssh. These are two text files that you can open and read with a simple editor like Notepad. Alternatively, you can use the command cat id_ed25519.pub to display the key in the terminal. The file known_hosts is created by your computer to store the public host keys of other computers; it is used only to verify the authenticity of the other computer.

A short side note: if you reinstall your server, it generates a new host key pair, and you will receive the following warning message.

Picture: Warning message “man-in-the-middle attack”

In this case, you can rest easy because you now know why the message appears: the host key changed when you reinstalled the server. To fix it, simply delete the old key from the known_hosts file, and your computer will save the new key from the server during the next login. The message also shows you where the file is located. In this case in the folder path: C:\Users\axels\.ssh.

Moving on… Now, you can read the content of the public key id_ed25519.pub, highlight it, and copy it to the clipboard. Then paste the key into the authorized_keys file on your Lightning⚡Bank server using the command line:

mkdir ~/.ssh
nano ~/.ssh/authorized_keys

-> Paste the content of the public key id_ed25519.pub here and then press CTRL+X -> Y -> ENTER.

-> Now, you can test the key by logging out with the command exit and then logging back in. You will either be logged in automatically, or if you have set a password for the key, you will be prompted for the password to decrypt and then logged in.

Important: You need to save your keys for both the root and blitzbank users. Therefore, log in to both accounts once.

Note: If you press Enter during the login prompt with your encrypted key, you will be prompted with a second option to enter a password. Try it out!

5.2 Disable Password Login

If you have secure access with your SSH key, you can disable login via password. Before doing this, it’s best to set up a second computer as a backup in case you need emergency access. Alternatively, you can back up the private key id_rsa (on Windows). The public key is not critical, but the private key is.

To disable login via password:

sudo nano /etc/ssh/sshd_config

Set PasswordAuthentication to no:

PasswordAuthentication no

-> CTRL+X -> Y -> ENTER

Restart the SSH server:

sudo systemctl restart ssh

-> Log in again and skip the SSH key prompt by pressing ENTER. You should no longer see a password prompt. This now applies to all users.

5.3 Disable Login for Root User

The root user is a well-known target for attacks, so it’s advisable to disable login for it.

sudo nano /etc/ssh/sshd_config
PermitRootLogin no
# AllowUsers root

-> Either of these settings is sufficient.

-> CTRL+X -> Y -> ENTER

Restart the SSH server:

sudo systemctl restart ssh

-> Try logging in as the root user — this should now be disabled, and only the blitzbank user with an SSH key should work.

5.4 Customize Port Access (SSH Port 22 -> 1001)

You can freely choose the port number (1001) for the firewall:

sudo ufw allow 1001 comment 'OpenSSH new'
sudo nano /etc/ssh/sshd_config

Add a new line with the additional port:

Port 1001 

-> CTRL+X -> Y -> ENTER

sudo systemctl restart ssh

Logout using exit and log in again with a slightly modified command:

ssh -p 1001 blitzbank@yourIPaddress

-> Note the -p 1001. Port 1001 is now open for all users.

Now close the standard port 22 in the firewall (ufw) with deny and check the status:

sudo ufw deny 22 comment 'OpenSSH'
sudo ufw status

Now disable port access in the SSH config:

sudo nano /etc/ssh/sshd_config

Comment out the line for port 22 with #:

# Port 22

CTRL+X -> Y -> ENTER

Restart once, exit and log in again to check the access, hoping that you didn’t lock yourself out. 😉

sudo systemctl restart ssh

With this, you have added a significant amount of security to the server. 💪 You have left only a small hidden door open. Keep the access and knowledge about it well protected.
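As an added check for sections 5.2 to 5.4 (example code, not from the Blitz⚡Bank page): before restarting ssh and logging out, this script confirms that PasswordAuthentication, PermitRootLogin, the new port and any AllowUsers line are what sshd will actually use, read from sshd -T rather than from the file you edited. The defaults of port 1001 and user blitzbank follow this guide; the parsing of the sshd -T output is my own.

```shell
#!/bin/bash
# Added example, not from the Blitz⚡Bank page: verify the settings from
# sections 5.2-5.4 against sshd's EFFECTIVE configuration before you restart
# ssh and log out. Usage: ./sshd_precheck.sh live [PORT] [USER]
# setting KEY SETTINGS -> value of KEY from "sshd -T"-style "key value" lines
setting() { printf '%s\n' "$2" | awk -v k="$1" '$1==k {print $2; exit}'; }

# expect_value KEY WANT SETTINGS -> 0 if KEY has value WANT, else reports it
expect_value() {
  local got
  got=$(setting "$1" "$3")
  [ "$got" = "$2" ] && { echo "ok   $1 $got"; return 0; }
  echo "FAIL $1 is '${got:-unset}', expected $2" >&2
  return 1
}

# port_listed PORT SETTINGS -> 0 if PORT is one of the configured "port" lines
port_listed() {
  printf '%s\n' "$2" | awk -v p="$1" '$1=="port" && $2==p {f=1} END {exit !f}'
}

# user_allowed USER SETTINGS -> 0 if no AllowUsers is set, or USER is in it.
# An AllowUsers line that omits your own user locks you out (section 3.4
# adds such a line for the backup user on the target machine).
user_allowed() {
  printf '%s\n' "$2" | awk -v u="$1" \
    '$1=="allowusers" {seen=1; for (i=2;i<=NF;i++) if ($i==u) ok=1}
     END {exit (seen && !ok)}'
}

# precheck PORT USER SETTINGS -> returns the number of failed checks
precheck() {
  local fails=0
  expect_value passwordauthentication no "$3" || fails=$((fails+1))
  expect_value permitrootlogin no "$3" || fails=$((fails+1))
  port_listed "$1" "$3" && echo "ok   port $1" \
    || { echo "FAIL port $1 is not configured" >&2; fails=$((fails+1)); }
  user_allowed "$2" "$3" && echo "ok   $2 may log in" \
    || { echo "FAIL AllowUsers excludes $2" >&2; fails=$((fails+1)); }
  return "$fails"
}

# Live mode: "sshd -T" prints what sshd will actually use, including drop-in
# files under /etc/ssh/sshd_config.d/ that the Include line at the top of the
# Debian/Ubuntu sshd_config pulls in and that can override your edits.
if [ "${1:-}" = "live" ]; then
  sudo sshd -t || exit 1                       # syntax check first
  precheck "${2:-1001}" "${3:-blitzbank}" "$(sudo sshd -T)" || exit $?
fi
```

Run it as ./sshd_precheck.sh live 1001 blitzbank; a non-zero exit means at least one of the settings you expect is not in effect yet.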


Created with love 🧡 – Block 870210/ 872773

– Lightning ⚡ (er)leben –

Value 4 Value
axelhamburch@ereignishorizont.xyz