Update README.md with security hardening instructions

[MrBlockchain22]

These steps should increase our network posture by deploying nodes that are secured and are using best practices to deploy servers. I want to give credit to @s4njk4n for his contribution to the steps added here.

Summary by CodeRabbit

• Documentation
  • Added comprehensive server hardening guide covering SSH configuration, firewall setup, and network security best practices.
  • Updated masternode setup instructions with improved security recommendations, including hardware wallet usage and keyphrases management guidance.

[gzliudan]

We should simplify the README.md, such as:

# Document

## How to
- [Setup XinFin Masternode](./docs/setup.md)
- [Securing Your XDC Network Node](./docs/secure.md)

## Troubleshooting

Public discussions on the technical issues, post articles and request for Enhancements and Technical Contributions.

- [Discord](https://discord.com/invite/KZdD6pkFxp)
- [Telegram](https://t.me/xinfintalk)
- [Reddit](https://www.reddit.com/r/xinfin/)
- [GitHub](https://github.com/XinFinorg)
- [XinFin FAQs](https://howto.xinfin.org/general/faq/)

[MrBlockchain22]

We should simplify the README.md, such as:

# Document

## How to
- [Setup XinFin Masternode](./docs/setup.md)
- [Securing Your XDC Network Node](./docs/secure.md)

## Troubleshooting

Public discussions on the technical issues, post articles and request for Enhancements and Technical Contributions.

- [Discord](https://discord.com/invite/KZdD6pkFxp)
- [Telegram](https://t.me/xinfintalk)
- [Reddit](https://www.reddit.com/r/xinfin/)
- [GitHub](https://github.com/XinFinorg)
- [XinFin FAQs](https://howto.xinfin.org/general/faq/)

I like this idea of simplifying the README.md file and pointing to our documents as suggested. I will work on adding the secure your node section to the docs. That way we can point to it from the README.md.

[coderabbitai]

📝 Walkthrough

Walkthrough

The README has been expanded with comprehensive server hardening guidance and improved wallet security recommendations. A new "Securing Your XDC Network Node" section covers system updates, SSH configuration, firewall setup, and connectivity testing. The "Method 1" masternode instructions now recommend hardware wallets and keyphrases over keystores, with updated loss/compromise consequences and revised hosting setup guidance.

Changes

Cohort / File(s)

Summary

Documentation Enhancement README.md

Added new "Securing Your XDC Network Node" section with package updates, SSH key-based authentication, password login disabling, port lockdown, UFW firewall configuration, and connectivity testing. Updated "Method 1" masternode instructions to recommend hardware wallets instead of keystores, changed key handling from "keystore files" to "keyphrases," updated loss consequence language, and revised masternode login workflow.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops through README's pages,
Securing networks through the ages,
With hardware wallets standing tall,
And firewalls protecting all! 🛡️
Our burrow strong, our nodes secure—
This hardening guide will long endure! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the main change: adding security hardening instructions to README.md.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can disable the changed files summary in the walkthrough.

Disable the reviews.changed_files_summary setting to disable the changed files summary in the walkthrough.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

README.md (1)

242-242: Clarify masternode hosting step wording.

Line 242 (“log in to your wallet and login the Masternode”) is ambiguous and can confuse first-time operators.

Suggested wording

-* For hosting the Masternode, you need to log in to your wallet and login the Masternode.
+* To host the Masternode, log in to your wallet first, then complete the Masternode login/activation flow in the installer.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 242, The sentence "log in to your wallet and login the
Masternode" is ambiguous; update the README line to clearer, stepwise wording
such as "Access and unlock your wallet, then enable/start the Masternode (e.g.,
via the wallet's 'Start Masternode' or 'Enable Masternode' option) and confirm
the node is running," replacing the original phrase so first-time operators
understand they must open/unlock the wallet and explicitly start/enable the
masternode.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Around line 63-65: The three fenced code blocks containing the SSH snippets
("PasswordAuthentication no", "#Port 22", and "Port 2222") are missing language
identifiers; update each opening triple-backtick to include a language (use
"text" for plain SSH/config examples) so they read e.g. ```text before the
blocks to satisfy markdownlint MD040 and ensure correct linting for those
snippets.
- Line 230: Fix the typo in the README sentence by replacing “Always write your
a backup or keyphrases and do not store them online.” with a clear instruction
such as “Always write down your backup or keyphrases and do not store them
online.”; ensure the corrected sentence appears exactly where the current line
230 text is located so the key-management guidance reads clearly and
grammatically correct.
- Around line 179-186: Update the README section "RPC Node Exception" to stop
recommending hardcoded ports 8888/8989 and instead reference the RPC and WS port
environment variables used at runtime (RPC_PORT and WS_PORT), mention the
defaults 8545/8546, and instruct readers to run ufw allow <RPC_PORT>/tcp and ufw
allow <WS_PORT>/tcp (or substitute their custom values); align this with the
runtime flags in mainnet/start-node.sh (--rpcport "${RPC_PORT}" and --wsport
"${WS_PORT}").

---

Nitpick comments:
In `@README.md`:
- Line 242: The sentence "log in to your wallet and login the Masternode" is
ambiguous; update the README line to clearer, stepwise wording such as "Access
and unlock your wallet, then enable/start the Masternode (e.g., via the wallet's
'Start Masternode' or 'Enable Masternode' option) and confirm the node is
running," replacing the original phrase so first-time operators understand they
must open/unlock the wallet and explicitly start/enable the masternode.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e3f7f29c-a765-47eb-a86b-fb07ef977743

📥 Commits

Reviewing files that changed from the base of the PR and between b3547fd and 074abb5.

📒 Files selected for processing (1)

• README.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add language identifiers to fenced code blocks (markdownlint MD040).

At Line 63, Line 98, and Line 104, fenced blocks are missing a language. This is already flagged by static analysis.

Suggested docs fix

-```
+```text
 PasswordAuthentication no

@@

• `#Port` 22
  

@@

• Port 2222
  

</details>


Also applies to: 98-100, 104-106

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.21.0)</summary>

[warning] 63-63: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @README.md around lines 63 - 65, The three fenced code blocks containing the
SSH snippets ("PasswordAuthentication no", "#Port 22", and "Port 2222") are
missing language identifiers; update each opening triple-backtick to include a
language (use "text" for plain SSH/config examples) so they read e.g. ```text
before the blocks to satisfy markdownlint MD040 and ensure correct linting for
those snippets.

</details>

<!-- fingerprinting:phantom:triton:hawk -->

<!-- This is an auto-generated comment by CodeRabbit -->

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Use RPC/WS ports from .env instead of hardcoded 8888/8989.

Lines 181-186 conflict with this same README (Line 404/Line 412 defaults 8545/8546) and with runtime config in mainnet/start-node.sh (--rpcport "${RPC_PORT}", --wsport "${WS_PORT}"). Hardcoding 8888/8989 can lead to inaccessible RPC/WS after firewall lockdown.

Suggested docs fix

 ### RPC Node Exception
 
-If you are deploying an RPC node (e.g., for public dApp or API access), you must also allow the following ports:
+If you are deploying an RPC node (e.g., for public dApp or API access), allow your configured RPC/WebSocket ports from `.env`.
+By default these are `8545` (RPC) and `8546` (WS):
 
 ```bash
-sudo ufw allow 8888
-sudo ufw allow 8989
+sudo ufw allow 8545/tcp
+sudo ufw allow 8546/tcp

+If you changed RPC_PORT / WS_PORT, allow those values instead.

</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```suggestion
### RPC Node Exception

If you are deploying an RPC node (e.g., for public dApp or API access), allow your configured RPC/WebSocket ports from `.env`.
By default these are `8545` (RPC) and `8546` (WS):

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 179 - 186, Update the README section "RPC Node
Exception" to stop recommending hardcoded ports 8888/8989 and instead reference
the RPC and WS port environment variables used at runtime (RPC_PORT and
WS_PORT), mention the defaults 8545/8546, and instruct readers to run ufw allow
<RPC_PORT>/tcp and ufw allow <WS_PORT>/tcp (or substitute their custom values);
align this with the runtime flags in mainnet/start-node.sh (--rpcport
"${RPC_PORT}" and --wsport "${WS_PORT}").

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix typo in backup instruction.

Line 230 currently says “Always write your a backup…”, which is grammatically incorrect and unclear for a critical key-management step.

Suggested wording

-* **Always write your a backup or keyphrases and do not store them online.**
+* **Always write down a backup of your keyphrases and do not store them online.**

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	* **Always write your a backup or keyphrases and do not store them online.**
	* **Always write down a backup of your keyphrases and do not store them online.**

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 230, Fix the typo in the README sentence by replacing
“Always write your a backup or keyphrases and do not store them online.” with a
clear instruction such as “Always write down your backup or keyphrases and do
not store them online.”; ensure the corrected sentence appears exactly where the
current line 230 text is located so the key-management guidance reads clearly
and grammatically correct.