Transparency Note
This article was generated with the assistance of AI and carefully reviewed, edited, and validated by the author.
Running a miner in the Bittensor ecosystem is exciting — you’re literally participating in a global, decentralized intelligence market. But there’s a harsh reality that many subnet operators are now facing:
👉 Your Axon endpoint is exposed to the entire internet.
👉 And yes — it will get attacked.
In this post, I’ll show you a simple, practical, and effective way to protect your miner using ufw (Uncomplicated Firewall).
No complex infrastructure. No expensive services. Just a clean idea:
Only allow validators. Block everyone else.
⚠️ The Problem
If you’re running a miner, your Axon is public.
That means:
- Anyone can send requests to your port
- Bots can spam your endpoint
- Attackers can flood your node (DDoS)
And recently, this has been happening across multiple subnets.
The key insight is:
❌ You don’t need the whole internet
✅ You only need validators
💡 The Solution (In One Sentence)
Whitelist validator IPs. Deny everything else.
🔧 Why UFW?
I chose ufw because it’s:
- Simple
- Already installed on most servers
- Built on top of iptables (so it’s powerful)
- Easy to audit and maintain
🚀 Step-by-Step Setup
1. Install UFW
```bash
sudo apt update
sudo apt install ufw -y
```
2. Set Default Rules
Block all incoming traffic by default:
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
3. Don’t Lock Yourself Out (Allow SSH!)
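Add this rule before you enable the firewall: with incoming traffic denied by default, enabling ufw without it can cut off your SSH access. `ufw allow ssh` opens the standard SSH port (22/tcp), so if your sshd listens on a different port, allow that port instead.
```bash
sudo ufw allow ssh
```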
4. Allow Only Validators
Let’s say your Axon runs on port 8091.
```bash
sudo ufw allow from <VALIDATOR_IP> to any port 8091
```
Repeat this for each validator in your subnet.
5. Enable Firewall
```bash
sudo ufw enable
sudo ufw status
```
🧠 The Gotcha (Important!)
This is where most people mess up:
Validator IPs are NOT static.
Validators can:
- Move to a new machine
- Change cloud providers
- Rotate IPs
If you hardcode IPs and forget about it:
💥 Your miner stops receiving requests
💥 Your performance drops
💥 Your rewards go down
🔄 How to Handle Validator Changes
Here are a few practical strategies:
Option 1 — Manual Updates
- Check validator IPs periodically
- Update UFW rules when needed
Option 2 — Automate It (Recommended)
Basic idea:
```text
# Pseudo logic
1. Fetch validator list (metagraph)
2. Extract IPs
3. Compare with UFW rules
4. Update rules automatically
```
Run this every few minutes with cron.
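Steps 3 and 4 of the pseudo logic, as an added example (not the author's or the Bittensor project's code): it parses `ufw status` output, compares it with a validator IP list, and returns the `ufw` commands needed to reconcile them. It assumes the validator IPs have already been fetched from the metagraph (that step is not shown); the function names and the sample firewall output are constructed for illustration.

```python
import ipaddress
import re

AXON_PORT = 8091  # port used in the article

# Constructed sample of `sudo ufw status` output (documentation-range IPs).
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8091                       ALLOW       203.0.113.10
8091                       ALLOW       198.51.100.7
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

RULE = re.compile(r"^(\d+)(?:/\w+)?\s+ALLOW(?: IN)?\s+(\S+)$")

def clean(candidates):
    """Drop malformed, unspecified (0.0.0.0), loopback, multicast and link-local entries."""
    ok = set()
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue
        if not (ip.is_unspecified or ip.is_loopback or ip.is_multicast or ip.is_link_local):
            ok.add(str(ip))
    return ok

def allowed_sources(status_text, port=AXON_PORT):
    """Source IPs that current rules allow to reach `port`."""
    hits = (RULE.match(line.strip()) for line in status_text.splitlines())
    # clean() discards "Anywhere" and subnet sources, which are not per-validator rules
    return clean(m.group(2) for m in hits if m and int(m.group(1)) == port)

def plan(status_text, validator_ips, port=AXON_PORT):
    """ufw commands that make the allow-list for `port` match validator_ips."""
    want = clean(validator_ips)  # metagraph data is untrusted input
    if not want:
        return []  # empty or failed fetch: keep existing rules, do not cut validators off
    have = allowed_sources(status_text, port)
    add = [f"ufw allow from {ip} to any port {port}" for ip in sorted(want - have)]
    drop = [f"ufw delete allow from {ip} to any port {port}" for ip in sorted(have - want)]
    return add + drop  # additions first, so no validator is blocked mid-update
```

`plan()` only returns the commands; log them and run them as root from the cron job so every rule change stays auditable.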
⚖️ Trade-offs
| Setup | Security | Reliability |
|---|---|---|
| Open Axon | ❌ Low | ✅ High |
| Strict Whitelist | ✅ High | ⚠️ Medium |
| Automated Whitelist | ✅ High | ✅ High |
🧭 Bigger Picture (Why This Matters)
Bittensor is designed as an open and permissionless system.
That’s powerful — but it also means:
Security is your responsibility.
The protocol defines incentives.
But you define your infrastructure.
✅ Final Takeaway
You don’t need enterprise-grade defenses to survive DDoS.
Sometimes the best solution is the simplest:
Only accept traffic from participants who matter.
Happy Mining - James4u