The SSH service accounts for the largest number of password guessing attacks, you just started your server and after a few hours in the logs you can see connection attempts from unknown ip addresses. To reduce the number of attempts, we immediately recommend changing the port number in the sshd settings. Of course, you should specify a password of good complexity using letters, symbols and numbers, case sensitive. For linux servers, as a rule, you will need to remember 2 passwords, 1 for a normal user, the second for root. If there are several servers, then as a rule they resort to various applications that will store session settings (host, login and password), which is quite normal until an attacker gains access to your workstation. In any case, there are infected sites, software, etc. It turns out that you cannot be completely sure that this data is safe and available only to you. There is a solution for this case.
Two-factor authorization - an application on your phone is added to the login and password, which, depending on the time and a unique key, generates a question and a question answer in the form of numbers. After entering your login and password, you will be prompted to enter a verification code, which can be accessed in the application Google Authenticator.
Install the necessary packages
yum install pam pam-devel google-authenticator
Install mobile application
- Download for Android Devices
- Download for iOS Devices
- Download from Microsoft Store
Setting
By default, it is better to disable login from the user in the sshd settings, so if you have just started setting up a new server, create a user. set a password for it and log in with the command:
adduser username
passwd username
su username
Run the command from under the user for whom you are setting up two-factor authentication:
google-authenticator
Press "y" in the first message, where you will be asked if you want to update the ./google_authenticator file. When prompted to prevent multiple use, press "y" again to prevent another user from using your code. For the rest of the options, press 'y' as they all enhance the performance of this software.
Make sure you have copied the secret key and emergency recovery codes on a piece of paper. Keep this information offline, because even if someone finds this information, you still need to find out the host, login and password to enter.
Now let's configure PAM to apply all our settings to the SSH service, these actions already need to be done from the user root
vi /etc/pam.d/sshd
Add lines to the very beginning of the file so it looks like this:
#%PAM-1.0
auth required pam_unix.so no_warn try_first_pass
auth required pam_google_authenticator.so
The remaining lines that were in the file are left, they go below without changes. Let's save the file and move on to configuring the SSH service.
vi /etc/ssh/sshd_config
Find the "ChallengeResponseAuthentication no" parameter and change "no" to "yes". Save the changes and restart the service.
service sshd restart
Now set up the app on your mobile device. Find the option "manually enter the key" and click on it. Enter the secret key you wrote down earlier and save. Now a code will appear that you will need to enter in the Verification code field after entering the password.
Modifications:
- Changing the input sequence:
We specifically set the login - password sequence and then the verification code. If you want to enter the code from the application first and then the password, just remove the first line so that the file looks like this:
#%PAM-1.0
auth required pam_google_authenticator.so
- Two-factor authentication when logged in as root
For example, you want to log into the server as a normal user with a login and password, and when entering the su command - enter the root password and the code from the application. Run the ./google_authenticator application as root as you did before. Set up the mobile app with the new code and add to the file:
vi /etc/pam.d/su
в самое начало строки:
#%PAM-1.0
auth required pam_unix.so no_warn try_first_pass
auth required pam_google_authenticator.so
Done, the service does not need to be restarted. Now, when trying to log in as root, the command will require a verification code from the application.
P.S. We recommend that you check in another ssh session to avoid errors, you will have the opportunity to go back and fix it.