This is part 8 of a series of posts on server security from Inversoft's 2016 Guide to User Data Security.
Since we are going for über security, let's get crazy and add one more layer of authentication to your remote access. Add two-factor authentication to the server; this will require users to type in a 6-digit code from their mobile phone in order to log in. Even if a user's private key is compromised, two-factor authentication ensures a hacker would still need the user's mobile phone to log into the server.
First, you will need to install a two-factor app on your smartphone. There are many two-factor applications available for iOS and Android. Next, install the Google Authenticator two-factor PAM module on the server by executing this command in the root user terminal:
$ apt-get install libpam-google-authenticator
Edit the PAM configuration file for SSH like this:
$ nano /etc/pam.d/sshd
Add this line to the top of the file:
auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok
Save this file and then open the SSH configuration file like this:
$ nano /etc/ssh/sshd_config
Find and modify or add the configuration parameters below:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Before enabling this module for a user, install the network time system so that the server's clock is updated and consistent with the atomic clock. Since the two-factor authentication system uses a time-based algorithm, this will ensure that the server clock remains in sync with your smartphone. To install this package, type this command:
$ apt-get install ntp
Now restart the SSH service to pick up these changes like this:
$ service ssh restart
Finally, log into the ordinary user account and execute this command to enable two-factor authentication:
$ google-authenticator -l 'your-username@Application Server'
This will display a QR code that you can scan with the two-factor authentication app on your smartphone. It will also ask you additional questions to determine how you want to handle time skew and brute-force login attempts. Additionally, 5 emergency scratch codes will be generated for your account. You should write these down in a secure location such as iCloud Secure Notes.
Before logging out of this terminal, open a new terminal window and verify that you can still log in to the ordinary user account with your SSH key and the two-factor code from your smartphone. If you ever have problems logging in, you can use one of the scratch codes that you saved above. This will grant you access to your account and allow you to fix the two-factor authentication issue.
If you install the two-factor authentication as described above and a user doesn't enable it for their account, everything will still work fine. They will be able to log in using just their SSH key.
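To see what the "time-based algorithm" behind that 6-digit code actually does, and why the clock sync step matters, here is a minimal RFC 6238 TOTP generator and verifier with a skew window. This is an added illustration, not code from the guide or its scripts; it is checked against the RFC's published test secret, not a real enrolment secret.

```python
"""Minimal RFC 6238 TOTP: the algorithm behind the 6-digit login code."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # time step used by Google Authenticator
DIGITS = 6          # length of the code the user types at login


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def decode_secret(base32_secret: str) -> bytes:
    """Enrolment secrets are shown in base32; tolerate spaces and lower case."""
    return base64.b32decode(base32_secret.replace(" ", "").upper())


def totp(base32_secret: str, unix_time: int) -> str:
    """Code for the 30-second step containing unix_time (what the phone displays)."""
    return hotp(decode_secret(base32_secret), unix_time // STEP_SECONDS)


def verify_totp(base32_secret: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. `window` adjacent steps are accepted to tolerate clock skew;
    if the server clock drifts further than window*30 seconds from the phone, every
    login fails, which is why ntp is installed first. Constant-time comparison per step."""
    secret = decode_secret(base32_secret)
    counter = unix_time // STEP_SECONDS
    matches = [hmac.compare_digest(hotp(secret, counter + delta), submitted)
               for delta in range(-window, window + 1)]
    return any(matches)


# RFC 6238 test secret "12345678901234567890" in base32 (a published test vector).
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59))                        # 287082
    print(verify_totp(RFC_TEST_SECRET, "287082", 59 + 30))  # True: one step of skew
    print(verify_totp(RFC_TEST_SECRET, "287082", 59 + 60))  # False: too far out of sync
```

The 6-digit values are the last six digits of the 8-digit SHA-1 vectors in RFC 6238 Appendix B, so the code can be cross-checked against the RFC directly.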
Find our Github project here: https://github.com/inversoft/2016-security-scripts. This project contains a set of scripts you can execute from your local computer to secure a remote server.