# SSH Key with 2FA

1. Add the client user's ssh-rsa public key to the server user's `~/.ssh/authorized_keys` file.

#### The rest of this is done on the server, as the user that will be logged in with the key and 2FA.

2. Install the Google Authenticator PAM helper

- `sudo apt update && sudo apt upgrade -y` - Always a good idea to update everything before starting.
- `sudo apt install libpam-google-authenticator` - This is the PAM module that provides the TOTP-based 2FA (Google Authenticator compatible).
- `google-authenticator` - This runs the configuration for the 2FA; answer yes to all questions and then scan the QR code with the 2FA app on your mobile device.

3. Update PAM

- `sudo vim /etc/pam.d/sshd` - comment out the `common-auth` include and add the Google Authenticator module:

> # Standard Un*x authentication.
> #@include common-auth
> auth required pam_google_authenticator.so

Commenting out `@include common-auth` stops PAM from asking for the account password, and `auth required pam_google_authenticator.so` requires users to present a 2FA token. (The neighbouring `@include common-password` line only handles password changes, so commenting that one out does not remove the password prompt.)

4. Update SSH

- `sudo vim /etc/ssh/sshd_config`

> LoginGraceTime 2m
> PermitRootLogin no
> StrictModes yes
> MaxAuthTries 1
> PasswordAuthentication no
> AllowUsers <username>
> PubkeyAuthentication yes
> AuthorizedKeysFile .ssh/authorized_keys
> ChallengeResponseAuthentication yes
> UsePAM yes
> AuthenticationMethods publickey,keyboard-interactive

Replace `<username>` with the username of the server user that is allowed to log in.

The first 8 options make sure that root can't log in over SSH, that only the usernames in `AllowUsers` can log in, and that everything is set up for SSH key login. The last three say to use PAM, which now has the 2FA helper installed and configured, and require public-key authentication followed by keyboard-interactive (the PAM 2FA prompt). The method list is comma-separated with no space: sshd rejects `publickey, keyboard-interactive` as an invalid method list and will not start (`sshd -t` reports this). Note also that with `MaxAuthTries 1`, a client whose agent offers several keys is disconnected before it reaches the right one; point the client at the single key with `IdentitiesOnly yes` in its ssh config.

- `sudo systemctl restart sshd.service` - restarts the OpenSSH server daemon.
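As an added check (example script, not part of the original paste): a small bash pre-flight that reads an sshd_config and reports which of the directives above are missing or wrong, including the space-in-the-method-list mistake that stops sshd from starting. It assumes a "Keyword value" style config and that only the first occurrence of a directive counts, as sshd does.

```shell
#!/usr/bin/env bash
# Added example, not part of the original paste: pre-flight check of an
# sshd_config against the settings this guide relies on. Run it before
# `systemctl restart sshd`: a malformed AuthenticationMethods list makes sshd
# refuse to start, and a wrong PasswordAuthentication or UsePAM value quietly
# leaves password login possible. Assumes a "Keyword value" style config.
set -u

# Emit "key<TAB>value" per directive: comments and blank lines dropped, keyword
# and value lower-cased (sshd keywords are case-insensitive), and parsing stops
# at the first Match block so conditional overrides are not read as globals.
sshd_directives() {
  awk '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    { k = tolower($1); sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, "")
      print k "\t" tolower($0) }
  ' "$1"
}

# First value of a directive: sshd honours the first occurrence, so do we.
directive() {
  sshd_directives "$1" | awk -F'\t' -v k="$2" '$1 == k { print $2; exit }'
}

# Returns 0 when every expected directive is present and correct, 1 otherwise.
check_sshd_config() {
  local f=$1 rc=0 pair key want got
  for pair in permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes \
              challengeresponseauthentication=yes usepam=yes; do
    key=${pair%%=*}; want=${pair#*=}; got=$(directive "$f" "$key")
    [ "$got" = "$want" ] || { echo "FAIL: $key is '${got:-unset}', expected '$want'"; rc=1; }
  done
  got=$(directive "$f" authenticationmethods)
  case "$got" in
    publickey,keyboard-interactive) ;;
    *[[:space:]]*) echo "FAIL: AuthenticationMethods '$got' has whitespace in the method list;" \
                        "sshd rejects it, write publickey,keyboard-interactive"; rc=1 ;;
    *) echo "FAIL: AuthenticationMethods is '${got:-unset}', expected publickey,keyboard-interactive"; rc=1 ;;
  esac
  [ -n "$(directive "$f" allowusers)" ] || { echo "FAIL: AllowUsers is not set"; rc=1; }
  return "$rc"
}

# Stand-alone use: check_sshd_config.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
  check_sshd_config "$1" && echo "OK: $1 matches the guide"
fi
```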
5. Install and Configure Fail2Ban

- `sudo apt install fail2ban -y`
- `sudo vim /etc/fail2ban/jail.local`

> [sshd]
> enabled = true
> port = 22
> filter = sshd
> logpath = /var/log/auth.log
> findtime = 3600
> bantime = 300
> maxretry = 2
>
> [sshd-persistent]
> enabled = true
> port = 22
> filter = sshd
> logpath = /var/log/auth.log
> bantime = 604800
> findtime = 604800
> maxretry = 19

The first jail bans an IP for 5 minutes after 2 failed logins within an hour; the second jail reuses the same filter and log and bans for a week any IP that reaches 19 failures within a week.

- `sudo vim /etc/fail2ban/fail2ban.conf` - edit `dbpurgeage = 1d` to read `dbpurgeage = 8d`, so the ban database is kept longer than the one-week `bantime` of the persistent jail.
- `sudo systemctl enable fail2ban`
- `sudo systemctl start fail2ban`

6. ????

7. Profit