Posted January 19

You are reading Part 16 of the 57-part series: Harden and Secure Linux Servers. [Level 2]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation. To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

1. Install Google Authenticator on Your Linux Server

    sudo apt install libpam-google-authenticator -y   # Debian/Ubuntu
    sudo yum install google-authenticator -y          # CentOS/RHEL

2. Configure MFA for Your User Account

Run the following command as the user account you want to secure (it writes that user's TOTP secret to ~/.google_authenticator in their home directory):

    google-authenticator

You will be prompted to answer setup questions (choose "yes" for time-based authentication). The tool will generate a QR code and a secret key. Scan the QR code with the Google Authenticator app (available for Android and iOS), and save the backup codes in case you lose access to your device.

3. Enable MFA in SSH (Pluggable Authentication Module - PAM)

Edit the PAM SSH configuration file:

    sudo nano /etc/pam.d/sshd

Add the following line at the end of the file:

    auth required pam_google_authenticator.so

Save and close the file.

4. Configure SSH to Require MFA

Edit the SSH configuration file:

    sudo nano /etc/ssh/sshd_config

Find and modify the following line:

    ChallengeResponseAuthentication yes

Save and close the file. Note that on OpenSSH 8.7 and later this option has been renamed KbdInteractiveAuthentication (the old name is still accepted as an alias), and sshd only consults PAM when UsePAM yes is set, which is the default on most distributions.

5. Restart SSH to Apply Changes

    sudo systemctl restart sshd

Keep your current SSH session open while you test, so a misconfiguration cannot lock you out of the server.

Testing MFA

Open a new terminal and try logging in via SSH:

    ssh username@your_server_ip

After entering your password, you will be prompted for a verification code from the Google Authenticator app.

✅ If the login succeeds after entering the MFA code, MFA is working correctly!

Additional MFA Security Enhancements

✅ Enforce MFA for sudo commands (optional but recommended)

    sudo nano /etc/pam.d/sudo

Add this line:

    auth required pam_google_authenticator.so

(This requires an MFA code before executing sudo commands.)

✅ Allow only specific users to use MFA for SSH

Instead of requiring MFA for all users, limit it to specific users by adding a Match block to sshd_config:

    Match User yourusername
        AuthenticationMethods publickey,password publickey,keyboard-interactive

(Replace yourusername with the actual username. This accepts either a public key followed by a password, or a public key followed by the keyboard-interactive MFA prompt.)

✅ Use hardware-based MFA tokens (YubiKey, Duo Security, etc.)

Instead of using Google Authenticator, consider Duo MFA or a YubiKey for added security.

Best Practices for MFA Security

🔹 Ensure you have backup recovery codes in case you lose access to your device.
🔹 Require MFA for all privileged accounts (root, sudo users, admin accounts).
🔹 Monitor failed authentication attempts using:

    sudo grep "Failed" /var/log/auth.log

🔹 Use MFA alongside key-based SSH authentication for maximum security.

By enabling Multi-Factor Authentication (MFA), you add an extra level of protection to your Linux server, making it significantly harder for attackers to gain unauthorized access.
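The steps above touch three things: the PAM stack for sshd, sshd_config, and the per-user secret file. The following audit script is an added example, not part of the original post, that checks all three are in the expected state. It takes the file paths as parameters so it can be run against copies; the default paths in the trailing comment are the ones used in this guide, and the UsePAM requirement and the KbdInteractiveAuthentication spelling are real OpenSSH options, not from the post.

```shell
#!/bin/sh
# Audit helper (added example): confirm the files that a Google Authenticator
# SSH MFA setup relies on are configured the way the guide expects.

# Returns 0 if the PAM file loads pam_google_authenticator.so on an active
# (uncommented) "auth required/requisite" line, 1 otherwise.
pam_has_gauth() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_google_authenticator\.so' "$1"
}

# Returns 0 if sshd_config both enables PAM and allows keyboard-interactive
# authentication. OpenSSH 8.7+ spells the latter KbdInteractiveAuthentication;
# ChallengeResponseAuthentication is the older alias, so accept either.
sshd_allows_mfa() {
    cfg="$1"
    grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$cfg" || return 1
    grep -Eiq '^[[:space:]]*(ChallengeResponse|KbdInteractive)Authentication[[:space:]]+yes' "$cfg"
}

# Returns 0 if the user's TOTP secret file exists and is readable only by its
# owner (google-authenticator creates it as mode 0400).
secret_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# Runs all three checks, prints one line per check, returns 0 only if all pass.
# Arguments: <pam sshd file> <sshd_config> <user secret file>
audit_mfa() {
    rc=0
    pam_has_gauth "$1" && echo "PAM: pam_google_authenticator.so is active" \
        || { echo "PAM: module line missing or commented out"; rc=1; }
    sshd_allows_mfa "$2" && echo "sshd: UsePAM and keyboard-interactive enabled" \
        || { echo "sshd: UsePAM / KbdInteractiveAuthentication not both yes"; rc=1; }
    secret_is_private "$3" && echo "secret: file present with owner-only permissions" \
        || { echo "secret: file missing or readable by others"; rc=1; }
    return $rc
}

# Uncomment to audit a live host with the paths used in the guide:
# audit_mfa /etc/pam.d/sshd /etc/ssh/sshd_config "$HOME/.google_authenticator"
```

Running the audit before restarting sshd in step 5 catches a commented-out PAM line or a missing UsePAM before it can lock you out.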