Posted January 19

You are reading Part 32 of the 57-part series: Harden and Secure Linux Servers. [Level 4]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

Two-Factor Authentication (2FA) adds an extra layer of security to SSH logins, requiring a second verification step (such as a push notification, SMS code, or phone call) before granting access. This significantly reduces the risk of:

✅ Unauthorized logins from stolen credentials.
✅ Brute-force SSH attacks.
✅ Privilege escalation by attackers.

Using Duo Security’s PAM module, you can implement strong 2FA for SSH logins on your Linux server.

How to Set Up Duo 2FA for SSH Logins

1. Install the Duo PAM Module

For Debian/Ubuntu:

```
sudo apt install libpam-duo -y
```

For CentOS/RHEL:

```
sudo yum install duo_unix -y
```

2. Create a Duo Security Account & Get API Credentials

Sign up for Duo Security:

- Go to Duo Admin Panel.
- Register your server and generate the following API credentials:
  - Integration Key
  - Secret Key
  - API Hostname

Copy these credentials, as they will be used in the configuration.

3. Configure Duo PAM for SSH Authentication

Edit the Duo configuration file:

```
sudo nano /etc/duo/pam_duo.conf
```

Add the following settings (replace with your Duo API credentials):

```
[duo]
ikey = YOUR_INTEGRATION_KEY
skey = YOUR_SECRET_KEY
host = YOUR_API_HOSTNAME
pushinfo = yes
autopush = yes
failmode = secure
```

✅ ikey → Your Duo Integration Key
✅ skey → Your Duo Secret Key
✅ host → Your Duo API Hostname
✅ autopush = yes → Automatically send a push notification
✅ failmode = secure → If Duo is unavailable, deny access (set to safe to allow login if Duo fails)

Save and exit the file.

4. Enable Duo Authentication in SSH

Edit the PAM SSH configuration file:

```
sudo nano /etc/pam.d/sshd
```

At the top of the file, add:

```
auth required pam_duo.so
```

(This ensures SSH logins require Duo authentication.)

5. Modify SSH Configuration to Use Duo

Edit the SSH daemon configuration:

```
sudo nano /etc/ssh/sshd_config
```

Ensure the following settings are set:

```
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
```

(On OpenSSH 8.7 and later, ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication.)

Save and exit the file.

6. Restart SSH to Apply Changes

```
sudo systemctl restart sshd
```

7. Test Duo 2FA for SSH Logins

From another terminal, try logging into your server:

```
ssh username@your_server_ip
```

- Enter your password (if using password authentication).
- Receive a Duo push notification, SMS code, or phone call.
- Approve the request in your Duo Mobile app.
- If successful, you will be logged in.

Additional Enhancements for Duo 2FA on SSH

✅ Require Duo for sudo commands (Optional):

```
sudo nano /etc/pam.d/sudo
```

Add:

```
auth required pam_duo.so
```

(Users must verify 2FA before running sudo commands.)

✅ Whitelist Trusted IPs to Skip 2FA:

If you want to allow specific IP addresses to bypass 2FA, modify /etc/duo/pam_duo.conf:

```
exempt_ip = 192.168.1.100/24
```

(Users from this subnet won't be prompted for 2FA.) Confirm that your installed Duo Unix version supports this option before relying on it, and keep the range as narrow as possible, since any login from it is no longer protected by the second factor.

✅ Enforce Key-Based Authentication + 2FA for Maximum Security:

Modify /etc/ssh/sshd_config:

```
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
```

This ensures only SSH keys + Duo 2FA are allowed for logins.

Best Practices for Duo 2FA on SSH

🔹 Always test 2FA setup before closing your session to prevent being locked out.
🔹 Require Duo 2FA for all privileged users (e.g., root, sudo users).
🔹 Monitor SSH login attempts using logs (on CentOS/RHEL the file is /var/log/secure):

```
sudo grep sshd /var/log/auth.log
```

🔹 Combine 2FA with other security layers (firewalls, fail2ban, intrusion detection).

By implementing Duo 2FA for SSH, you add a powerful security layer that prevents unauthorized access and protects against brute-force attacks, making your Linux server much more secure.
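To confirm that the edits from steps 3 to 5 are all in place before you close your working session, the script below audits the three files. It is an added example, not part of the original article or of Duo's tooling; the function names are hypothetical, and the owner-only permission check is an assumption based on pam_duo.conf holding the secret key.

```shell
#!/bin/sh
# Added example: audits the three files edited in steps 3-5.
# Paths are arguments so the audit can also run against copies.

# has_line FILE REGEX: true if an uncommented line matches (case-insensitive).
has_line() { grep -Eiq "^[[:space:]]*$2" "$1"; }

# owner_only FILE: true if group and other have no permissions (skey is a secret).
owner_only() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# check DESCRIPTION COMMAND...: report the result and count failures in $fails.
check() {
    desc=$1; shift
    if "$@"; then echo "PASS  $desc"; else echo "FAIL  $desc"; fails=$((fails + 1)); fi
}

# audit_duo_ssh DUO_CONF PAM_SSHD SSHD_CONFIG: returns the number of failed checks.
audit_duo_ssh() {
    fails=0
    check "pam_duo.conf accessible by owner only" owner_only "$1"
    check "failmode = secure (deny login if Duo is unreachable)" \
        has_line "$1" 'failmode[[:space:]]*=[[:space:]]*secure[[:space:]]*$'
    check "pam_duo.so is a required/requisite auth module for sshd" \
        has_line "$2" 'auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_duo\.so'
    check "UsePAM yes" has_line "$3" 'UsePAM[[:space:]]+yes'
    check "keyboard-interactive authentication enabled" \
        has_line "$3" '(ChallengeResponse|KbdInteractive)Authentication[[:space:]]+yes'
    check "AuthenticationMethods publickey,keyboard-interactive" \
        has_line "$3" 'AuthenticationMethods[[:space:]]+publickey,keyboard-interactive'
    return "$fails"
}

# Run only when three paths are given, for example:
#   sudo sh audit.sh /etc/duo/pam_duo.conf /etc/pam.d/sshd /etc/ssh/sshd_config
if [ "$#" -eq 3 ]; then audit_duo_ssh "$@"; fi
```

The script reads the files as written and does not evaluate Match blocks or included files; `sudo sshd -T` prints the effective sshd settings if you need those.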