Update your system
It's critically important to keep your system up-to-date with the latest patches to prevent intruders from accessing your system.
sudo apt-get update -y && sudo apt dist-upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean
Enable automatic updates so you don't have to manually install them
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
System admins should not frequently log in as root in order to maintain server security. Instead, you can use sudo execute that require low-level privileges
# To disable the root account, simply use the -l option.
sudo passwd -l root
SSH, the secure shell, is often used to access remote Linux systems. Because we often use it to connect with computers containing important data, it’s recommended to add another security layer. Here comes the two factor authentication (2FA).
sudo apt install libpam-google-authenticator -y
To make SSH use the Google Authenticator PAM module, edit the
sudo nano /etc/pam.d/sshd
Add the following line:
auth required pam_google_authenticator.so
Now you need to restart the
sudo systemctl restart sshd.service
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to yes
Locate UsePAM and update to yes
Save the file and exit.
Run the google-authenticator command.
It will ask you a series of questions, here is a recommended configuration:
- Make tokens “time-base”": yes
- Update the
- Disallow multiple uses: yes
- Increase the original generation time limit: no
- Enable rate-limiting: yes
You may have noticed the giant QR code that appeared during the process, underneath are your emergency scratch codes to be used if you don’t have access to your phone: write them down on paper and keep them in a safe place.
Now, open Google Authenticator on your phone and add your secret key to make two factor authentication work.
Note: If you are enabling 2FA on a remote machine that you access over SSH you need to follow steps 2 and 3 of this tutorial to make 2FA work.