Update your system
It's critically important to keep your system up-to-date with the latest patches to prevent intruders from accessing your system.
sudo apt-get update -y && sudo apt dist-upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean
Enable automatic updates so you don't have to manually install them
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
To maintain server security, system admins should not frequently log in as root. Instead, use sudo to execute commands that require low-level privileges.
# To disable the root account, simply use the -l option.
sudo passwd -l root
SSH, the secure shell, is often used to access remote Linux systems. Because we often use it to connect to computers containing important data, it’s recommended to add another security layer. This is where two-factor authentication (2FA) comes in.
sudo apt install libpam-google-authenticator -y
To make SSH use the Google Authenticator PAM module, edit the /etc/pam.d/sshd file:
sudo nano /etc/pam.d/sshd
Add the following line:
auth required pam_google_authenticator.so
Now you need to restart the sshd daemon using:
sudo systemctl restart sshd.service
Modify /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to yes
ChallengeResponseAuthentication yes
Locate UsePAM and update to yes
UsePAM yes
Save the file and exit.
Run the google-authenticator command.
google-authenticator
It will ask you a series of questions, here is a recommended configuration:
- Make tokens “time-based”: yes
- Update the .google_authenticator file: yes
- Disallow multiple uses: yes
- Increase the original generation time limit: no
- Enable rate-limiting: yes
You may have noticed the giant QR code that appeared during the process. Underneath it are your emergency scratch codes, to be used if you don’t have access to your phone: write them down on paper and keep them in a safe place.
Now, open Google Authenticator on your phone and add your secret key to make two-factor authentication work.
Note: If you are enabling 2FA on a remote machine that you access over SSH you need to follow steps 2 and 3 of this tutorial to make 2FA work.
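The script below is an added example, not part of the original tutorial: it audits the three settings configured above (the PAM line, UsePAM and ChallengeResponseAuthentication) in the files it is given. The function names and the sample files are made up for illustration, and it assumes the settings live in the two files named on this page rather than in included files.

```shell
#!/bin/sh
# Added example: audit the settings this section changes.

# Print the first active value of an sshd_config keyword.
# $1 = "|"-separated keyword aliases, $2 = file. sshd uses the first
# occurrence and ignores keyword case. Include and Match are not followed.
sshd_value() {
    awk -v k="$1" 'BEGIN { k = "^(" tolower(k) ")$" }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) ~ k { print tolower($2); exit }' "$2"
}

# Succeed if an uncommented auth line loads pam_google_authenticator.so.
pam_has_totp() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1"
}

# $1 = sshd_config, $2 = PAM file. Returns 0 only if all three settings hold.
check_2fa() {
    rc=0
    pam_has_totp "$2" || { echo "FAIL: pam_google_authenticator.so not active in $2"; rc=1; }
    [ "$(sshd_value usepam "$1")" = yes ] || { echo "FAIL: UsePAM is not yes"; rc=1; }
    # Newer OpenSSH releases name this keyword KbdInteractiveAuthentication and
    # keep ChallengeResponseAuthentication as a deprecated alias.
    kbd=$(sshd_value 'kbdinteractiveauthentication|challengeresponseauthentication' "$1")
    [ "$kbd" = yes ] || { echo "FAIL: ChallengeResponseAuthentication is not yes"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: 2FA settings are present"
    return "$rc"
}

# Constructed sample: the PAM line is still commented out, so the audit fails.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '#UsePAM no' 'UsePAM yes' \
        'ChallengeResponseAuthentication yes' > "$d/sshd_config"
    printf '%s\n' '# auth required pam_google_authenticator.so' \
        '@include common-auth' > "$d/pam_sshd"
    check_2fa "$d/sshd_config" "$d/pam_sshd"; st=$?
    rm -rf "$d"
    return "$st"
}

if [ "$#" -eq 2 ]; then check_2fa "$1" "$2"; else demo || echo "(expected: sample is incomplete)"; fi
```

On a live host, pass /etc/ssh/sshd_config and /etc/pam.d/sshd as the two arguments; the output of sudo sshd -T, which prints the effective configuration including defaults and included files, also works as the first argument. Keep your current SSH session open and test a login from a second terminal before closing it.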