SSH (Secure Shell) is a widely used protocol for secure remote access to Linux servers. To enhance the security of your server, it is essential to implement best practices such as disabling root login, allowing SSH access only through key authentication, restricting access to specific IP addresses, and enabling two-factor authentication (2FA). This guide will walk you through the steps to achieve a secure SSH login on a Linux server using Google Authenticator for 2FA and IP restriction.
Disable Root Login
Disabling direct root login forces an attacker to guess both a valid username and its credential rather than just the root password, and it ties every privileged action to a named account that escalates through sudo. Follow the steps below:
1. Log in to the server via SSH.
2. Open the sshd_config file using the command:
sudo vi /etc/ssh/sshd_config
3. Find the line that starts with PermitRootLogin (on current RHEL-family releases it is commented out and defaults to prohibit-password) and set it to no. Keep any comment on its own line rather than after the value, since not every sshd version accepts trailing text on an option line:
# Authentication:
#LoginGraceTime 2m
# no = disable root login over SSH, yes = enable it
PermitRootLogin no
4. Save and close the file. To save the file press Esc and type :wq
5. Restart the SSH service. Check the file for syntax errors first (sshd -t prints nothing and exits 0 when the file parses) and keep your current session open until a fresh login succeeds, because the running session is your way back in if something went wrong.
sudo service sshd restart
Enable SSH Login Only Using SSH Key
A private key cannot be brute-forced the way a password can, and once PasswordAuthentication is off, password-guessing bots are rejected before any credential is checked. Before you turn passwords off, make sure your own public key is already in ~/.ssh/authorized_keys on the server and that a key login works from a second terminal. Follow the steps below:
1. Log in to the server via SSH.
2. Open the sshd_config file using the command:
sudo vi /etc/ssh/sshd_config
3. Ensure that the following lines are present and uncommented: PubkeyAuthentication must be yes and PasswordAuthentication must be no. sshd keeps the first value it reads for a keyword, so if your release ships /etc/ssh/sshd_config.d/ (RHEL 9 and derivatives, where the Include sits at the top of sshd_config), make sure no file there sets PasswordAuthentication yes ahead of your change; sshd -T prints the effective values.
PubkeyAuthentication yes
PasswordAuthentication no
4. Save and close the file. To save the file press Esc and type :wq
5. Restart the SSH service. Do this only after a key login has been confirmed from a second terminal; once sshd restarts, a password will no longer get you in:
sudo service sshd restart
Allow SSH Access from Specific IPs Only
Restricting where each account may log in from shrinks the exposed surface to addresses you control, so a stolen key is useless from anywhere else. Combine it with a firewall rule on the SSH port so unwanted sources are dropped before they ever reach sshd. Follow the steps below:
1. Log in to the server via SSH
2. Open the sshd_config file using the command:
sudo vi /etc/ssh/sshd_config
3. Add a single AllowUsers line listing each user together with the address it may log in from, in the form username@IP (the host part also accepts wildcards and CIDR ranges such as 192.0.2.0/24, an example address). AllowUsers is an allowlist: once it is present, any user not listed is refused, so include every account that still needs SSH access.
Example:
AllowUsers sihabul@103.**.**.** siha8ul@103.**.**.**
4. Save and close the file. To save the file press Esc and type :wq
5. Restart the SSH service, then confirm from a second terminal that each listed user can still log in from the allowed address before closing this session:
sudo service sshd restart
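The three edits above can be applied together and checked before sshd is restarted. The script below is an added example, not part of the original guide: it rewrites each option in place (dropping commented-out or duplicate global copies and leaving any Match-scoped ones alone, since sshd honours the first value it reads), refuses to disable password logins while the admin user has no key in authorized_keys, backs the file up, then runs sshd -t and restarts only if the configuration parses. The admin user name and allowed address are arguments you supply; the daemon path /usr/sbin/sshd and the use of systemctl are assumptions for a RHEL-family host.

```python
"""Apply the sshd_config hardening from the sections above in one idempotent run
(added example, not the guide's own commands; RHEL-family paths assumed)."""
import pwd
import re
import subprocess
import sys
from pathlib import Path

SSHD_CONFIG = Path("/etc/ssh/sshd_config")
SSHD = "/usr/sbin/sshd"          # assumption: RHEL/Rocky/Alma location of the daemon
KEY_LINE = re.compile(r"^(ssh-(rsa|ed25519)|ecdsa-sha2-|sk-)")   # plain key lines only
KEYWORD = re.compile(r"^\s*#?\s*(\S+)")   # first token, even if the line is commented out


def set_option(text: str, key: str, value: str) -> str:
    """Return `text` with the global `key value` present exactly once.

    sshd honours the first occurrence of a keyword, and options after a Match
    line are scoped to that block, so the new line goes above the first Match
    and earlier global copies (commented or not) are dropped. Match-scoped
    lines are left untouched.
    """
    out, done, in_match = [], False, False
    for line in text.splitlines():
        m = KEYWORD.match(line)
        kw = m.group(1).lower() if m else ""
        if kw == "match":
            if not done:
                out.append(f"{key} {value}")
                done = True
            in_match = True
        elif kw == key.lower() and not in_match:
            if not done:
                out.append(f"{key} {value}")
                done = True
            continue                   # drop duplicate or commented-out global copies
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def has_key_lines(authorized_keys: str) -> bool:
    """True if at least one public key is present (lockout guard before disabling passwords)."""
    return any(KEY_LINE.match(l.strip()) for l in authorized_keys.splitlines())


def harden(config: Path, user: str, allowed_ip: str) -> None:
    keys = Path(pwd.getpwnam(user).pw_dir) / ".ssh" / "authorized_keys"
    if not keys.is_file() or not has_key_lines(keys.read_text()):
        sys.exit(f"no public key in {keys}; install one (e.g. with ssh-copy-id) first")

    original = config.read_text()
    text = original
    for key, value in (("PermitRootLogin", "no"),
                       ("PubkeyAuthentication", "yes"),
                       ("PasswordAuthentication", "no"),
                       ("AllowUsers", f"{user}@{allowed_ip}")):
        text = set_option(text, key, value)
    config.with_suffix(".bak").write_text(original)
    config.write_text(text)

    # sshd -t parses the config and exits non-zero on any error: restore and stop
    # rather than restart into a broken daemon.
    if subprocess.run([SSHD, "-t"]).returncode != 0:
        config.write_text(original)
        sys.exit("sshd -t rejected the new configuration; original restored, sshd not restarted")
    subprocess.run(["systemctl", "restart", "sshd"], check=True)

    # Effective values after Include and Match processing (sshd -T prints keywords lower-case).
    effective = subprocess.run([SSHD, "-T"], capture_output=True, text=True, check=True).stdout
    for line in effective.splitlines():
        parts = line.split()
        if parts and parts[0] in {"permitrootlogin", "pubkeyauthentication",
                                  "passwordauthentication", "allowusers"}:
            print(line)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <admin-user> <allowed-ip>")
    harden(SSHD_CONFIG, sys.argv[1], sys.argv[2])
```

Run it as root with the admin account and its source address (sudo python3 harden_sshd.py <user> <ip>). Because set_option keeps exactly one global copy of each keyword, it collapses any existing AllowUsers lines into the one it writes; if more than one user@IP pair is needed, put them all in that single value.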
Enable 2FA on SSH using Google Authenticator
Two-factor authentication (2FA) adds an extra layer of security to SSH logins. Follow the steps below to set up 2FA using Google Authenticator:
Install required packages
sudo dnf install epel-release -y
sudo dnf install google-authenticator qrencode qrencode-libs -y
Configure SSH:
Open the sshd_config file
sudo vi /etc/ssh/sshd_config
Ensure the following lines are set to yes. On OpenSSH 8.7 and later (as shipped with RHEL 9) the keyword is KbdInteractiveAuthentication and ChallengeResponseAuthentication is kept as a deprecated alias, so either spelling works. If your release has /etc/ssh/sshd_config.d/, check that no file there overrides it (50-redhat.conf on RHEL 9 sets ChallengeResponseAuthentication no), because sshd keeps the first value it reads:
ChallengeResponseAuthentication yes
UsePAM yes
Add the line below at the bottom of the file. It makes sshd require both factors in order: the public key first, then the keyboard-interactive (PAM) step that asks for the TOTP code, so a client without the key never even reaches the code prompt:
AuthenticationMethods publickey,keyboard-interactive
Configure PAM:
Open the sshd file:
sudo vi /etc/pam.d/sshd
Comment out the line auth substack password-auth by adding # in front of it. That substack is the Unix password check; removing it from sshd's stack means the keyboard-interactive step asks only for the TOTP code, so the two factors are the SSH key and the code, with no password prompt. Leave the remaining lines as they are:
#%PAM-1.0
#auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
Add the line below at the bottom of the file. The module expands ${HOME} (and ${USER}) itself. The secret is kept under ~/.ssh rather than at the default ~/.google_authenticator because that directory is one sshd is allowed to read with SELinux enforcing. Without the nullok option, a user who has no secret file is refused, which is the safe default here:
auth required pam_google_authenticator.so secret=${HOME}/.ssh/google_authenticator
Restart SSH
sudo service sshd restart
Keep this session open: from now on every new login needs a code, and a user who has not yet generated a secret file (the next step) will be refused.
Run Google Authenticator
Generate a new secret as the user who will log in (without sudo, so the file is owned and readable by that user), writing it to the path configured in PAM:
google-authenticator -s ~/.ssh/google_authenticator
Type y and press Enter
Do you want authentication tokens to be time-based (y/n) y
Scan the QR Code or Enter the setup key on your app and type the code
Your new secret key is: SSUM***********************
Enter code from app (-1 to skip): type the code here
Store the emergency scratch codes somewhere safe, such as a password manager: each one is a one-time replacement for a TOTP code if you lose the phone, and the file is overwritten if you rerun the tool.
Code confirmed
Your emergency scratch codes are:
308*****
496*****
397*****
239*****
997*****
Type y and press Enter
Do you want me to update your "/home/siha8ul/.ssh/google_authenticator" file? (y/n) y
Type y and press Enter
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
The transcript below answers y, which widens the window to 17 codes. Answer n instead if the server keeps time with chrony/NTP (the default on RHEL-family systems): the standard 3-code window already tolerates 30 seconds of skew, and 17 accepted codes give an attacker more than five times as many chances per guess.
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
Type y and press Enter
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
2FA setup is complete. Now open a second terminal and try to log in: after the key is accepted you should be prompted for a verification code. Close the original session only once that works.
By following this guide, you have successfully implemented a secure SSH login on your Linux server. Disabling root login, using SSH key authentication, restricting access to specific IP addresses, and enabling 2FA with Google Authenticator significantly enhance the security of your server against unauthorized access.