
Secure SSH Login with 2FA and IP Restriction in Linux

SSH (Secure Shell) is the standard protocol for remote administration of Linux servers, which also makes it the most exposed service on most of them. This guide hardens the SSH login in four steps: disabling root login, allowing only key-based authentication, restricting access to specific source IP addresses, and adding two-factor authentication (2FA) with a time-based one-time code from Google Authenticator. The commands target a RHEL-family system (dnf, EPEL, systemd). Keep your current SSH session open while you work and test every change from a second session before you close the first one, so that a mistake in sshd_config cannot lock you out.

Disable root Login

Disabling root login over SSH forces every administrator to log in with a personal account and escalate with sudo, so brute-force attempts against the one account name every attacker knows get nowhere. Before you do this, make sure a non-root user exists, has sudo rights (on RHEL-family systems, membership of the wheel group) and can already log in. Follow the steps below:

1. Log in to the server via SSH.

2. Open the sshd_config file using the command:

sudo vi /etc/ssh/sshd_config

3. Find the line that says PermitRootLogin yes (it may be commented out, in which case the default prohibit-password applies) and change it to PermitRootLogin no. Do not put a comment after the value: sshd rejects trailing text on a directive line and will refuse to start.

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no

4. Save and close the file: press Esc, type :wq and press Enter.

5. Check the file for syntax errors, then restart the SSH service. Keep your current session open and confirm that a new login still works before you close it:

sudo sshd -t
sudo systemctl restart sshd

Enable SSH Login Only Using SSH Key

Key-based authentication replaces a guessable password with a private key that never leaves the client, so password guessing against sshd becomes pointless. Before you disable passwords, install each user's public key in ~/.ssh/authorized_keys on the server (for example with ssh-copy-id from the client) and confirm that key login works from a second session. Follow the steps below:

1. Log in to the server via SSH.

2. Open the sshd_config file using the command:

sudo vi /etc/ssh/sshd_config

3. Ensure that the following lines are present and uncommented. PubkeyAuthentication must be yes and PasswordAuthentication must be no:

PubkeyAuthentication yes
PasswordAuthentication no

sshd uses the first value it reads for each keyword, and a stock sshd_config usually begins with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in file in that directory (cloud images commonly ship one containing PasswordAuthentication yes) silently overrides a later line in the main file. After restarting, confirm the values sshd actually uses with:

sudo sshd -T | grep -iE '^(permitrootlogin|pubkeyauthentication|passwordauthentication)'

4. Save and close the file: press Esc, type :wq and press Enter.

5. Check the file for syntax errors, then restart the SSH service. Keep your current session open and confirm from a second session that key login still works:

sudo sshd -t
sudo systemctl restart sshd

Allow SSH Access from Specific IPs Only

Restricting SSH access to specific source IP addresses means that even a stolen key is useless from anywhere else. AllowUsers is an allow-list: once it is set, every user it does not match is refused, so list every account that needs SSH, including the one you are logged in with. Follow the steps below:

1. Log in to the server via SSH

2. Open the sshd_config file using the command:

sudo vi /etc/ssh/sshd_config

3. Add one AllowUsers line containing a username@IP pattern for each user and the address that user may connect from. The host part may also be a CIDR block (for example user@192.0.2.0/24 to allow a whole subnet), and a username given without @ is allowed from anywhere.

Example:

AllowUsers sihabul@103.**.**.** siha8ul@103.**.**.**

4. Save and close the file: press Esc, type :wq and press Enter.

5. Check the file for syntax errors, then restart the SSH service. Keep your current session open: if your own user or address is missing from AllowUsers, the next login will be refused and you can still fix the file from this session:

sudo sshd -t
sudo systemctl restart sshd
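The three sshd_config changes above share two pitfalls that are easy to miss: sshd keeps the first value it reads for a keyword (so a drop-in under /etc/ssh/sshd_config.d pulled in by an Include at the top of the file overrides an edit made further down), and AllowUsers is an allow-list whose host part may be a CIDR block. The following Python script is an added example for this guide, not part of OpenSSH or of the original post: it parses an sshd_config the way sshd reads it, reports which of the settings above are not in effect, and evaluates AllowUsers for a given user and source address. The sample configuration, the drop-in file name and the addresses in it are constructed for the example.

```python
"""Offline audit of an sshd_config for the settings this guide changes.
Added example for this guide, not part of OpenSSH."""
import fnmatch
import ipaddress
import re

# OpenSSH 8.7 renamed ChallengeResponseAuthentication; both spellings set the
# same option, so they are folded onto one key here.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Compiled-in defaults that apply when a keyword never appears.
DEFAULTS = {"permitrootlogin": "prohibit-password", "pubkeyauthentication": "yes",
            "passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "usepam": "no", "authenticationmethods": "any"}

# What each keyword must be once the guide has been followed.
EXPECTED = {"permitrootlogin": "no", "pubkeyauthentication": "yes",
            "passwordauthentication": "no", "kbdinteractiveauthentication": "yes",
            "usepam": "yes", "authenticationmethods": "publickey,keyboard-interactive"}


def parse_sshd_config(text, includes=None):
    """Return (effective {keyword: value}, merged AllowUsers patterns).

    Mirrors how sshd reads the file: the first value seen for a keyword wins,
    Include pulls other files in at that point, AllowUsers lines accumulate,
    and everything after a Match line is conditional (ignored here).
    `includes` maps file names to contents in place of reading the disk."""
    includes = includes or {}
    effective, allow_users, in_match = {}, [], False

    def walk(body):
        nonlocal in_match
        for raw in body.splitlines():
            line = raw.strip()
            if in_match or not line or line.startswith("#"):
                continue
            parts = re.split(r"\s+|=", line, maxsplit=1)
            keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
            value = parts[1].strip(" =\t") if len(parts) > 1 else ""
            if keyword == "match":
                in_match = True
            elif keyword == "include":
                for name in sorted(n for n in includes if fnmatch.fnmatch(n, value)):
                    walk(includes[name])
            elif keyword == "allowusers":
                allow_users.extend(value.split())
            else:
                effective.setdefault(keyword, value)  # first value wins

    walk(text)
    return effective, allow_users


def allowed_by_allowusers(allow_users, user, source_ip):
    """Model sshd's AllowUsers check: no list means no restriction; otherwise
    some USER or USER@HOST pattern must match. HOST may be a CIDR block
    (address/masklen) or a pattern with * and ? wildcards."""
    if not allow_users:
        return True
    addr = ipaddress.ip_address(source_ip)
    for pattern in allow_users:
        user_pat, _, host_pat = pattern.partition("@")
        if not fnmatch.fnmatchcase(user, user_pat):
            continue
        if not host_pat:
            return True
        if "/" in host_pat:
            if addr in ipaddress.ip_network(host_pat, strict=False):
                return True
        elif fnmatch.fnmatchcase(source_ip, host_pat):
            return True
    return False


def audit(text, includes=None):
    """Return (effective, allow_users, findings); no findings means a pass."""
    effective, allow_users = parse_sshd_config(text, includes)
    findings = []
    for keyword, want in EXPECTED.items():
        got = effective.get(keyword, DEFAULTS[keyword]).lower()
        if got != want:
            findings.append(f"{keyword}: effective value is {got!r}, expected {want!r}")
    if not allow_users:
        findings.append("allowusers: not set, logins are not restricted by source address")
    return effective, allow_users, findings


# Constructed sample: the main file edited as described above, plus the
# drop-in many cloud images install. The Include is read first and the first
# value wins, so the drop-in's "yes" beats the "no" in the main file.
SAMPLE_MAIN = """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AllowUsers sihabul@203.0.113.0/24 admin@198.51.100.7
AuthenticationMethods publickey,keyboard-interactive
"""
SAMPLE_DROPIN = {"/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n"}

if __name__ == "__main__":
    for label, includes in (("with drop-in", SAMPLE_DROPIN), ("without drop-in", None)):
        _, allow, findings = audit(SAMPLE_MAIN, includes)
        print(f"{label}: {findings or 'all settings as expected'}")
    print("sihabul from 203.0.113.42:", allowed_by_allowusers(allow, "sihabul", "203.0.113.42"))
    print("sihabul from 198.51.100.7:", allowed_by_allowusers(allow, "sihabul", "198.51.100.7"))
```

Against a live server the simplest cross-check is sudo sshd -T, which prints the values sshd actually uses after all Includes are resolved; the script exists to show why an edit in the main file can fail to take effect and how the AllowUsers patterns are matched.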

Enable 2FA on SSH using Google Authenticator

Two-factor authentication (2FA) adds a second, independent factor to the login: a time-based one-time code from an authenticator app, checked on the server by the pam_google_authenticator PAM module. A stolen key alone then no longer gives access. Follow the steps below to set up 2FA using Google Authenticator:

Install the required packages (google-authenticator comes from EPEL; qrencode lets the setup tool print a QR code in the terminal for the app to scan):

sudo dnf install epel-release -y
sudo dnf install google-authenticator qrencode qrencode-libs -y

Configure SSH:

Open the sshd_config file

sudo vi /etc/ssh/sshd_config

Ensure the following lines are set to yes. On OpenSSH 8.7 and later, as shipped with RHEL 9, ChallengeResponseAuthentication is a deprecated alias of KbdInteractiveAuthentication; either spelling sets the same option.

ChallengeResponseAuthentication yes
UsePAM yes

Add the following line in the global section of the file, above any Match block (a line appended to the very bottom would otherwise land inside the last Match block and apply only to it):

AuthenticationMethods publickey,keyboard-interactive

This requires both methods, in that order: the client must first present a valid key, and only then is it asked for the one-time code through PAM. Key-only and code-only logins are both refused.

Configure PAM:

Open the sshd file:

sudo vi /etc/pam.d/sshd

Comment out the line auth substack password-auth by adding # in front of it. Left in place, that stack asks for the account password during the keyboard-interactive exchange, which reopens the password login the previous section disabled. With it removed, the one-time code is the only PAM prompt.

#%PAM-1.0
#auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth

Add the following line at the bottom of the file. The module expands ${HOME} for the user who is logging in, so each user keeps a separate secret file:

auth required pam_google_authenticator.so secret=${HOME}/.ssh/google_authenticator

Without the nullok option, a user who has no secret file yet cannot log in at all, so every user must enroll (see Run Google Authenticator below) before their next login. During a rollout you can append nullok to this line to let un-enrolled users in with their key alone, and remove it once everyone is enrolled.

Restart SSH

Check the configuration and restart the service. Keep this session open: from now on an account without a secret file is refused until it has been enrolled in the next step.

sudo sshd -t
sudo systemctl restart sshd

Run Google Authenticator

Run the setup as the user who will log in (not as root). Generate a new secret key, using -s to store it at the path the PAM module was told to read:

google-authenticator -s ~/.ssh/google_authenticator

Type y and press Enter: time-based codes change every 30 seconds, which is what the app and the PAM module expect.

Do you want authentication tokens to be time-based (y/n) y

Scan the QR code, or enter the setup key in your authenticator app, then type the current code from the app to confirm that the app and the server agree:

Your new secret key is: SSUM***********************
Enter code from app (-1 to skip): type the code here

Now save the emergency scratch codes somewhere safe (a password manager, not the server). Each one works exactly once and is your way in if the phone is lost:

Code confirmed
Your emergency scratch codes are:
  308*****
  496*****
  397*****
  239*****
  997*****

Type y and press Enter to write the secret file:

Do you want me to update your "/home/siha8ul/.ssh/google_authenticator" file? (y/n) y

Type y and press Enter. Refusing a code that has already been used means that an attacker who captures a code as you type it cannot replay it during the 30 seconds it remains valid:

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

Type y and press Enter if the server's clock may drift. If chrony or NTP keeps the server in sync, n is the safer answer, because the wider window accepts codes up to four minutes old:

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

Type y and press Enter. The PAM module then refuses more than 3 attempts per 30 seconds on its own, independent of sshd's MaxAuthTries or any fail2ban rule:

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

2FA setup is complete. Now try to log in from a second session: after the key is accepted you are prompted for the verification code, and a login with only the key or only the code is refused.
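To make the three prompts above concrete (the accepted time window, rejecting a reused code, and rate limiting), here is a Python model of the checks the PAM module performs at login. It is an added example for this guide, not the module's own code, and it is a deliberate simplification: it reads a secret file in the layout google-authenticator writes (base32 secret on the first line, option lines starting with a double quote, then eight-digit scratch codes, as assumed here from the prompts above), generates codes with the TOTP algorithm the app and the module share, and walks through a login sequence using the RFC 6238 reference secret so the codes can be checked against the published test vectors. The scratch codes and the sequence of attempts are constructed for the example.

```python
"""Model of the checks pam_google_authenticator performs at login.
Added example for this guide; not the module's code, and simplified."""
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference secret ("12345678901234567890" in base32). The codes it
# produces are the RFC's published test vectors, so results can be checked.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_code(secret_b32, now, step=30):
    """The code the authenticator app shows at Unix time `now`."""
    return hotp(base64.b32decode(secret_b32), now // step)


class Verifier:
    """Server side: parses a secret file and judges submitted codes."""

    def __init__(self, secret_file_text, step=30):
        lines = [ln.strip() for ln in secret_file_text.splitlines() if ln.strip()]
        self.secret = base64.b32decode(lines[0])
        self.step = step
        self.window = 3            # codes accepted: previous, current, next
        self.disallow_reuse = False
        self.used_counters = set()  # time steps already consumed
        self.rate_limit = None     # (attempts, seconds)
        self.attempts = []         # timestamps of recent attempts
        self.scratch = set()       # emergency codes, each valid once
        for line in lines[1:]:
            if line.startswith('" '):
                opt = line[2:].split()
                if opt[0] == "WINDOW_SIZE":
                    self.window = int(opt[1])
                elif opt[0] == "DISALLOW_REUSE":
                    self.disallow_reuse = True
                    self.used_counters.update(int(c) for c in opt[1:])
                elif opt[0] == "RATE_LIMIT":
                    self.rate_limit = (int(opt[1]), int(opt[2]))
            elif len(line) == 8 and line.isdigit():
                self.scratch.add(line)

    def verify(self, code, now):
        """Return True if `code` is acceptable at Unix time `now`."""
        if self.rate_limit:
            attempts, seconds = self.rate_limit
            self.attempts = [t for t in self.attempts if t > now - seconds]
            if len(self.attempts) >= attempts:
                return False            # too many attempts: do not even check
            self.attempts.append(now)
        if code in self.scratch:
            self.scratch.discard(code)  # scratch code: burned on first use
            return True
        if len(code) != 6 or not code.isdigit():
            return False
        current, half = now // self.step, self.window // 2
        for counter in range(current - half, current + half + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.disallow_reuse:
                    if counter in self.used_counters:
                        return False    # replay of a code already accepted
                    self.used_counters.add(counter)
                return True
        return False


# Constructed secret file in the layout google-authenticator writes, with the
# RFC secret and two made-up scratch codes.
SAMPLE_SECRET_FILE = f"""\
{RFC_SECRET_B32}
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


def demo():
    """Run the cases the setup prompts describe and return each outcome."""
    v = Verifier(SAMPLE_SECRET_FILE)
    t = 1111111111                                   # RFC vector time, counter 37037037
    r = {}
    r["current code"] = v.verify(totp_code(RFC_SECRET_B32, t), t)
    r["same code replayed"] = v.verify(totp_code(RFC_SECRET_B32, t), t + 5)
    r["previous step code"] = v.verify(totp_code(RFC_SECRET_B32, t - 30), t + 5)
    r["fourth attempt in 30s"] = v.verify("000000", t + 6)
    r["scratch code"] = v.verify("12345678", t + 40)
    r["scratch code reused"] = v.verify("12345678", t + 41)
    r["code 4 minutes old, window 3"] = v.verify(totp_code(RFC_SECRET_B32, t - 240), t + 42)
    wide = Verifier(SAMPLE_SECRET_FILE.replace("WINDOW_SIZE 3", "WINDOW_SIZE 17"))
    r["code 4 minutes old, window 17"] = wide.verify(totp_code(RFC_SECRET_B32, t - 240), t)
    r["code 4.5 minutes old, window 17"] = wide.verify(totp_code(RFC_SECRET_B32, t - 270), t + 1)
    return r


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'accepted' if outcome else 'refused'}")
```

The sequence shows why the prompts matter: the replayed code is refused only because DISALLOW_REUSE records the time step it was accepted in, the fourth attempt inside 30 seconds is refused before any code is checked, and a code from four minutes earlier passes with a 17-code window but not with the default 3. Widening the window trades replay resistance for tolerance of clock drift, which is why keeping the server on NTP is the better fix.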

By following this guide, you have successfully implemented a secure SSH login on your Linux server. Disabling root login, using SSH key authentication, restricting access to specific IP addresses, and enabling 2FA with Google Authenticator significantly enhance the security of your server against unauthorized access.
