After changing your SSH port, configuring port knocking, and making other tweaks for SSH security, there is perhaps one more way that you can protect your server; using two-factor authentication. With two factor authentication (2FA), a person would require your mobile device to access your SSH server. This can be useful to protect against all brute forcing attacks, and unauthorized login attempts.
In this tutorial, I will explain how to configure 2FA on your CentOS 6 server with SSH and Google Authenticator.
The package "google-authenticator" exists in the default repository for CentOS. Run the following command as the root user to install it.
yum install pam pam-devel google-authenticator
Now that you have this installed on your server, you'll need to install the "Google Authenticator" app on your mobile device.
After you install that, keep your mobile device readily available, because we still need to configure 2FA.
First, login via SSH as the user you wish to secure.
Execute the following command:
Hit "y" at the first message, where it asks you if you would like to update the
./google_authenticator file. When it prompts you to disallow multiple uses, hit "y" again so that another user can't use your code. For the rest of the options, hit "y", as they all improve the effectiveness of this software.
Great! Make sure you copy down the secret key, and the emergency scratch codes on a piece of paper.
Now, we need to configure PAM to use 2FA.
For this article, I'll be using nano as the preferred text editor. Execute the following command as root.
Add the following line to the top of the file.
auth required pam_google_authenticator.so
Save, then close the editor.
Next, configure the SSH daemon to use 2FA.
Find the line that resembles "ChallengeResponseAuthentication no", and change "no" to "yes".
Restart the SSH server:
service sshd restart
To configure this software, we need to add the secret key into it. Find the "manually enter key" option, and tap that. Input the secret key you wrote down earlier, and save. A code will now pop up, and will refresh every so often. You'll need this to logon to the SSH server from now on.
The purpose of two factor authentication is to improve the security of your server. Since no one else will have access to your mobile device, they won't be able to figure out the code to login to your server.