@AntaeusNar
Last active June 19, 2023 21:10
Enabling SSH Key authentication with 2 Factor Authentication via Google Authenticator and Fail2Ban on Ubuntu 18.04

SSH Key with 2FA

  1. Add the client user's ssh-rsa public key to the server user's ~/.ssh/authorized_keys file.

The rest of this will be done on the server as the user that will log in with the key and 2FA.

  1. Install the Google Authenticator PAM helper

sudo apt update && sudo apt upgrade -y - Always a good idea to update everything before starting

sudo apt install libpam-google-authenticator - This is the PAM module that provides 2FA via Google Authenticator

google-authenticator - This runs the 2FA configuration; answer yes to all questions, then scan the barcode with the 2FA app on your mobile device.

  1. Update PAM

sudo vim /etc/pam.d/sshd

#Standard Un*x password updating.
#@include common-password
auth required pam_google_authenticator.so

Commenting out the include (#@include common-password) stops PAM from asking for a password, and the auth required pam_google_authenticator.so line requires users to present a 2FA token.

  1. Update SSH

sudo vim /etc/ssh/sshd_config

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 1
PasswordAuthentication no
AllowUsers <username>
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

Replace <username> with the username of the server user that is allowed to log in. The first 8 options make sure that root can't log in over SSH, that only the usernames listed in AllowUsers can log in, and that everything is set up for SSH key login. The last three tell sshd to use PAM, which now has the 2FA helper installed and configured, and to require a successful public key authentication followed by the keyboard-interactive (2FA) prompt. Note that the method list is comma-separated with no spaces.

sudo systemctl restart sshd.service - restarts the OpenSSH server daemon.

  1. Install and Configure Fail2Ban

sudo apt install fail2ban -y

sudo vim /etc/fail2ban/jail.local

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
findtime = 3600
bantime = 300
maxretry = 2

[sshd-persistent]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
bantime = 604800
findtime = 604800
maxretry = 19

sudo vim /etc/fail2ban/fail2ban.conf

Edit dbpurgeage = 1d to read dbpurgeage = 8d (longer than the 7-day sshd-persistent bantime).

sudo systemctl enable fail2ban

sudo systemctl start fail2ban

  1. ????

  2. Profit


docop commented Jun 16, 2023

Hi, I never see the section sshd-persistent. What is it used for? Is that to block connection attempts with a key?
Thanks for the precision.

AntaeusNar (Author) commented

Hey @docop, the sshd-persistent jail is basically the normal sshd jail but longer.
Basically, if you miss the first couple of tries, sshd catches you and bans you for 5 mins; then if you come back and keep trying, sshd-persistent bans you for 7 days.
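To make the two-tier behaviour of the jail.local above concrete, here is an added example (not part of the gist or of fail2ban) that replays a constructed auth.log sample through a small model of the two jails with the gist's findtime/bantime/maxretry values; the log lines, host name, IPs and the assumed year 2023 are all made up, and the regex is a simplified form of the line pattern fail2ban's sshd filter matches.

```python
import calendar
import re
from datetime import datetime

# Constructed /var/log/auth.log sample (not from the gist); syslog stamps carry no year, so 2023 is assumed.
AUTH_LOG = """\
Jun 19 20:00:00 srv sshd[1001]: Failed publickey for admin from 203.0.113.5 port 50010 ssh2: RSA SHA256:AAAA
Jun 19 20:00:05 srv sshd[1002]: Failed password for invalid user test from 203.0.113.5 port 50011 ssh2
Jun 19 20:00:07 srv sshd[1003]: Failed password for invalid user test from 198.51.100.9 port 40000 ssh2
Jun 19 20:06:00 srv sshd[1004]: Failed password for invalid user root from 203.0.113.5 port 50012 ssh2
"""
# Simplified form of the "Failed <method> for ... from <HOST>" line that fail2ban's sshd filter matches.
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \S+ for .*? from (\d+(?:\.\d+){3})")

class Jail:
    def __init__(self, name, findtime, bantime, maxretry):
        self.name, self.findtime, self.bantime, self.maxretry = name, findtime, bantime, maxretry
        self.failures = {}      # ip -> epoch seconds of failures still inside findtime
        self.banned_until = {}  # ip -> epoch second at which the ban lifts

    def observe(self, ts, ip):
        """Record one failure at epoch second ts; return the ban expiry if it triggers a ban, else None."""
        if ts < self.banned_until.get(ip, 0):
            return None  # still banned: the firewall drop rule is in place, nothing more to do
        window = [t for t in self.failures.get(ip, []) if ts - t <= self.findtime] + [ts]
        if len(window) < self.maxretry:
            self.failures[ip] = window
            return None
        self.failures[ip] = []  # fail2ban discards the counted failures once it bans
        self.banned_until[ip] = ts + self.bantime
        return self.banned_until[ip]

def parse_failures(log_text, year=2023):
    """Return [(epoch_seconds, ip), ...] for each matching line, treating stamps as UTC."""
    def stamp(s):
        return calendar.timegm(datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S").timetuple())
    return [(stamp(m.group(1)), m.group(2)) for m in map(FAIL_RE.match, log_text.splitlines()) if m]

def ban_events(log_text):
    """Replay the log through the gist's two jails; return (jail, ip, banned_until) for each ban."""
    jails = [Jail("sshd", findtime=3600, bantime=300, maxretry=2),
             Jail("sshd-persistent", findtime=604800, bantime=604800, maxretry=19)]
    events = []
    for ts, ip in parse_failures(log_text):
        for jail in jails:
            until = jail.observe(ts, ip)
            if until is not None:
                events.append((jail.name, ip, until))
    return events
```

With the sample, 203.0.113.5 trips the sshd jail on its second failure and is banned for 300 seconds, while its three failures are far from the 19 the sshd-persistent jail needs; on a real host the 5-minute firewall drop also means no new log lines arrive from that address until the short ban lifts.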
