I find it very useful to have Raspberry Pi’s at mine and other family members house (different ISP’s) to preform various traceroute, latency and iperf tests. Rather than running full OpenVPN clients, I opted for exposing them using port-forwarding to the internet.

This poses a significant security issue as SSH is a port which can be misused and attacked. So, not only did I opt to run it on an obscure port but I also enabled MFA.

There is a great article about STO: Security Through Obscurity – Is it really a bad practice? (securitytrails.com)

MFA using Google’s Authenticator PAM module is really easy to setup.

apt install libpam-google-authenticator

vi /etc/pam.d/sshd
auth required pam_google_authenticator.so nullok

vi /etc/ssh/sshd_config
ChallengeResponseAuthentication Yes

A neat trick for changing the order of when the security token is requested; before the users password, place the line in /etc/pam.d/sshd at the top or if you want it after, place it at the bottom.

In addition, I also set the LoginGraceTime to 10 seconds, this closes the login connection if details aren’t entered within the provided time and because I use UFW, I set a rate limit. ufw limit ssh will block connection if more than 6 occur within 30 seconds.

The last part is to setup MFA with an app, SSH as the desired user (not as su or with sudo -s) and run google-authenticator following onscreen prompts.

Want to use the same MFA account on multiple servers? Just copy the file /home/user/.google_authenticator to the other Pi.

---

• Linux, Security
• mfa, raspberry-pi, ubuntu
• 31 March, 2020

Share via Twitter LinkedIn Facebook Email