1080*80 ad
Home » Blog » Securing SSH with Two-Factor Authentication on Linux

Securing SSH with Two-Factor Authentication on Linux

Benhcmark Administrator Benhcmark Administrator
23/07/2025
2 Views 0
Securing SSH with Two-Factor Authentication on Linux

Supercharge Your Linux Server Security: Hardening SSH with Two-Factor Authentication

In today’s threat landscape, relying solely on passwords for SSH access is a gamble you can’t afford to take. Two-Factor Authentication (2FA) adds a crucial layer of security, making it significantly harder for malicious actors to gain unauthorized access to your Linux servers. This guide will walk you through hardening your SSH configuration by implementing 2FA, dramatically improving your server’s defenses.

Why is 2FA Essential for SSH?

Even with strong passwords, your server is vulnerable to brute-force attacks, password leaks, and phishing scams. 2FA mitigates these risks by requiring a second, time-sensitive verification code, typically generated by an app on your smartphone or a hardware security key. Even if an attacker obtains your password, they won’t be able to log in without this second factor.

Implementing 2FA with Google Authenticator

A popular and convenient method for enabling 2FA on Linux is using Google Authenticator. Here’s a step-by-step process:

  1. Install the Necessary Packages: Begin by installing the Google Authenticator PAM module. On Debian/Ubuntu systems, use sudo apt update && sudo apt install libpam-google-authenticator. On CentOS/RHEL, use sudo yum install google-authenticator.

  2. Configure Google Authenticator: Run the google-authenticator command as the user you want to protect. This will generate a QR code and recovery codes. Scan the QR code with the Google Authenticator app (available on iOS and Android). Store the recovery codes in a secure location; you’ll need them if you lose access to your phone. Answer the configuration questions carefully, considering your security needs. For example, disabling rate-limiting might seem convenient, but it weakens your defenses.

  3. Configure SSH to Use PAM: Edit the /etc/pam.d/sshd file. Add the line auth required pam_google_authenticator.so nullok before the line that reads auth include system-auth. The nullok option allows users without 2FA configured to still log in with a password only; remove it to require 2FA for all users.

  4. Adjust SSH Configuration: Edit the /etc/ssh/sshd_config file. Ensure that ChallengeResponseAuthentication is set to yes and PasswordAuthentication is set to yes. While we’re enabling 2FA, disabling password authentication completely after verifying 2FA is working correctly provides an even stronger security posture. This forces users to rely solely on key-based authentication and 2FA. To do this, change PasswordAuthentication to no after you’ve confirmed 2FA is functional.

  5. Restart the SSH Service: Apply the changes by restarting the SSH service: sudo systemctl restart sshd (or sudo service sshd restart on older systems).

Testing Your Configuration

Before disabling password authentication entirely, test your 2FA setup thoroughly. Attempt to SSH into your server. You should now be prompted for both your password and the Google Authenticator code. If everything works as expected, you can proceed to further harden your SSH configuration.

Enhancing Security Further

  • Disable Password Authentication (After Testing): As mentioned above, setting PasswordAuthentication to no in /etc/ssh/sshd_config drastically reduces the attack surface. This forces users to use key-based authentication in conjunction with 2FA.
  • Use Key-Based Authentication: Generate SSH key pairs and disable password authentication for a more secure login process.
  • Limit SSH Access by IP Address: Use firewall rules (iptables or UFW) to restrict SSH access to specific IP addresses or networks. This reduces the risk of brute-force attacks from unknown sources.
  • Change the Default SSH Port: While not a foolproof measure, changing the default SSH port (22) can deter automated attacks that target the standard port. Choose a port number above 1024. Remember to adjust your firewall rules accordingly.
  • Regularly Update Your System: Keeping your Linux system and SSH packages up-to-date is crucial for patching security vulnerabilities.

Staying Secure

Implementing 2FA for SSH is a significant step toward securing your Linux servers. By combining it with other security best practices, like key-based authentication and regular system updates, you can significantly reduce your risk of unauthorized access and data breaches. Take action today to protect your valuable data and infrastructure.

Source: https://www.tecmint.com/ssh-two-factor-authentication/

900*80 ad

Related Articles
      1080*80 ad
      About Hosterdojo

      Hosterdojo reviews server performance, network capabilities, and other related benchmarks. If you are a provider interested in submitting your VPS products, feel free to reach out to me.

      Email: [email protected]
      Telegram Channel: https://t.me/hosterdojo

      Follow

      Useful Link

      Girl in a jacket