sshd hardening with Google Authenticator

VPS cloud server security hardening

iptables persistence

# Save the current rule set, then have rc.local restore it at boot.
iptables-save > /etc/sysconfig/iptables
vim /etc/rc.d/rc.local
# Add the following line to /etc/rc.d/rc.local. On CentOS 7 the file must also be
# executable (chmod +x /etc/rc.d/rc.local), otherwise it is not run at boot.
iptables-restore < /etc/sysconfig/iptables

OTP: Google Authenticator on Linux

[root@VM-4-9-centos ~]# yum search google-authenticator
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
============================================ N/S matched: google-authenticator =============================================
google-authenticator.x86_64 : One-time pass-code support using open standards

Name and summary matches only, use "search all" for everything.
[root@VM-4-9-centos ~]# yum info google-authenticator
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Available Packages
Name : google-authenticator
Arch : x86_64
Version : 1.04
Release : 1.el7
Size : 48 k
Repo : epel/7/x86_64
Summary : One-time pass-code support using open standards
URL : https://github.com/google/google-authenticator-libpam/
License : ASL 2.0
Description : The Google Authenticator package contains a plug-able authentication
: module (PAM) which allows login using one-time pass-codes conforming to
: the open standards developed by the Initiative for Open Authentication
: (OATH) (which is unrelated to OAuth).
:
: Pass-code generators are available (separately) for several mobile
: platforms.
:
: These implementations support the HMAC-Based One-time Password (HOTP)
: algorithm specified in RFC 4226 and the Time-based One-time Password
: (TOTP) algorithm currently in draft.

[root@VM-4-9-centos ~]# yum install google-authenticator
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package google-authenticator.x86_64 0:1.04-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================
Package Arch Version Repository Size
============================================================================================================================
Installing:
google-authenticator x86_64 1.04-1.el7 epel 48 k

Transaction Summary
============================================================================================================================
Install 1 Package

Total download size: 48 k
Installed size: 97 k
Is this ok [y/d/N]: y
Downloading packages:
google-authenticator-1.04-1.el7.x86_64.rpm | 48 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : google-authenticator-1.04-1.el7.x86_64 1/1
Verifying : google-authenticator-1.04-1.el7.x86_64 1/1

Installed:
google-authenticator.x86_64 0:1.04-1.el7

Complete!
[root@VM-4-9-centos ~]#
[root@VM-4-9-centos ~]# google-authenticator -h
google-authenticator [<options>]
-h, --help Print this message
-c, --counter-based Set up counter-based (HOTP) verification
-t, --time-based Set up time-based (TOTP) verification
-d, --disallow-reuse Disallow reuse of previously used TOTP tokens
-D, --allow-reuse Allow reuse of previously used TOTP tokens
-f, --force Write file without first confirming with user
-l, --label=<label> Override the default label in "otpauth://" URL
-i, --issuer=<issuer> Override the default issuer in "otpauth://" URL
-q, --quiet Quiet mode
-Q, --qr-mode={NONE,ANSI,UTF8} QRCode output mode
-r, --rate-limit=N Limit logins to N per every M seconds
-R, --rate-time=M Limit logins to N per every M seconds
-u, --no-rate-limit Disable rate-limiting
-s, --secret=<file> Specify a non-standard file location
-S, --step-size=S Set interval between token refreshes
-w, --window-size=W Set window of concurrently valid codes
-W, --minimal-window Disable window of concurrently valid codes
-e, --emergency-codes=N Number of emergency codes to generate
[root@VM-4-9-centos ~]# google-authenticator -e 2

Do you want authentication tokens to be time-based (y/n) y
...
[a QR code is displayed here]
...
Your new secret key is: xxxxxxxxxxxxxxxxx
Your verification code is 869657
Your emergency scratch codes are:
14481696
53040810

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

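The three questions answered above fix three verification policies: a 30-second step, a window of permitted codes (3 by default, 17 at most, i.e. 8 steps either side) and "disallow reuse" of a token that already logged someone in. The following is an added example, not code from the original post or from the google-authenticator-libpam project: it implements RFC 4226 HOTP and RFC 6238 TOTP code generation and a small server-side verifier that models those three policies. The `TotpVerifier` class, its parameter names and the `used_steps` bookkeeping are this example's own simplification of the PAM module's behaviour; the secret in the usage lines is the RFC 4226/6238 test-vector key (`12345678901234567890`), not a real one.

```python
# Added example (not from the original post): RFC 4226/6238 code generation plus
# a verifier that models the google-authenticator choices: step size, skew
# window measured in codes, and rejection of a token that was already used.
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check with a skew window and optional single-use enforcement.

    window_size counts codes, like the google-authenticator prompt: 3 means the
    previous, current and next step; 17 means 8 steps on either side.
    This is a simplified model of the PAM module, not its actual algorithm.
    """

    def __init__(self, secret_b32: str, window_size: int = 3, step: int = 30,
                 disallow_reuse: bool = True):
        if window_size < 1 or window_size % 2 == 0:
            raise ValueError("window_size must be an odd number of codes")
        # The secret is stored base32-encoded; re-add padding in case it was stripped.
        padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
        self.secret = base64.b32decode(padded)
        self.step = step
        self.half_window = window_size // 2
        self.disallow_reuse = disallow_reuse
        self.used_steps = set()  # time steps whose code already logged someone in

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for delta in range(-self.half_window, self.half_window + 1):
            candidate = now_step + delta
            if candidate < 0:
                continue  # no valid counter before the epoch
            expected = hotp(self.secret, candidate)
            # Constant-time comparison so the check does not leak matching digits.
            if hmac.compare_digest(expected, code):
                if self.disallow_reuse and candidate in self.used_steps:
                    return False  # same token presented a second time
                self.used_steps.add(candidate)
                return True
        return False


if __name__ == "__main__":
    # Constructed usage with the RFC test-vector secret, not a real key.
    secret_b32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of "12345678901234567890"
    v = TotpVerifier(secret_b32, window_size=3)
    print("T=59 code:", totp(v.secret, 59))          # 287082 per RFC 6238
    print("accept once:", v.verify("287082", 59))    # True
    print("replay later:", v.verify("287082", 70))   # False, token already used
```

The default window of 3 codes tolerates about 30 seconds of clock skew; widening it to 17 buys 4 minutes of tolerance at the price of 17 codes being acceptable at any moment, which is why the post's author keeps the default and enables rate limiting instead.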
[root@VM-4-9-centos ~]# rpm -ql `rpm -qf /bin/google-authenticator`
/usr/bin/google-authenticator
/usr/lib64/security/pam_google_authenticator.la
/usr/lib64/security/pam_google_authenticator.so
/usr/share/doc/google-authenticator-1.04
/usr/share/doc/google-authenticator-1.04/CONTRIBUTING.md
/usr/share/doc/google-authenticator/FILEFORMAT
/usr/share/doc/google-authenticator/README.md
/usr/share/doc/google-authenticator/totp.html
/usr/share/licenses/google-authenticator-1.04
/usr/share/licenses/google-authenticator-1.04/LICENSE
/usr/share/man/man1/google-authenticator.1.gz
/usr/share/man/man8/pam_google_authenticator.8.gz

If the shared library is not found under /usr/lib64/security, create a symlink to it:
[root@test ~]# ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so

[root@test ~]# vim /etc/pam.d/sshd
auth required pam_google_authenticator.so no_increment_hotp
[root@test ~]# vim /etc/ssh/sshd_config
...
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
[root@test ~]# systemctl restart sshd
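A pitfall with the sshd_config edit above: sshd keeps the first value it reads for a keyword and ignores later duplicates, keywords are case-insensitive, and a stock config often already contains an explicit `ChallengeResponseAuthentication no` higher up, so appending `yes` at the end silently changes nothing. The following is an added example, not code from the original post or from OpenSSH: a small audit of an sshd_config text for the three settings the post enables, using those first-occurrence-wins semantics. It stops reading at the first `Match` block (a simplification; conditional blocks are not evaluated), and the two sample configs are constructed for this example.

```python
# Added example (not from the original post): audit sshd_config text for the
# three settings the post enables, honouring sshd's first-value-wins rule.
import re

# Keyword -> value the post sets (keywords compared lower-case).
REQUIRED = {
    "challengeresponseauthentication": "yes",  # lets PAM send the OTP prompt (keyboard-interactive)
    "usepam": "yes",
    "passwordauthentication": "yes",
}


def effective_settings(config_text: str) -> dict:
    """Return the values sshd would use: first occurrence wins, '=' or whitespace separators."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # simplification: settings inside Match blocks are conditional, not evaluated here
        if key in settings:
            continue  # later duplicates are ignored by sshd
        settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_sshd_config(config_text: str) -> list:
    """List the required settings that are missing or carry a different value."""
    settings = effective_settings(config_text)
    problems = []
    for key, wanted in REQUIRED.items():
        have = settings.get(key)
        if have is None:
            problems.append(f"{key}: not set (sshd default applies)")
        elif have.lower() != wanted:
            problems.append(f"{key}: is '{have}', expected '{wanted}'")
    return problems


# Constructed sample: stock values first, the post's setting appended at the end.
SAMPLE_BAD = """\
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes

# appended later, but sshd already took the first value above
ChallengeResponseAuthentication yes
"""

# Constructed sample: the stock line was edited in place, as it should be.
SAMPLE_GOOD = """\
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication = yes
UsePAM yes
Match User backup
    PasswordAuthentication no
"""


if __name__ == "__main__":
    print("bad config:", audit_sshd_config(SAMPLE_BAD))    # one finding
    print("good config:", audit_sshd_config(SAMPLE_GOOD))  # []
```

Run it against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())` before restarting sshd; an empty list means the three values are the ones sshd will actually apply. Keep a second session open while restarting, since a PAM stack that fails to load locks out new logins.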