2FA For Internet-Facing Hosts

I've got a customer that's a bit uptight at the number of SSH probes they get in a given day (the number is actually low compared to other systems I've run over the years). They don't really have the ability to simply "deny by default" and maintain whitelists. While the google-authenticator PAM module is dead-easy to set up, the customer's users often don't have access to mobile devices or things like Yubikeys when they're connecting into the systems that are giving them heartburn. Is anyone using a 2FA solution that doesn't rely on either physical tokens or mobile-device soft-tokens?

Seems like, at this point, most of my web searches say "Use the google-authenticator package from EPEL". While there seem to be some desktop soft-token apps, the free ones seem to mostly be mobile-only. Just curious what others are using and how the setup bar compares to Google Authenticator.

Responses

I have to ask, if there's no token, how is it 2FA?

How about using fail2ban to block repeated failure attempts from probers?

How about SSH keys on users' machines and no password auth at all?

While this next suggestion is totally terrible security-by-obscurity, I find internet-facing SSH probes drop to almost nothing by using a non-standard SSH port. Just keep it below 1024 so only a privileged user can listen on the port.

Not "no token", just "no token that requires a possession of mobile device for delivery".

Key-based login, by itself, is no cure-all. If someone manages to gank your key, they can impersonate you much the same way as if they got your regular credentials.

Fail2ban's value - absent the use of the recidive module - isn't appreciably better than using appropriate iptables rules.
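To make the fail2ban comparison concrete, here is a Python sketch (added here, not from the thread or from the fail2ban project) of the maxretry/findtime logic its sshd jail applies, run over a constructed sample of auth-log lines; the hostnames, IP addresses and timestamps are invented. It also shows why a short findtime misses a slow prober that a longer window (the sort of thing the recidive jail exists for) would catch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines; not a real capture.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar  3 10:00:03 host sshd[102]: Failed password for invalid user oracle from 198.51.100.7 port 41030 ssh2
Mar  3 10:00:05 host sshd[103]: Failed password for root from 198.51.100.7 port 41041 ssh2
Mar  3 10:00:09 host sshd[104]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2: RSA SHA256:abc
Mar  3 10:00:20 host sshd[105]: Failed password for bob from 203.0.113.9 port 50123 ssh2
Mar  3 10:20:00 host sshd[106]: Failed password for root from 203.0.113.9 port 50130 ssh2
Mar  3 10:40:00 host sshd[107]: Failed password for root from 203.0.113.9 port 50140 ssh2
"""

# Matches only the "Failed password" lines; successful logins are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[\d.]+) port"
)


def parse_failures(log, year=2024):
    """Return (timestamp, source_ip) for every failed password attempt.
    Syslog lines carry no year, so one is assumed (hypothetical default)."""
    events = []
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def find_offenders(events, maxretry=3, findtime=timedelta(minutes=10)):
    """Sliding-window check in the style of fail2ban's maxretry/findtime:
    an IP is flagged (with the time it crossed the line) once it has
    `maxretry` failures inside any `findtime`-long window."""
    window = defaultdict(list)
    flagged = {}
    for ts, ip in sorted(events):
        w = window[ip]
        w.append(ts)
        while w and ts - w[0] > findtime:   # drop failures outside the window
            w.pop(0)
        if len(w) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

With the defaults only the fast prober 198.51.100.7 is flagged; widening findtime to an hour also catches 203.0.113.9, which spaces its attempts twenty minutes apart.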

There's always separate hardware tokens. Not a USB YubiKey, but the little standalone device with the button and the old clock-like LCD display.

This does increase costs, as you need to supply everyone (or those who want them) with a $10~$15 hardware token, but it also meets your requirement of no phone/laptop.
