Traditionally, logging on to a VPS over SSH relies on nothing but a string of characters. If that password is leaked, guessed or brute-forced, the VPS is completely exposed. Security-conscious users log on with a public/private key pair instead of a password, but the drawback is that you cannot log on from a machine that does not hold your private key. Likewise, logging on to WordPress traditionally takes a single password; if it is leaked, guessed or brute-forced, the blog you worked so hard on is finished. This article describes how to use Google Authenticator to put a "physical barrier" in front of these passwords and block password attacks from the network as far as possible. It assumes you already know how Google Authenticator works.

I. Preface
Although I was taught from an early age that the operating system must have a strong password, in practice most of the pirated Windows copies of my childhood had Remote Desktop disabled by default, and the home connection always sat behind a router with no public IP address of its own. So even a computer with an empty password was not in much danger.
Later, at university, the network environment changed: a computer in the dormitory could be assigned its own public IP address and be reached directly from outside (it could even run Apache), and my Xubuntu had OpenSSH Server installed, so the password suddenly mattered a great deal. If it was not strong enough, anyone, anywhere on the Internet, could use SSH to take complete control of my computer. That is a frightening thought.
Not every computer has a public IP address that is reachable from the Internet, but a VPS certainly does. I had not realised how fragile a VPS was until one day it dawned on me: if the root password of the VPS is leaked, guessed or brute-forced, anyone can run ssh root@wzyboy.im and take complete control of my website!
It is odd that I only thought of this so late, but fortunately no sheep have been lost yet, so it is time to mend the fold. I happen to like Google Authenticator, a two-step verification tool, so I combined the two and wrote up this simple but secure tutorial. The environment assumed in this tutorial is:
- The server is a LAMP VPS running Ubuntu 11.04 amd64.
- The client is a laptop running Xubuntu 11.10 amd64.
- The authenticator is an HTC Desire Z (Vision) running Google Authenticator for Android.
II. Using Google Authenticator to secure SSH login

Install the PAM module
First, install the libpam-google-authenticator package. It is in the official Ubuntu repositories from 11.10 onwards, so on 11.10 or later

    sudo apt-get install libpam-google-authenticator

resolves the dependencies and installs it. On releases older than 11.10, or on other distributions, you must compile and install it yourself:

    sudo apt-get install libpam0g-dev libqrencode3   # the two packages it depends on; most distributions carry them
    git clone https://code.google.com/p/google-authenticator/   # fetch the source
    cd google-authenticator/libpam/
    make
    sudo make install   # compile and install the module

If you would rather not compile on Ubuntu older than 11.10 (the VPS here runs 11.04), there is a lazier route: install the binary package built for 11.10 from the official repository directly. That way libpam0g-dev is not needed; just run:

    sudo apt-get install libqrencode3   # this one is still required
    wget http://us.archive.ubuntu.com/ubuntu/pool/universe/g/google-authenticator/libpam-google-authenticator_20110413.68230188bdc7-1ubuntu1_amd64.deb   # the binary package; on a 32-bit system replace amd64 with i386
    sudo dpkg -i libpam-google-authenticator_20110413.68230188bdc7-1ubuntu1_amd64.deb   # install it
Configure Google Authenticator
The server side of Google Authenticator is now installed. What about the client? Android and iOS users can install the official Google Authenticator app for their platform; for other smartphones there are open-source implementations, which you can search for and install yourself. Users without a smartphone are out of luck for the moment. :-( Then again, you have surely used Google Authenticator before reading this article?
Google Authenticator is an open-source solution, so it works not only with Google's own website but anywhere else. The difference is that Google's website hands you a QR code to scan, whereas here you generate the account yourself.
First, switch to the user that will be logging in. If the VPS has only one user you can skip this step, but on a VPS with several users you must switch to the corresponding user before running the google-authenticator command. The output looks roughly like this:
Scan this QR code with the Google Authenticator app. You can also open the link shown above and scan the QR code that the Google Chart API generates, or type in the text key printed below the QR code by hand. Once Google Authenticator recognises the account, the authenticator is set up. Below the text key are several emergency scratch codes; keep them somewhere safe, since they let you log in if the phone is lost (each one works only once).
At this point google-authenticator is still running and nothing has been saved yet. The program asks:

    Do you want me to update your "~/.google_authenticator" file (y/n)

(whether to write the configuration to the file in your home directory). Naturally, answer y. It then asks:

    Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)

Whether to forbid reusing a code; again the natural answer is y. The next question is:

    By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)

This asks whether to widen the time tolerance so that a clock difference between phone and server does not cause authentication failures. Decide according to your situation: my Android phone keeps accurate time (it synchronises over the network), so I answer n. If the device is an Android tablet that is not connected to the Internet, answer y to avoid failures caused by clock drift. The last question is:

    If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)

This asks whether to limit the number of attempts (against brute-force attacks); answer y.

After answering, there is a new .google_authenticator file in the home directory (default permission 400). The client and the server are now ready, and you should not run google-authenticator again later: doing so generates a new secret and a new set of codes, and the phone would have to be re-enrolled.
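To make the four questions concrete, here is an added example in Python (not code from the original post or from the google-authenticator project): a small TOTP verifier that does what the PAM module is being configured to do. It assumes the layout of ~/.google_authenticator as the module writes it (base32 secret on the first line, option lines beginning with `" `, then one-shot scratch codes); the sample file text is constructed here and uses the RFC 6238 test key rather than a real secret.

```python
# Added example, not from the original post or the google-authenticator
# project: a from-scratch TOTP verifier that mirrors the four questions
# google-authenticator asks (30-second codes, the window of codes accepted
# to absorb clock skew, no reuse of a code, rate limiting) plus one-shot
# emergency scratch codes.
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # tokens are good for 30 seconds


def totp(secret_b32, counter, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a 30-second counter value."""
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32.upper() + pad)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % 10 ** digits)


class Verifier:
    def __init__(self, secret, window=3, disallow_reuse=False,
                 rate_limit=None, scratch_codes=()):
        self.secret = secret
        self.window = window              # 3 = current code +/- 1 (1:30 min)
        self.disallow_reuse = disallow_reuse
        self.rate_limit = rate_limit      # (attempts, seconds) or None
        self.scratch = set(scratch_codes)
        self.last_counter = -1            # highest counter already accepted
        self.attempts = []                # timestamps of recent attempts

    @classmethod
    def from_file(cls, text):
        """Parse the layout google-authenticator writes to ~/.google_authenticator.
        Assumption about that layout: first line is the base32 secret, lines
        starting with '" ' are options, remaining digit-only lines are scratch codes."""
        lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
        opts = dict(window=3, disallow_reuse=False, rate_limit=None)
        scratch = []
        for line in lines[1:]:
            if line.startswith('"'):
                parts = line.lstrip('" ').split()
                if parts[0] == "WINDOW_SIZE":
                    opts["window"] = int(parts[1])
                elif parts[0] == "DISALLOW_REUSE":
                    opts["disallow_reuse"] = True
                elif parts[0] == "RATE_LIMIT":
                    opts["rate_limit"] = (int(parts[1]), int(parts[2]))
            elif line.isdigit():
                scratch.append(line)
        return cls(lines[0], scratch_codes=scratch, **opts)

    def check(self, code, now):
        """Return (accepted, reason) for a code typed at Unix time `now`."""
        if self.rate_limit:
            limit, per = self.rate_limit
            self.attempts = [t for t in self.attempts if now - t < per]
            if len(self.attempts) >= limit:
                return False, "rate-limited"
            self.attempts.append(now)
        if not (code.isascii() and code.isdigit()):
            return False, "no match"
        if code in self.scratch:          # emergency code: valid exactly once
            self.scratch.discard(code)
            return True, "scratch code"
        current = now // STEP_SECONDS
        half = self.window // 2
        for counter in range(current - half, current + half + 1):
            if hmac.compare_digest(totp(self.secret, counter), code):
                if self.disallow_reuse and counter <= self.last_counter:
                    return False, "code already used"
                self.last_counter = counter
                return True, "ok"
        return False, "no match"


# Constructed sample of the file as the prompts above would write it with
# answers y/y/n/y. The secret is the RFC 6238 test key "12345678901234567890"
# in base32, not a real one; the scratch codes are made up.
SAMPLE_FILE = '''GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
'''

if __name__ == "__main__":
    v = Verifier.from_file(SAMPLE_FILE)
    secret = SAMPLE_FILE.splitlines()[0]
    print(totp(secret, 1))                       # 287082 (RFC 6238 vector, t=59)
    print(v.check(totp(secret, 0), now=59))      # (True, 'ok'): previous code, inside window
    print(v.check(totp(secret, 0), now=59))      # (False, 'code already used')
```

The window of 3 codes is why the module tolerates about 1:30 of skew; answering y to the skew question enlarges that window, which widens the guessing target for an attacker by the same amount, so keep the server on NTP instead where you can. Rate limiting counts every attempt, including ones rejected for reuse, which is what makes a 3-per-30-seconds budget meaningful against online guessing.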
Configure SSH Authentication
Google Authenticator is configured, but nothing calls it yet, so SSH has to be told to verify logins through it. Before changing anything, keep your current SSH session open and test the new configuration from a second terminal, so that a mistake does not lock you out.
Open the /etc/pam.d/sshd file and add the line

    auth required pam_google_authenticator.so

then save. Put it after the existing @include common-auth line so that sshd asks for the password first and the verification code second, as in the session below. Next, open /etc/ssh/sshd_config, find

    ChallengeResponseAuthentication no

and change it to

    ChallengeResponseAuthentication yes

then save (Ubuntu's sshd_config already has UsePAM yes, which is also required for the module to be consulted at all). Finally, run

    sudo service ssh restart

to restart the SSH service with the new configuration.
An SSH login now looks like this:

    wzyboy@vermilion:~$ ssh root@natatio
    Password: [enter the password]
    Verification code: [enter the verification code]
    Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic x86_64)

It worked.
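As an added example (Python, not code from the original post), here is a checker for the two files edited above that answers the question "will a password login actually be asked for the verification code?". It encodes two rules worth knowing when the prompt fails to appear: sshd uses the first value it sees for a keyword, so a ChallengeResponseAuthentication yes appended at the bottom of a file that still says no higher up is silently ignored, and the PAM stack is only consulted when UsePAM is yes. The file excerpts are constructed here, not copied from a real server.

```python
# Added example, not from the original post: a checker for the two files
# edited above that answers "will sshd actually prompt for the verification
# code on a password login?". Rules encoded: sshd takes the FIRST value of a
# keyword (a later duplicate is ignored), options after a Match block are
# conditional, PAM is only used when UsePAM is yes, and the module must be
# 'required' or 'requisite' in /etc/pam.d/sshd. All file contents are constructed.
import re


def sshd_option(text, keyword, default):
    """Effective value of `keyword` in an sshd_config body, lower-cased.
    sshd takes the first occurrence; keywords are case-insensitive; '#'
    starts a comment; 'Keyword value' and 'Keyword=value' are both allowed.
    Lines after a Match block apply only conditionally, so parsing stops there."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default


def pam_requires_google_authenticator(text):
    """True if a /etc/pam.d/sshd body has an active auth line that makes
    pam_google_authenticator.so mandatory (control 'required' or 'requisite';
    'sufficient', 'optional' or a commented-out line do not count)."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if (len(fields) >= 3 and fields[0] == "auth"
                and fields[1] in ("required", "requisite")
                and fields[2].endswith("pam_google_authenticator.so")):
            return True
    return False


def otp_prompted(sshd_config, pam_sshd):
    """All three conditions must hold for a password login to see the prompt."""
    return (sshd_option(sshd_config, "UsePAM", "no") == "yes"
            and sshd_option(sshd_config, "ChallengeResponseAuthentication", "yes") == "yes"
            and pam_requires_google_authenticator(pam_sshd))


# Constructed excerpts (not copied from a real server).
STOCK_SSHD = """# excerpt of a stock Ubuntu sshd_config
ChallengeResponseAuthentication no
UsePAM yes
"""
FIXED_SSHD = STOCK_SSHD.replace("ChallengeResponseAuthentication no",
                                "ChallengeResponseAuthentication yes")
TRAP_SSHD = STOCK_SSHD + ("# appended at the bottom instead of edited in place:\n"
                          "ChallengeResponseAuthentication yes\n")
STOCK_PAM = """# excerpt of /etc/pam.d/sshd
@include common-auth
account    required     pam_nologin.so
"""
FIXED_PAM = STOCK_PAM + "auth required pam_google_authenticator.so\n"

if __name__ == "__main__":
    for name, cfg, pam in [("stock", STOCK_SSHD, STOCK_PAM),
                           ("fixed", FIXED_SSHD, FIXED_PAM),
                           ("trap", TRAP_SSHD, FIXED_PAM)]:
        print(name, otp_prompted(cfg, pam))   # stock False, fixed True, trap False
```

Two things the checker makes visible: the "trap" configuration is the most common reason the prompt never shows up, and the control word matters, since an auth sufficient line would let a correct code alone log a user in instead of requiring it in addition to the password. Note also that once the line is required, every account that logs in by password needs its own ~/.google_authenticator or it is locked out; current versions of the module accept a nullok argument on that line to exempt users who have not enrolled yet.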
Of course, if you log on over SSH often, typing all this every time is tedious. Fortunately the extra step coexists with the public/private key authentication mentioned earlier, so you can set up key authentication from your desktop:

    ssh-keygen   # generate a key pair; press Enter through the prompts (skip if you already have one)
    ssh-copy-id root@example.org   # add the public key to the VPS

Now SSH from your own computer connects straight away with no password or code (sshd runs the PAM auth stack only for password and keyboard-interactive logins, so a key login never reaches pam_google_authenticator), while managing the VPS from an unfamiliar computer requires the account password plus the Google Authenticator code. An attacker on the Internet who somehow obtains or guesses the VPS password still gets nowhere without the code on your phone.
III. Using Google Authenticator to secure WordPress
Google Authenticator now protects SSH logins, but not the applications running on the server, such as WordPress. Compared with exotic attacks such as MySQL exploits, I think WordPress is far more likely to be broken into: after all, a single short password guards it. Fortunately WordPress is so widely used that plug-ins abound, and someone has written a Google Authenticator plug-in for it. Enable it as follows:
- In the WordPress admin area, search for the Google Authenticator plug-in, install it and activate it.
- On your Profile page in the admin area, under Google Authenticator Settings, tick Active, fill in Description (the name shown on the phone) and click Show/Hide QR Code.
- Scan the QR code with the Google Authenticator app to add the account, or type in the Secret by hand.
Once configured, logging on to the WordPress admin area looks like this:
Without the correct Google Authenticator code you cannot log on. You can tick Remember Me to reduce the hassle.
IV. Using Google Authenticator to secure a desktop
Section II showed how to use Authenticator on a VPS to secure SSH logins. Naturally it can also be used on a desktop computer running GNU/Linux. Installing the module and configuring the phone work exactly as on the VPS; what differs is where the module is called.
Look in the /etc/pam.d/ directory, which contains files like these:

    wzyboy@vermilion:/etc/pam.d$ ls
    atd             common-password                lightdm-autologin  ppp
    chfn            common-session                 login              samba
    chpasswd        common-session-noninteractive  newusers           sshd
    chsh            cron                           other              su
    common-account  cups                           passwd             sudo
    common-auth     lightdm                        polkit-1           xscreensaver
The file names say what they do: each controls authentication for some important operation. On the VPS we added the line auth required pam_google_authenticator.so to sshd, so Authenticator is called when logging in over SSH. Add the same line to the other files and Authenticator is called for the corresponding operation. Several of the important ones:
- lightdm. Requires the verification code when logging in through the graphical interface. The effect is as follows:
  Enter the password, then the verification code:
  Note that lightdm is the default display manager only from Ubuntu 11.10 and Xubuntu 11.10 onwards; other releases may use gdm, kdm and so on, so adjust the file name accordingly.
- xscreensaver. Requires the password and the verification code when unlocking the screen saver. The effect is as follows:
- login. Requires the verification code when logging in on a text console (such as a tty).
- passwd. Requires the verification code when changing the user's password.
- sudo. Requires a verification code when an ordinary user tries to escalate privileges to perform system operations. This suits a computer shared by several users.
Of course, if your computer runs OpenSSH Server as mine does, you can also add auth required pam_google_authenticator.so to sshd, which stops attackers from logging on to your computer from the Internet.
V. Conclusion
Compared with my earlier posts this one was written in a hurry, and the tutorial itself is not complicated; experienced Linux users can certainly manage it. So the intended readers are only those who are new to Linux VPSes, and I hope it helps them.
Please credit the source when reprinting: http://wzyboy.im/post/765.html Thank you.