How to protect your server with Multi-Factor Authentication on AWS

Being able to easily access your cloud instances from the Public Internet is one of the most requested features from developers and system administrators. If you deploy your instances either in EC2-Classic or EC2-VPC public subnet, you can reach the machines easily by opening the 22 port to the public.
But is this a safe way to connect to your servers? NO, not really.
Usually, devops and sysadmins create a Bastion hosts in order to access any other cloud instance from the Public Internet. In this case, you will open the 22 port to the public on the bastion host Security Group and for the rest of the machines you can open the 22 port only for the Bastion host Security Group. In this way you can easily add a hop in your connection process: only Bastian Hosts have an access to your cloud instances inside AWS.
Even if a Bastian Host could be a first solution, this is not we are looking for when we are dealing with security in the cloud. In fact you can easily get your bastian host compromised by hackers and they would get access to all the machines behind this “firewall”.
Multi-Factor Authentication(MFA) is the solution we are looking for. Along with user username and password, users should enter the dynamically generated MFA code to login into cloud instances.
To setup the MFA, Google has an open source tool called Google Authenticator, which is widely covered on all the platforms for Multi-Factor Authentication (MFA) or Two-Factor Authentication(TFA).
Let me show you how to setup the MFA authentication on a Linux machine.

Setup the Google Authenticator on Linux Bastion host

To enable the MFA on the Linux Bastion host, we need to setup the Google Authenticator PAM module for the machine that you want to enable with MFA.

  1. . Linux uses PAM (Pluggable Authentication Module) to integrate the Google Authenticator MFA. So make sure that PAM and PAM-Devel packages are installed on your system. If not, please install them.
    # yum install pam.x86_64
    # yum install pam-devel.x86_64
  2. Download the latest stable release Google Authenticator source package
    # wget
  3. Unzip the package and navigate to the package directory
    # bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
    # tar -xf libpam-google-authenticator-1.0-source.tar
    # cd libpam-google-authenticator-1.0
  4. Install the package into the system
    #make install
  5. Make changes to the PAM and SSH configuration files to enable the Multi-Factor Authentication over SSH logins.
    auth       required – Add this to the /etc/pam.d/sshd
    In /etc/ssh/sshd_config, change the two parameters to yes and save it
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
    Restart the sshd service – # /etc/init.d/sshd restart
  6. Switch to the user to whom you want to enable the MFA and run the google-authenticator command. This will generate the new secret key and distribute it to the respective user
    In this example, I have used mfauser
    # su – mfauser

Setup the Google Authenticator App in Mobile Phone

Now, we need to setup the Google Authenticator App in our mobile device. You can find the Google Authenticator app in all the major mobile platforms like: Android, iOS and Windows Phone.
Here are the steps to install and configure the Google Authenticator

  1. Install the Google Authenticator from the vendor App Store. It is freely available in all the top platforms (Android, iOS and Windows Phone). In this example, I used the Windows Phone app.
    The app is available for Windows Operating system users also:
  2. Open the app and click on “+” button to add the name of the account and secret key
  3. Provide the Account name of your convenient and enter the secret key received from your administrator and click on “save” button
    It would be good, if you give the Account name as : username@machinehostname
  4. Now, you can see the new account added in your Authenticator dashboard.

Logging into the Linux server along with MFA

  1. Use SSH client to connect to the Linux server remotely using Linux/Mac native SSH client or putty from Windows
    ssh mfauser@bastionhost
  2. It will prompt for both Verification code and Password. Enter the 6-digit dynamically generated number from your mobile Google Authenticator app of this account as a verification code and then your standard password. Please enter the 6-digit number before it expires, otherwise it will generate a new number and again you have to go through entering password and then a new Verification code.ssh_login_mfa

We are done. You server access is now protected by MFA.
Important note: The Multi-Factor authentication works with only password based SSH login. If you are using any private/public key SSH session, it will ignore MFA and log you in directly. So please disable the ssh key based authentication on SSH configuration of your server.

Written by

I have strong experience on Multiple Unix/Linux flavours, LAMP Stack, Monitoring Systems, Database, NoSQL. I love to explore the new concepts/services in Cloud Computing World. I have written 4 certifications in different flavours of Linux/Unix.

Related Posts

— November 28, 2018

Two New EC2 Instance Types Announced at AWS re:Invent 2018 – Monday Night Live

Let’s look at what benefits these two new EC2 instance types offer and how these two new instances could be of benefit to you. Both of the new instance types are built on the AWS Nitro System. The AWS Nitro System improves the performance of processing in virtualized environments by...

Read more
  • AWS
  • EC2
  • re:Invent 2018
— November 21, 2018

Google Cloud Certification: Preparation and Prerequisites

Google Cloud Platform (GCP) has evolved from being a niche player to a serious competitor to Amazon Web Services and Microsoft Azure. In 2018, research firm Gartner placed Google in the Leaders quadrant in its Magic Quadrant for Cloud Infrastructure as a Service for the first time. In t...

Read more
  • AWS
  • Azure
  • Google Cloud
Khash Nakhostin
— November 13, 2018

Understanding AWS VPC Egress Filtering Methods

Security in AWS is governed by a shared responsibility model where both vendor and subscriber have various operational responsibilities. AWS assumes responsibility for the underlying infrastructure, hardware, virtualization layer, facilities, and staff while the subscriber organization ...

Read more
  • Aviatrix
  • AWS
  • VPC
— November 10, 2018

S3 FTP: Build a Reliable and Inexpensive FTP Server Using Amazon’s S3

Is it possible to create an S3 FTP file backup/transfer solution, minimizing associated file storage and capacity planning administration headache?FTP (File Transfer Protocol) is a fast and convenient way to transfer large files over the Internet. You might, at some point, have conf...

Read more
  • Amazon S3
  • AWS
— October 18, 2018

Microservices Architecture: Advantages and Drawbacks

Microservices are a way of breaking large software projects into loosely coupled modules, which communicate with each other through simple Application Programming Interfaces (APIs).Microservices have become increasingly popular over the past few years. The modular architectural style,...

Read more
  • AWS
  • Microservices
— October 2, 2018

What Are Best Practices for Tagging AWS Resources?

There are many use cases for tags, but what are the best practices for tagging AWS resources? In order for your organization to effectively manage resources (and your monthly AWS bill), you need to implement and adopt a thoughtful tagging strategy that makes sense for your business. The...

Read more
  • AWS
  • cost optimization
— September 26, 2018

How to Optimize Amazon S3 Performance

Amazon S3 is the most common storage options for many organizations, being object storage it is used for a wide variety of data types, from the smallest objects to huge datasets. All in all, Amazon S3 is a great service to store a wide scope of data types in a highly available and resil...

Read more
  • Amazon S3
  • AWS
— September 18, 2018

How to Optimize Cloud Costs with Spot Instances: New on Cloud Academy

One of the main promises of cloud computing is access to nearly endless capacity. However, it doesn’t come cheap. With the introduction of Spot Instances for Amazon Web Services’ Elastic Compute Cloud (AWS EC2) in 2009, spot instances have been a way for major cloud providers to sell sp...

Read more
  • AWS
  • Azure
  • Google Cloud
— August 23, 2018

What are the Benefits of Machine Learning in the Cloud?

A Comparison of Machine Learning Services on AWS, Azure, and Google CloudArtificial intelligence and machine learning are steadily making their way into enterprise applications in areas such as customer support, fraud detection, and business intelligence. There is every reason to beli...

Read more
  • AWS
  • Azure
  • Google Cloud
  • Machine Learning
— August 17, 2018

How to Use AWS CLI

The AWS Command Line Interface (CLI) is for managing your AWS services from a terminal session on your own client, allowing you to control and configure multiple AWS services.So you’ve been using AWS for awhile and finally feel comfortable clicking your way through all the services....

Read more
  • AWS
Albert Qian
— August 9, 2018

AWS Summit Chicago: New AWS Features Announced

Thousands of cloud practitioners descended on Chicago’s McCormick Place West last week to hear the latest updates around Amazon Web Services (AWS). While a typical hot and humid summer made its presence known outside, attendees inside basked in the comfort of air conditioning to hone th...

Read more
  • AWS
  • AWS Summits
— August 8, 2018

From Monolith to Serverless – The Evolving Cloudscape of Compute

Containers can help fragment monoliths into logical, easier to use workloads. The AWS Summit New York was held on July 17 and Cloud Academy sponsored my trip to the event. As someone who covers enterprise cloud technologies and services, the recent Amazon Web Services event was an insig...

Read more
  • AWS
  • AWS Summits
  • Containers
  • DevOps
  • serverless