Being able to easily access your cloud instances from the Public Internet is one of the most requested features from developers and system administrators. If you deploy your instances either in EC2-Classic or EC2-VPC public subnet, you can reach the machines easily by opening the 22 port to the public. But is this a safe way to connect to your servers? NO, not really.
Usually, DevOps and sysadmins create a Bastion host in order to access any other cloud instance from the Public Internet. In this case, you will open the 22 port to the public on the Bastion host Security Group and for the rest of the machines, you can open the 22 port only for the Bastion host Security Group. In this way you can easily add a hop in your connection process: only Bastion Hosts have access to your cloud instances inside AWS.
Even if a Bastion Host could be the first solution, this is not we are looking for when we are dealing with security in the cloud. In fact, you can easily get your Bastion host compromised by hackers and they would get access to all the machines behind this “firewall”.
Multi-Factor Authentication (MFA) is the solution we are looking for. Along with user username and password, users should enter the dynamically generated MFA code to login into cloud instances.
To set up the MFA, Google has an open source tool called Google Authenticator, which is widely covered on all the platforms for Multi-Factor Authentication (MFA) or Two-Factor Authentication (TFA).
Let me show you how to set up the MFA authentication on a Linux machine.
To enable the MFA on the Linux Bastion host, we need to set up the Google Authenticator PAM module for the machine that you want to enable with MFA.
Now, we need to set up the Google Authenticator App in our mobile device. You can find the Google Authenticator app in all the major mobile platforms like Android, iOS and Windows Phone.
Here are the steps to install and configure the Google Authenticator
We are done. Your server access is now protected by MFA.
Important note: The Multi-Factor authentication works with the only password based SSH login. If you are using any private/public key SSH session, it will ignore MFA and log you indirectly. So please disable the ssh key based authentication on SSH configuration of your server.
It's Flash Sale time! Get 50% off your first year with Cloud Academy: all access to AWS, Azure, and Cloud…
In this blog post, we're going to answer some questions you might have about the new AWS Certified Data Engineer…
This is my 3rd and final post of this series ‘Navigating the Vocabulary of Gen AI’. If you would like…