My last post explained how to use Duo in order to protect your LastPass account. Now I will provide a quick run down on how to protect your Unix-variant servers with Duo out-of-band authentication. Leveraging Duo Push with autopush enabled, you can set up your 2FA experience to be less disruptive to your workflow, because it doesn't require the use of one-time passcodes.

When you are running a production critical system, maintaining a high degree of security and uptime is a necessity.

Anyone operating a steemd for the purposes of running a witness, seed node, miner, API server, etc. should ensure this additional factor of authentication is enabled if they haven't already. This provides an additional layer of security against attackers looking to exfiltrate your private keys or disrupt your service.

DISCLAIMER: Please be careful not to lock yourself out of your server. In fact, I would HIGHLY suggest that you make a backup image of your server before trying this. A lot of VPS providers have functionality built into their admin panels to do this.

Step #1: Create a Duo Unix Application

1. Login to your Duo account, or sign-up for a free account if you haven't already.



2. Go to the Applications page and click Protect an application.



3. Search for Unix application and protect it.



4. You'll see the integration keys and other information that will be needed later.

Step #2: Install Duo Unix Software

1. Login to your server via ssh.



2. Install Duo Unix dependencies. The commands pictured above are for Ubuntu; if you want to see what packages are required for other distros, look here.

3. You can install Duo Unix via a package manager on Ubuntu, RHEL, CentOS, or Debian by following the instructions for your target distro here. Otherwise if you'd like to build from source, pull the source from Duo:

wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
tar zxf duo_unix-latest.tar.gz
cd duo_unix-1.9.18

Step #3: Build Duo Unix Software (optional)

1. Complete this step if you pulled the source code in the previous step, and didn't use a package manager to install Duo Unix.

2. Run the following command in the duo_unix directory, to make Duo Unix:

./configure --with-pam --prefix=/usr && make && sudo make install

Step #4: Configure Duo Unix Software

1. Edit the configuration file located at /etc/duo/pam_duo.conf and add the keys from the application you created in the Duo Admin Panel. Also uncomment pushinfo, and set autopush = yes and prompts = 1. Note: the keys above are invalid. Never expose your actual secret key to anyone.

2. You can reference all of the config options here.

Step #5: Set up Duo to work with ssh public key authentication (optional)

1. If you're using ssh to authenticate to your servers, you'll want to take the following steps. Please note, it is always a best practice when configuring ssh to have a separate ssh connection to the server open until you verify this is working, so you don't accidentally get locked out.

2. Make sure the following options are configured in your /etc/ssh/sshd_config file. If you're using password authentication currently, you'll need to add a public key generated on your local computer to your user's authorized_keys file at ~/.ssh/authorized_keys BEFORE turning off PasswordAuthentication.

PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no




After the sshd configurations are added, restart sshd.

Step #6: Configure PAM with Duo

1. If you're using ssh, edit the PAM configuration located at /etc/pam.d/sshd to use duo_pam.so, as seen above. Distros other than Ubuntu 16.04 should refer to this documentation to determine the location of the pam configurations and .so files. If the pam_duo.so file is not located in /lib/security, you'll also need to specify the full path to the file in the PAM configuration file. If you're using passwords, you'll want to edit /etc/pam.d/common-auth instead to configure system-wide authentication. See the commands below for that. Notice that the default configuration (top line) is commented out.

# auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so

Step #7: Enroll a 2FA Device

1. Now, it's time to try it out. Open a separate terminal instance and try to log into your server the way you typically do. You should be prompted to enroll a device in Duo.



2. Follow the link, and enroll your Android or iOS device into Duo. You'll need to install the Duo Mobile app from your respective platform's official app store if you do not already have it. Otherwise, if you don't have a smartphone, make sure autopush isn't configured, so that you can use the VoIP or passcode flow instead.



3. Now try it again, this time you should have no problem accessing the service after accepting the Duo Push notification sent to your phone. Make sure you confirm this is working before you drop your remote shell, so you aren't locked out of your server!

Thank you for reading, I hope it was useful! Please leave feedback and don't hesitate to ask me any questions you have in the comment section if you run into a problem.

Until next time,

#security #steemit #mining #witnesses #how-to #duo #unix #2FA #linux #ubuntu #debian #centos #sysadmin