Secure your SUDO command

As sudo is the key to your entire system, you should consider securing it by requiring both your password and a 2FA one-time code. We use the Google Authenticator PAM module for this.


Why and how to harden a server

Use a PAM module to add two-factor authentication when logging into servers via SSH, OpenVPN, etc.

  • What if your network is compromised and an attacker gets access to your PC?
  • What if somebody breaks into your server and gains root through sudo?
  • How do you make sudo secure with 2FA?

Install libpam-google-authenticator

sudo apt update && sudo apt-get install libpam-google-authenticator

You should also seriously consider installing Fail2ban (see below).

Activate libpam-google-authenticator

  1. Issue the command google-authenticator; you get a series of question prompts.
  2. Prompt: Do you want authentication tokens to be time-based (y/n), answer y
  3. Scan the QR code with your app (FreeOTP, Google/MS Authenticator) and enter the code it shows at Code from app: <from your app>
  4. If you get a Code confirmed prompt, all is good.
  5. Save the codes (see "Save your codes" below).
  6. Let the tool update your configuration file: Do you want me to update..., answer y
    1. Do you want to disallow multiple uses ..., answer y
    2. By default, a new token is generated...
      Do you want to do so?, answer n, provided your NTP time synchronization is working as it should
    3. If the computer that you are logged into...
      Do you want to enable rate-limiting? (y/n), answer y
    4. Enable it for sudo by editing the file /etc/pam.d/sudo (see "Activate TOTP for sudo" below).

Note that at this point you still only need your password to edit that file.

$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
generated_QR_code_here
Your new secret key is: ZVZG5UZU4D7MY4DH
Your verification code is 269371
Your emergency scratch codes are:
  70058954
  97277505
  99684896
  56514332
  82717798

Do you want me to update your "/home/username/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into is not hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Console output example
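As an added illustration (not part of the original post and not the PAM module's own code), the following Python reproduces what the prompts above configure: RFC 6238 TOTP generation for a base32 secret like the one printed by google-authenticator, the skew window of one 30-second step before and after the current one (the default 1:30 window), and the "disallow multiple uses" replay check. The RFC 6238 test key is embedded for checking; the class and function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme pam_google_authenticator uses."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)          # time step as 8-byte big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Verifier modelled on the google-authenticator prompts: accept codes from
    `skew` steps before/after now (skew=1 is the default 1:30 window) and, with
    disallow_reuse, let each time step be consumed only once (replay check)."""

    def __init__(self, secret_b32: str, skew: int = 1, disallow_reuse: bool = True, step: int = 30):
        self.secret = secret_b32
        self.skew = skew
        self.disallow_reuse = disallow_reuse
        self.step = step
        self.used_steps = set()  # the PAM module persists this in ~/.google_authenticator

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for t in range(base - self.skew, base + self.skew + 1):
            if hmac.compare_digest(totp(self.secret, t * self.step, self.step), code):
                if self.disallow_reuse:
                    if t in self.used_steps:
                        return False          # same token presented twice: rejected
                    self.used_steps.add(t)
                return True
        return False


# Test key from RFC 6238 Appendix B (ASCII "12345678901234567890"), base32-encoded.
RFC6238_TEST_KEY = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # Constructed example secret in the same format google-authenticator prints.
    print("current code:", totp("ZVZG5UZU4D7MY4DH", int(time.time())))
```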

Save your codes

There are a few items you need to put into secure storage (such as the pass password manager or a separate USB stick), or print from the screen and keep as a paper copy.

  • The OTP URI, starting with otpauth://totp/<user@node><token>
  • The new secret key: <a long string>
  • The scratch codes, 5 single-use codes.
    • Use them to log in and deactivate the module if you lose access to your OTP app.

Activate TOTP for sudo

  1. Enable 2FA for sudo by editing the file /etc/pam.d/sudo, e.g. sudo nano /etc/pam.d/sudo
    1. Add the following line: auth required pam_google_authenticator.so

Test for success

Log out and then log in and issue any sudo command e.g. sudo ls.
Now you should be asked for both password and TOTP.

⚠️
For highest security, make sure that both password and one-time code are being requested, even if password and/or one-time code are incorrect. This means that at least the first of pam_unix.so (or whatever other module is used to verify passwords) and pam_google_authenticator.so should be set as required, not requisite.

Install Fail2ban

Brute force protection for any Linux system, highly recommended.

sudo apt-get update && sudo apt-get install fail2ban

Start and enable fail2ban

sudo systemctl enable fail2ban.service
sudo systemctl restart fail2ban.service

Check for success

systemctl status fail2ban.service

The SSH jail is activated by default, but you need to check its settings, and add a jail for every other service on that server you want protected.

Uninstall libpam-google-authenticator

The package

sudo apt-get remove libpam-google-authenticator

The package and its dependencies

sudo apt-get -y autoremove libpam-google-authenticator

The package configuration and data

sudo apt-get -y purge libpam-google-authenticator

Remove the app, configuration, data, and all of its dependencies

sudo apt-get -y autoremove --purge libpam-google-authenticator


References

Google Authenticator PAM module [1]
Proxmox Security – Fail2ban [2]

  1. Google Authenticator PAM module: GitHub, man page, Arch Wiki
  2. See my other blog posts: Proxmox Security – Fail2ban and Stop Brute Force Attacks