This guide will walk you through the process of how to enable 2FA/TOTP on a VPS on your VPS. Before we delve into the ‘how,’ let us address the ‘what’ and ‘why’ to set the stage for a more secure and resilient virtual environment.
What is 2FA/TOTP?
Two-factor authentication (2FA) is a security process that adds an additional layer of verification beyond just a password. Typically, it involves something you know (like a password) and something you have (like a mobile device). Time-based One-Time Passwords (TOTP) represent a specific form of 2FA where a unique password is generated at regular intervals, usually 30 seconds, providing a dynamic and time-sensitive element to the authentication process.
Why Enable 2FA/TOTP on Your VPS?
The digital landscape is full of potential threats, and VPS servers are no exception. Enabling 2FA/TOTP on your VPS enhances your server’s security posture significantly. Passwords alone are susceptible to various attacks, such as brute force and phishing. By introducing a second layer of authentication, you fortify your defense against unauthorized access, reducing the risk of data breaches and potential compromises.
If you want to learn more about securing your VPS, check out our guide “Free Tools to Monitor & Test the Security of Your Server or VPS”.
Prerequisites
Before embarking on the journey to enable Two-Factor Authentication (2FA) with Time-based One-Time Passwords (TOTP) on your Virtual Private Server (VPS), ensure that you have the following prerequisites in place.
VPS Access
To implement security measures, you must establish a connection to your server via SSH and have administrative access to your VPS. Ensure that you have the necessary credentials and permissions to make configuration changes. If you are not the administrator, coordinate with the person or team responsible for VPS management.
Not sure if you are the root – or what a “root” is? No problem! We got you covered with “A Practical Guide to Superuser Accounts, sudo & root”.
PuTTY – A Reliable SSH Client
Secure Shell (SSH) is a fundamental protocol for accessing and managing your VPS securely. PuTTY is a widely used and reliable SSH client for Windows, which you can download from PuTTY Downloads(https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html).
If you are using a different SSH client, make sure it is configured and ready for connecting to your VPS.
Setting Up SSH Key Authentication
Configuring SSH Key Authentication is the first step in securing your Virtual Private Server (VPS). For a detailed guide on how to set up SSH Key Authentication, please refer to our existing guide on “How to Use SSH Keys with Your Server”.
Once you have completed the SSH Key Authentication setup, return here to continue with the process of enabling Two-Factor Authentication (2FA) with Time-based One-Time Passwords (TOTP) on your VPS.
Installing and Configuring TOTP on Your VPS
Now that SSH Key Authentication is in place, let us proceed with the installation and configuration of Time-based One-Time Passwords (TOTP) for an added layer of security on your VPS.
Installing Required Packages to Enable TOTP
Begin by installing the necessary packages to enable TOTP. The exact commands may vary based on your VPS’s operating system. Refer to your system’s package manager documentation for guidance.
Example commands for a Debian-based system:
sudo apt-get updatesudo apt-get install libpam-google-authenticatorConfiguring TOTP for SSH
Once the required packages are installed, configure TOTP for SSH. Edit the SSH daemon configuration file, usually located at `/etc/ssh/sshd_config`, and ensure the following lines are present:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactiveSave the changes and restart the SSH service:
sudo service ssh restartSecuring Your SSH Configuration
To enhance security, disable password authentication for SSH. Open the SSH configuration file again and set:
PasswordAuthentication noRestart the SSH service to apply the changes.
sudo service ssh restartSetting Up TOTP on Your Mobile Device
Now, let us configure the Time-based One-Time Passwords (TOTP) on your mobile device. This step ensures a seamless and secure authentication process for accessing your Virtual Private Server (VPS).
Installing a TOTP Authenticator App
Begin by installing a TOTP Authenticator app on your mobile device. Google Authenticator is a popular choice, but alternatives like Authy or Microsoft Authenticator work just as well. Visit your device’s app store:
Apps for Android:
– Authy
Apps for iOS:
– Authy
Download and install the app.
Adding Your VPS to the Authenticator App
1. Open the TOTP Authenticator app.
2. Tap on the option to add a new account or scan a barcode.
3. On your VPS, run the following command to generate a QR code for the TOTP setup:
google-authenticator
4. Scan the QR code with your TOTP Authenticator app or manually enter the provided key.
Generating and Saving Backup Codes
As a precaution, generate and save backup codes. These codes act as a failsafe in case you lose access to your mobile device. During the setup process (step 3), you will be prompted to generate backup codes. Save these codes in a secure location, such as a password manager or a physical backup.
With TOTP set up on your mobile device, your VPS now requires both SSH key authentication and a time-sensitive code from your authenticator app for access, significantly enhancing the security of your server.
Testing TOTP Authentication
Before concluding the setup, it is particularly important to test TOTP authentication to confirm its effectiveness. Attempt to SSH into your VPS, and you should be prompted for both your SSH key and the TOTP generated by your authenticator app.
ssh your_username@your_vps_ip If successful, you have successfully configured Time-based One-Time Passwords on your VPS. Now proceed to the next steps to finalize the implementation and secure your server further.
Enforcing 2FA/TOTP
Now that Time-based One-Time Passwords (TOTP) are configured, it is time to enforce Two-Factor Authentication (2FA) on your VPS. This ensures that accessing your server requires both SSH key authentication and the dynamic TOTP generated by your mobile device.
Modifying SSH Configuration
Open your SSH configuration file, typically located at `/etc/ssh/sshd_config`, and make sure the following settings are configured:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication noSave the changes and restart the SSH service:
sudo service ssh restartThese settings ensure that SSH requires both public key authentication and the TOTP challenge.
Disabling Password Authentication
To strengthen security further, disable password authentication entirely. Confirm that the following line is present in your SSH configuration file:
PasswordAuthentication no Again, restart the SSH service to apply the changes.
sudo service ssh restart Adjusting Security Group/Firewall Rules
If your VPS is behind a firewall or security group, ensure that the necessary ports for SSH (typically port 22) are open. Additionally, confirm that the security group or firewall allows traffic for the chosen TOTP port (often UDP port 123). Adjust these rules as needed to align with your server’s specific setup.
With these edits, your VPS is now enforcing Two-Factor Authentication with Time-based One-Time Passwords, significantly enhancing the security posture of your server. Ensure successful authentication by testing access with both the SSH key and TOTP requirements.
Conclusion
As we conclude this guide on enabling Two-Factor Authentication (2FA) with Time-based One-Time Passwords (TOTP) on your Virtual Private Server (VPS), let us recap the benefits and consider some concluding thoughts on enhancing the security of your server.
Recap of the Benefits of Enabling 2FA/TOTP
Enabling 2FA/TOTP on your VPS provides a robust defense against unauthorized access and potential security threats. By combining SSH key authentication with the dynamic element of TOTP, you have created a multi-layered security approach. The benefits include:
- Enhanced Security: Two layers of authentication significantly reduce the risk of unauthorized access, even if one factor is compromised.
- Protection Against Brute Force Attacks: The dynamic nature of TOTP codes makes brute force attacks more challenging to execute successfully.
- Securing Sensitive Data: If your VPS handles sensitive data or critical applications, 2FA/TOTP adds an extra shield, ensuring the integrity and confidentiality of your information.