In this section, we will learn how to secure your SSH connection with MFA using the Google Authenticator app.
Before we start, go ahead and download the Google Authenticator app to your mobile device.
After you have downloaded and installed the Google Authenticator app on your mobile device, go to your Linux server and install the google-authenticator PAM module by typing this command:
swarm@swarm3:~$ sudo apt install libpam-google-authenticator
Reading package lists... Done
Building dependency tree
Reading state information... Done
libpam-google-authenticator is already the newest version (20191231-2).
0 upgraded, 0 newly installed, 0 to remove and 75 not upgraded
After the installation completes, type the following command:
Follow the instructions and scan the barcode with the Google Authenticator app on your mobile device.
You can answer yes to every question you encounter while setting up the Google Authenticator app.
After completion, save the emergency scratch codes in a secure location; you will need them if you lose your phone.
You can repeat this process for every user on your Linux server.
Now we need to enable "ChallengeResponseAuthentication" in the sshd config file.
swarm@swarm3:~$ sudo vi /etc/ssh/sshd_config
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
Don't forget to save the file by pressing :wq
Restart the SSH service:
swarm@swarm3:~$ sudo systemctl restart ssh
The final step is to add the google authentication module to the PAM ssh config file:
swarm@swarm3:~$ sudo vi /etc/pam.d/sshd
Add this line to the end of the config file and save the file:
auth required pam_google_authenticator.so
That's it; now you can SSH to your server using Google Authenticator.
Verification code: Enter the code shown in the Google Authenticator app on your mobile device.
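As an added example (not part of this tutorial), a small POSIX shell audit that checks the two settings this section edits, so you can confirm from a second session that the second factor is really enforced before closing the one you are in. It runs here against constructed sample files; on a server you would pass /etc/ssh/sshd_config and /etc/pam.d/sshd.

```shell
#!/bin/sh
# Audit the two files the MFA setup edits. On a real server:
#   check_ssh_mfa /etc/ssh/sshd_config /etc/pam.d/sshd
# Returns 0 when both settings are present, 1 when either is missing.
check_ssh_mfa() {
    sshd_conf=$1
    pam_conf=$2
    status=0
    # Only an uncommented line counts; sshd keywords are case-insensitive, hence -i.
    if grep -Eiq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes' "$sshd_conf"; then
        echo "OK   $sshd_conf: ChallengeResponseAuthentication yes"
    else
        echo "FAIL $sshd_conf: ChallengeResponseAuthentication is not enabled"
        status=1
    fi
    # The module must be 'required': with 'sufficient' a wrong code would fall
    # through to the rest of the stack instead of blocking the login.
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_conf"; then
        echo "OK   $pam_conf: pam_google_authenticator.so is required"
    else
        echo "FAIL $pam_conf: 'auth required pam_google_authenticator.so' is missing"
        status=1
    fi
    return $status
}

# Constructed sample files (not taken from a real server) so the audit can be
# exercised stand-alone: one correctly edited pair, and one where the sshd
# line was left commented out and the PAM line was never added.
sample=$(mktemp -d)
printf '# Change to yes to enable challenge-response passwords\nChallengeResponseAuthentication yes\n' > "$sample/sshd_good"
printf '# Change to yes to enable challenge-response passwords\n#ChallengeResponseAuthentication yes\n' > "$sample/sshd_bad"
printf '@include common-auth\nauth required pam_google_authenticator.so\n' > "$sample/pam_good"
printf '@include common-auth\n' > "$sample/pam_bad"

check_ssh_mfa "$sample/sshd_good" "$sample/pam_good" && echo "sample 1: MFA enforced"
check_ssh_mfa "$sample/sshd_bad" "$sample/pam_bad" || echo "sample 2: MFA NOT enforced"
```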
Remotely Connect to Linux Servers with SSH key-pairs
SSH: Authentication with Key-pairs
On your client machine:
Create an SSH key pair using the command ssh-keygen.
It will create 2 files (private key and public key) in the .ssh folder.
[menit@fedora .ssh]$ ls
It is recommended that you use a passphrase to encrypt your private key.
[menit@fedora .ssh]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/menit/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/menit/.ssh/id_rsa
Your public key has been saved in /home/menit/.ssh/id_rsa.pub
The key fingerprint is:
The key's randomart image is:
| .. |
| . o . |
| += .o |
| +++=o* |
| + =So* * |
| o o..B.+ o |
| . . .o= B . |
| . +E..X . |
| oB+o.+ |
How to deploy your public key to your managed servers.
To connect to your Linux servers using SSH keys, you will need to transfer the public key to your remote servers.
There are 2 methods to transfer the public key to your server.
The first method is to install the public key from your own host onto your remote server using this command:
This command will create the .ssh folder and a file named authorized_keys on the remote host and append the public key to that file.
Secure MySQL by changing the default password for the MySQL root user:
Enter current password for root (enter for none): Press Enter
Set root password? [Y/n]: Y
New password: <Enter root DB password>
Re-enter new password: <Repeat root DB password>
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]: Y
Reload privilege tables now? [Y/n]: Y
Once the database server is installed, you need to create a database for the Zabbix user:
c. Create initial database
Run the following on your database host.
Don't forget to change the password before you copy this code.
mysql -uroot -p
mysql> create database zabbix character set utf8 collate utf8_bin;
mysql> create user zabbix@localhost identified by 'password';
mysql> grant all privileges on zabbix.* to zabbix@localhost;
Import Zabbix Server database schema
zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p zabbix
d. Configure the database for Zabbix server
Edit file /etc/zabbix/zabbix_server.conf
e. Configure PHP for Zabbix frontend
Edit the file /etc/php-fpm.d/zabbix.conf, uncomment the timezone setting and set it to the right timezone for you.
In Bucket name, enter a DNS-compliant name for your bucket. The bucket name must:
Be unique across all of Amazon S3.
Be between 3 and 63 characters long.
Not contain uppercase characters.
Start with a lowercase letter or number.
After you create the bucket, you can't change its name. For information about naming buckets, see Rules for bucket naming in the Amazon Simple Storage Service Developer Guide.
Important: Avoid including sensitive information, such as account numbers, in the bucket name. The bucket name is visible in the URLs that point to the objects in the bucket.
In Region, choose the AWS Region where you want the bucket to reside. Choose a Region close to you to minimize latency and costs and address regulatory requirements. Objects stored in a Region never leave that Region unless you explicitly transfer them to another Region. For a list of Amazon S3 AWS Regions, see AWS service endpoints in the Amazon Web Services General Reference.
In Bucket settings for Block Public Access, choose the Block Public Access settings that you want to apply to the bucket. (Please leave all settings enabled.)
After you have successfully created the bucket, open it and create a Home folder; inside the Home folder, create 2 more folders, one named Devops and the second IT.
Choose Policies, and then choose Create Policy. If a Get Started button appears, choose it, and then choose Create Policy.
On the Create policy page, select the JSON tab and paste this code. (Don't forget to change <Bucketname> and <YourpublicIP> in the JSON to your actual bucket name and the public IP you are connecting from.)
Click Review Policy, give the policy a name, and click Create Policy.
[root@itansible ~]# usermod -aG wheel ansible
[root@itansible ~]# sudo su - ansible
[ansible@itansible ~]$ id ansible
uid=1001(ansible) gid=1001(ansible) groups=1001(ansible),10(wheel)
[ansible@itansible ~]$ sudo visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
ansible ALL=(ALL) NOPASSWD: ALL
ec2-user ALL=(ALL) NOPASSWD: ALL
Log back in as your ansible user and create an SSH key pair.
[ansible@itansible ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ansible/.ssh/id_rsa):
/home/ansible/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): ******
Configure Linux Managed Hosts:
Create a user named ansible and set its password.
Copy the SSH public key from the Ansible master to the managed hosts.
# On the managed host, switch to the ansible user
Type the command: cd .ssh/
# Create the authorized_keys file
# Go to the Ansible master and copy the public key:
cat ~/.ssh/id_rsa.pub [select and copy to your clipboard]
# SSH into the Ansible managed hosts and append the contents to the authorized_keys file:
[paste your clipboard contents into the authorized_keys file]
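The manual key deployment just described (and the first method from the SSH key-pair section earlier) as a small POSIX shell function, added here as an example rather than taken from the tutorial: it appends the key only once and sets the permissions sshd checks under StrictModes. The home directory and key line it runs against are constructed placeholders.

```shell
#!/bin/sh
# Append a public key to a user's authorized_keys, idempotently, with the
# permissions sshd expects under StrictModes (700 on ~/.ssh, 600 on the file).
# Usage: install_pubkey <home_dir> "<public key line>"
install_pubkey() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"
    # -x matches whole lines, -F treats the key as a literal (it contains '+' and '/')
    if grep -qxF "$pubkey" "$auth_file"; then
        echo "already present: $auth_file"
    else
        printf '%s\n' "$pubkey" >> "$auth_file"
        echo "added to $auth_file"
    fi
}

# Number of key lines in the user's authorized_keys (used as a check).
count_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# Constructed demo: a scratch directory standing in for /home/ansible on a
# managed host, and a placeholder key line (not a real key).
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000 ansible@itansible'
install_pubkey "$demo_home" "$demo_key"
install_pubkey "$demo_home" "$demo_key"   # running it again must not add a duplicate line
```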
Give sudo permissions (Ubuntu)
ansible@ip-10-64-118-34:~$ sudo visudo
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
ansible ALL=(ALL) NOPASSWD:ALL
Configure Ansible for Linux
Log in to the Ansible master as the user ansible.
Create a linux project directory in the ansible home folder.
In the linux directory, create 2 files.
[ansible@itansible linux]$ ls
[ansible@itansible group_vars]$ vim windows
Configure Windows Managed Hosts
Configuring a Windows Server for remote management by Ansible requires a bit of work. Luckily, the Ansible team has created a PowerShell script for this. Download the script from [here] to each Windows Server you want to manage and run it as Administrator.