Liva PC as SSH bastion host w/Duo 2 factor auth

Chuckleb

Moderator
Mar 5, 2013
1,017
331
83
Minnesota
I've been rebuilding my home servers/storage and am mostly done. As part of this, I decided to move my SSH external server off of my main file server onto something low power and easy-to-use.

Background:
I used to ssh in and hop right onto the fileserver... wasn't too much of a problem since I had ssh keys and throttling, but I got annoyed by the number of attacks filling my logs. There are other ports open for other services, but those are to dedicated VMs and relatively secured off.

Possible Solutions:
There were two choices, either a) create a VM and have that be the host, or b) set up a low-powered computer. We voted at work and everyone agreed that option B was ideal for one reason, it's standalone so if my VMs or fileserver died, I can still get in to troubleshoot or do other things.

I had a spare LivaPC that could run Ubuntu so it got wiped and reconfigured. There's just a local account, (could also export read-only NFS to keep ssh keys in sync...) and I threw it behind Duo Security Two-Factor authentication as they have a free plan for up to 10 accounts. Duo is nicer than Google Auth because when you connect in, you are presented with multiple authentication options, including a push-to-phone. This pops up a dialog that you hit OK for and you're in, the auth token goes back to the login session. This is instead of a random string of characters from the other auth systems. I think you can set up multiple devices and have the list of options be even longer for convenience. The Duo install is about 5 steps that you cut and paste.


So after configuring the firewall to the new system, done. New bastion host, less risk, and a nice 2FA system in place. Duo is nice as it can integrate into other applications pretty easily as well if I ever wanted to throw more behind it. In addition, 10 users is more than enough for this simple task.

Just a fun story.
 

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
1,266
428
83
I've never been much of a fan of external authentication systems; presumably this needs to contact something on the internet for it to work?

[Offtopic]
Some tips for people who want to put an SSH host on t'internet and also don't want to have fifty hojillion flibibytes of logs from intrusion attempts:
  • Firstly, don't if you can avoid it. Require either a VPN (IPSec or L2TP on the router/firewall are the easiest to deal with IMHO and clients are widespread) connection or port knocking before an external user can access the SSH port. Personally if I'm putting an SSH port on the internet it'll always be behind a port-knock (doddle to set up in debian via knockd), although it's not terribly user-friendly for connecting many users.
  • Alternatively, run it on a non-default port. Simplistic and annoying I know, but stops 90% of all the automated script kiddie nonsense.
  • Use an automatic log analysis tool such as fail2ban or denyhosts. This'll scan your logs for failed entry attempts and automatically add the source IPs to the firewall block list.
  • Disable password-based auth altogether if at all possible and rely on SSH keys instead. Better still, you can implement poor man's 2FA by fiddling with sshd's AuthenticationMethods directive:
Code:
Match User effrafaxofwug
    AuthenticationMethods publickey,keyboard-interactive
This means I'll need to provide both my SSH pubkey first (something I have) and the password to my account second (something I know).
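An added example, not part of the post above or of OpenSSH: a small audit that works out which AuthenticationMethods value applies to a user and flags any alternative satisfiable with a single method. The function names and the sample config are constructed for illustration; only `Match User` and `Match all` are evaluated, and distinct method names are used as a rough proxy for distinct factors.

```python
import fnmatch

# Constructed sample config; the first Match block is the one from the post.
SAMPLE_CONFIG = """\
PasswordAuthentication no
AuthenticationMethods publickey

Match User effrafaxofwug
    AuthenticationMethods publickey,keyboard-interactive

Match User backup*
    AuthenticationMethods publickey publickey,password
"""

def effective_auth_methods(config_text, user):
    """Return the AuthenticationMethods lists sshd would apply to `user`.

    Assumption: only `Match User <patterns>` and `Match all` are evaluated,
    without negated patterns; other Match criteria count as not matching.
    """
    global_val = match_val = None
    in_match = applies = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "match":
            in_match = True
            crit = [a.lower() for a in args[:1]]
            applies = crit == ["all"] or (
                crit == ["user"] and len(args) == 2
                and any(fnmatch.fnmatchcase(user, p) for p in args[1].split(",")))
        elif key == "authenticationmethods":
            if not in_match and global_val is None:
                global_val = args          # first global value wins
            elif in_match and applies and match_val is None:
                match_val = args           # first matching block wins
    # A matching Match block overrides the global value; unset means "any".
    chosen = match_val or global_val or ["any"]
    return [alt.split(",") for alt in chosen]

def single_factor_paths(config_text, user):
    """Alternatives that admit `user` with fewer than two distinct methods."""
    weak = []
    for methods in effective_auth_methods(config_text, user):
        kinds = {m.split(":", 1)[0] for m in methods}  # drop ":pam"-style suffix
        if len(kinds) < 2:
            weak.append(",".join(methods))
    return weak
```

On a live host, `sshd -T -C user=NAME` prints the effective configuration for a given user and is the authoritative check.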
 

Chuckleb

I agree, disable outward-facing SSHd if possible, though it's nice to have. I do the VPN route as well and did the key-based model, but got tired of it. So many things are token-based these days that I decided to try it out and since we use Duo at work, this was an easy one to configure. It's configurable for it to not use 2FA for specific IPs (internal range, etc). I figured that not many have used that versus Google Auth and it offers some interesting features that Google doesn't. Do you end up carrying your ssh key on a USB stick then?