You can enable 2FA/TOTP on a VPS by following the instructions in this guide. Let’s address the “what” and “why” first in order to lay the groundwork for a more secure and resilient virtual environment before getting into the “how.”
What Is 2FA/TOTP?
Two-factor authentication (2FA) is a security procedure that goes above and beyond password verification. It usually involves two things: something you possess (like a mobile device) and something you know (like a password).
Time-based One-Time Passwords (TOTP) are a particular type of 2FA in which a new one-time code is generated at a fixed interval, typically every 30 seconds, adding a time-sensitive component to the authentication procedure.
Why Do You Use 2FA/TOTP On Your VPS?
There are many possible risks in the digital world, and VPS servers are no exception. Turning on 2FA/TOTP greatly improves the security posture of your server. Passwords by themselves are vulnerable to phishing and brute-force attacks; by adding a second layer of authentication you strengthen your defenses against unauthorized access and lower the likelihood of data breaches and compromises.
Prerequisites
Make sure you have the following setup requirements before attempting to enable Two-Factor Authentication (2FA) with Time-based One-Time Passwords (TOTP) on your Virtual Private Server (VPS).
1. VPS Access
You need administrative access to your VPS and an SSH connection to your server in order to put security measures in place. Make sure you possess the authorization and rights required to modify configurations. If you are not the administrator, work with the individual or group in charge of managing the VPS.
Not sure whether you are root, or what “root” is? No problem! We have you covered with “A Practical Guide to Superuser Accounts, sudo & root”.
2. PuTTY – A Reliable SSH Client
Secure Shell (SSH) is the key protocol for securely accessing and managing your virtual private server (VPS). On Windows you can download PuTTY, a popular and trustworthy SSH client. Whichever SSH client you use, make sure it is set up and ready to connect to your VPS.
Setting Up SSH Key Authentication
Secure your Virtual Private Server (VPS) by configuring SSH Key Authentication first. Please see our current guide on “How to Use SSH Keys with Your Server” for a comprehensive walkthrough on configuring SSH Key Authentication. After setting up SSH Key Authentication, come back here to proceed with configuring Two-Factor Authentication (2FA) on your VPS using Time-based One-Time Passwords (TOTP).
Installing and Configuring TOTP on Your VPS
After implementing SSH Key Authentication, we can move forward with setting up and installing Time-based One-Time Passwords (TOTP) to enhance security on your VPS.
Installing Required Packages to Enable TOTP
Installing the required packages to enable TOTP comes first. The precise commands depend on the operating system of your VPS; consult the package manager documentation for your system.
Example commands for a Debian-based system:
sudo apt-get update
sudo apt-get install libpam-google-authenticator
Configuring TOTP for SSH
Once the required packages are installed, configure TOTP for SSH.
Edit the SSH daemon configuration file, usually located at `/etc/ssh/sshd_config`.
Ensure the following lines are present:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Save the changes and restart the SSH service:
sudo service ssh restart
Securing Your SSH Configuration
To enhance security, disable password authentication for SSH.
Open the SSH configuration file again and set:
PasswordAuthentication no
Restart the SSH service to apply the changes.
sudo service ssh restart
Setting Up TOTP on Your Mobile Device
Now, let us configure the Time-based One-Time Passwords (TOTP) on your mobile device. This step ensures a seamless and secure authentication process for accessing your Virtual Private Server (VPS).
Installing a TOTP Authenticator App
Begin by installing a TOTP Authenticator app on your mobile device. Google Authenticator is a popular choice, but alternatives like Authy or Microsoft Authenticator work just as well. Visit your device’s app store (Android or iOS), then download and install the app.
Adding Your VPS to the Authenticator App
1. Open the TOTP Authenticator app.
2. Tap on the option to add a new account or scan a barcode.
3. On your VPS, logged in as the user who will be using 2FA, run the following command to generate a QR code for the TOTP setup:
google-authenticator
4. Scan the QR code with your TOTP Authenticator app or manually enter the provided key.
Generating and Saving Backup Codes
Ensure you create and store backup codes as a precaution. In the unlikely event that you misplace your mobile device, these codes let you log in. The emergency backup codes are shown during step 3 of the setup process; keep them somewhere safe, such as a physical backup or a password manager.
Once you’ve configured TOTP on your phone, your VPS will only allow access to users who can authenticate with their SSH keys and a time-sensitive code from your authenticator app. This greatly increases server security.
Testing TOTP Authentication
Before finishing the setup, it is crucial to verify that TOTP authentication actually works. Test from a second terminal while keeping your current SSH session open, so that a misconfiguration cannot lock you out. When you SSH into your virtual private server (VPS), you should be authenticated with your SSH key and then prompted for the TOTP code that your authenticator app produced.
ssh your_username@your_vps_ip
If the login succeeds, you have configured Time-based One-Time Passwords on your VPS.
To complete the implementation and further secure your server, move on to the following steps.
Enforcing 2FA/TOTP
After setting up Time-based One-Time Passwords (TOTP), it is time to make sure your VPS enforces Two-Factor Authentication (2FA), so that access to your server requires both SSH key authentication and the TOTP code your mobile device generates.
Modifying SSH Configuration
Open your SSH configuration file, typically located at `/etc/ssh/sshd_config`.
Make sure the following settings are configured:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
Save the changes and restart the SSH service:
sudo service ssh restart
These settings ensure that SSH requires both public key authentication and the TOTP challenge.
Disabling Password Authentication
To strengthen security further, disable password authentication entirely.
Confirm that the following line is present in your SSH configuration file:
PasswordAuthentication no
Again, restart the SSH service to apply the changes.
sudo service ssh restart
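Both configuration passages (the initial setup and the enforcement pass above) ask for the same sshd directives, and the easy way to get them wrong is to grep for a line instead of checking what sshd actually resolves. The following is an added example, not from the guide: a small audit over constructed sshd_config, drop-in and /etc/pam.d/sshd samples, which also covers the PAM line the guide does not show (assumed Debian layout).

```python
import fnmatch
import re

# Added example, not from the guide: check the sshd and PAM state the guide asks for,
# resolved the way sshd does it: the FIRST value read for a keyword wins and Include is
# expanded in place, so a cloud drop-in saying "PasswordAuthentication yes" beats the
# main file's "no". Constructed sample files follow (not from a real host).
MAIN_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
UsePAM yes
"""
DROP_INS = {"/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n"}
# The guide omits the PAM step: this /etc/pam.d/sshd line (Debian layout) enables the
# module; common-auth is commented out so PAM does not also ask for the password.
PAM_SSHD = "auth required pam_google_authenticator.so\n#@include common-auth\n"
# UsePAM is not in the guide, but keyboard-interactive needs it to reach PAM at all.
REQUIRED = {"passwordauthentication": "no", "challengeresponseauthentication": "yes",
            "authenticationmethods": "publickey,keyboard-interactive", "usepam": "yes"}
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}  # newer OpenSSH name


def effective_settings(text, includes):
    """{keyword: value} as sshd resolves it: case-insensitive keywords, first match wins,
    Include globs expanded in place in sorted name order (Match blocks not modelled)."""
    settings = {}
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.strip(), maxsplit=1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = ALIASES.get(parts[0].lower(), parts[0].lower()), parts[1].strip()
        if key == "include":
            for path in sorted(p for p in includes if fnmatch.fnmatch(p, value)):
                for k, v in effective_settings(includes[path], includes).items():
                    settings.setdefault(k, v)
        else:
            settings.setdefault(key, value)
    return settings


def audit(sshd_config, includes, pam_sshd):
    """Every deviation from the guide's target state; an empty list means compliant."""
    eff = effective_settings(sshd_config, includes)
    findings = [f"{k} is {eff.get(k, '<unset>')!r}, expected {v!r}"
                for k, v in REQUIRED.items() if eff.get(k) != v]
    if not re.search(r"^\s*auth\s+required\s+pam_google_authenticator\.so", pam_sshd, re.M):
        findings.append("pam_google_authenticator.so is not enabled in /etc/pam.d/sshd")
    if re.search(r"^\s*@include\s+common-auth", pam_sshd, re.M):
        findings.append("common-auth still included: PAM will also prompt for the password")
    return findings
```

On a live host, `sudo sshd -T` prints the fully resolved configuration (Include expanded, first-match rule applied), which is the authoritative output to compare against.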
Adjusting Security Group/Firewall Rules
Make sure the port required for SSH (typically port 22) is open if your VPS is protected by a firewall or security group. TOTP itself uses no network port, but the codes are time-based, so also make sure the server can reach an NTP time source (typically UDP port 123) to keep its clock synchronized. As necessary, modify these rules to conform to the unique configuration of your server.
After making these changes, your VPS requires a Time-based One-Time Password as the second factor, greatly strengthening the security posture of your server. Test access using the SSH key and the TOTP code to make sure the authentication process succeeds.
Conclusion
Now that we’ve covered how to enable Two-Factor Authentication (2FA) on your Virtual Private Server (VPS) using Time-based One-Time Passwords (TOTP), let’s review the advantages and discuss some last ideas for boosting server security.
Recap of the Benefits of Enabling 2FA/TOTP
Your VPS will be well defended against potential security threats and unauthorized access once you enable 2FA/TOTP. Combining the dynamic nature of TOTP with SSH key authentication builds a multi-layered security approach. The advantages include:
- Enhanced Security: Two layers of authentication significantly reduce the risk of unauthorized access, even if one factor is compromised.
- Protection Against Brute Force Attacks: The dynamic nature of TOTP codes makes brute force attacks more challenging to execute successfully.
- Securing Sensitive Data: If your VPS handles sensitive data or critical applications, 2FA/TOTP adds an extra shield, ensuring the integrity and confidentiality of your information.