[SECURITY HOW-TO] Set up Duo Unix to protect your Steem node with Out-of-Band 2FA
steem · @robrigo
<center><img src="https://duo.com/assets/img/blog/security-evolution-week-9.png" /></center>

[My last post](https://steemit.com/steemit/@robrigo/security-how-to-how-anyone-can-avoid-losing-access-to-their-steemit-account-with-lastpass-and-duo) explained how to use Duo in order to protect your LastPass account. Now I will provide a quick rundown on how to protect your Unix-variant servers with Duo out-of-band authentication. Leveraging Duo Push with autopush enabled, you can set up your 2FA experience to be less disruptive to your workflow, because it doesn't require the use of one-time passcodes.

<h4>When you are running a production critical system, maintaining a high degree of security and uptime is a necessity.</h4>

Anyone operating [steemd](https://github.com/steemit/steem) for the purposes of running a witness, seed node, miner, API server, etc. should ensure this additional factor of authentication is enabled if they haven't already. This provides an additional layer of security against attackers looking to exfiltrate your private keys or disrupt your service.

<h1><em>DISCLAIMER:</em> Please be careful not to lock yourself out of your server. In fact, I would HIGHLY suggest that you make a backup image of your server before trying this. A lot of VPS providers have functionality built into their admin panels to do this.</h1>

<h2><center>Step #1: Create a Duo Unix Application</center></h2>

<center><img src="https://www.steemimg.com/images/2016/07/29/ScreenShot2016-07-29at1.57.43PMc3bd1.png" /></center>
<ol>
<li><h3><a href="https://admin.duosecurity.com/login?next=%2F">Log in</a> to your Duo account, or <a href="https://signup.duo.com/">sign up</a> for a free account if you haven't already.</h3></li>
<center><img src="https://www.steemimg.com/images/2016/07/29/ScreenShot2016-07-29at2.08.04PM91c4d.png" /></center>
<li><h3>Go to the Applications page and click <b>Protect an application</b>.</h3></li>
<center><img src="https://www.steemimg.com/images/2016/07/29/search-for-unix7c292.png" /></center>
<li><h3>Search for the Unix application and protect it.</h3></li>
<center><img src="https://www.steemimg.com/images/2016/07/29/unix-created21bcd.png" /></center>
<li><h3>You'll see the integration keys and other information that will be needed later.</h3></li>
</ol>

<h2><center>Step #2: Install Duo Unix Software</center></h2>

<ol>
<center><img src="https://www.steemimg.com/images/2016/07/29/ScreenShot2016-07-29at2.03.34PMdddc4.png" /></center>
<li><h3>Log in to your server via ssh.</h3></li>
<center><img src="https://www.steemimg.com/images/2016/07/29/install-duo-unix-deps8d669.png" /></center>
<li><h3>Install the Duo Unix dependencies. The commands pictured above are for Ubuntu; if you want to see what packages are required for other distros, look <a href="https://duo.com/docs/duounix#installation">here</a>.</h3></li>
<li><h3>You can install Duo Unix via a package manager on Ubuntu, RHEL, CentOS, or Debian by following the instructions for your target distro <a href="https://duo.com/docs/duounix#linux-distribution-packages">here</a>. Otherwise, if you'd like to build from source, pull the source from Duo:</h3></li>
> wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
> tar zxf duo_unix-latest.tar.gz
> cd duo_unix-1.9.18
</ol>

<h2><center>Step #3: Build Duo Unix Software (optional)</center></h2>

<ol>
<li><h3>Complete this step if you pulled the source code in the previous step and didn't use a package manager to install Duo Unix.</h3></li>
<li><h3>Run the following command in the duo_unix directory to build and install Duo Unix:</h3></li>
> ./configure --with-pam --prefix=/usr && make && sudo make install
</ol>

<h2><center>Step #4: Configure Duo Unix Software</center></h2>

<ol>
<center><img src="https://www.steemimg.com/images/2016/07/29/configure-duo-unixaeb1b.png" /></center>
<li><h3>Edit the configuration file located at <em>/etc/duo/pam_duo.conf</em> and add the keys from the application you created in the Duo Admin Panel. Also uncomment <em>pushinfo</em>, and set <em>autopush = yes</em> and <em>prompts = 1</em>. Note: the keys pictured above are invalid. Never expose your actual secret key to anyone.</h3></li>
<li><h3>You can reference all of the config options <a href="https://duo.com/docs/duounix#duo-configuration-options">here</a>.</h3></li>
</ol>

<h2><center>Step #5: Set up Duo to work with ssh public key authentication (optional)</center></h2>

<ol>
<li><h3>If you're using ssh public keys to authenticate to your servers, you'll want to take the following steps. Please note, it is always a best practice when configuring ssh to keep a separate ssh connection to the server open until you verify this is working, so you don't accidentally get locked out.</h3></li>
<li><h3>Make sure the following options are configured in your <em>/etc/ssh/sshd_config</em> file. If you're currently using password authentication, you'll need to add a public key generated on your local computer to your user's authorized_keys file at <em>~/.ssh/authorized_keys</em> BEFORE turning off PasswordAuthentication.</h3></li>
> PubkeyAuthentication yes
> PasswordAuthentication no
> AuthenticationMethods publickey,keyboard-interactive
> UsePAM yes
> ChallengeResponseAuthentication yes
> UseDNS no
<center><img src="https://www.steemimg.com/images/2016/07/29/restart-ssha65e8.png" /></center>
<h3><center>After the sshd configuration changes are made, restart sshd.</center></h3>
</ol>

<h2><center>Step #6: Configure PAM with Duo</center></h2>

<ol>
<center><img src="https://www.steemimg.com/images/2016/07/29/open-pam-config5edce.png" /></center>
<li><h3>If you're using ssh, edit the PAM configuration located at <em>/etc/pam.d/sshd</em> to use pam_duo.so, as seen above. Distros other than Ubuntu 16.04 should refer to <a href="https://duo.com/docs/duounix#PAM-examples">this documentation</a> to determine the location of the PAM configurations and .so files. If the <em>pam_duo.so</em> file is not located in <em>/lib/security</em>, you'll also need to specify the full path to the file in the PAM configuration file. If you're using passwords, you'll want to edit <em>/etc/pam.d/common-auth</em> instead to configure system-wide authentication. See the lines below for that. Notice that the default configuration (top line) is commented out.</h3></li>
>\# auth [success=1 default=ignore] pam_unix.so nullok_secure
> auth requisite pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_duo.so
> auth requisite pam_deny.so
> auth required pam_permit.so
</ol>

<h2><center>Step #7: Enroll a 2FA Device</center></h2>

<ol>
<center><img src="https://www.steemimg.com/images/2016/07/29/ScreenShot2016-07-29at2.59.17PM92203.png" /></center>
<li><h3>Now it's time to try it out. Open a separate terminal instance and try to log into your server the way you typically do. You should be prompted to enroll a device in Duo.</h3></li>
<center><img src="https://www.steemimg.com/images/2016/07/29/enroll-confetti85ae6.gif" /></center>
<li><h3>Follow the link, and enroll your Android or iOS device into Duo. You'll need to install the Duo Mobile app from your platform's official app store if you do not already have it. Otherwise, if you don't have a smartphone, make sure autopush isn't configured, so that you can use the VoIP or passcode flow instead.</h3></li>
<center><img src="https://www.steemimg.com/images/2016/07/29/ScreenShot2016-07-29at3.10.09PM75398.png" /></center>
<li><h3>Now try it again; this time you should have no problem accessing the service after accepting the Duo Push notification sent to your phone. Make sure you confirm this is working before you drop your remote shell, so you aren't locked out of your server!</h3></li>
</ol>

<h3>Thank you for reading, I hope it was useful! Please leave feedback and don't hesitate to ask me any questions you have in the comment section if you run into a problem.</h3>

<h3>Until next time,</h3>

<img src="https://www.steemimg.com/images/2016/07/29/ScreenShot2016-07-29at11.37.09AMa2d22.png" />

<p>#security #steemit #mining #witnesses #how-to #duo #unix #2FA #linux #ubuntu #debian #centos #sysadmin</p>
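As an added example (not part of the original post and not Duo's own tooling), here is a small POSIX sh pre-flight script that checks the three files the steps above have you edit, before you close your spare ssh session: the sshd_config directives from Step 5, the permissions and required keys in pam_duo.conf from Step 4, and whether the PAM stack from Step 6 actually loads pam_duo.so. The function names, the scratch directory and every sample value in it are constructed for the demonstration; on a real node you would point preflight at /etc/ssh/sshd_config, /etc/duo/pam_duo.conf and /etc/pam.d/sshd (or common-auth).

```shell
#!/bin/sh
# Added example: pre-flight checks for the Duo Unix + sshd setup described above.
# Not part of the post or of Duo's software. All sample file contents below are
# constructed placeholders; the real files live at /etc/ssh/sshd_config,
# /etc/duo/pam_duo.conf and /etc/pam.d/sshd (or common-auth).

# Effective value of an sshd_config keyword in the global section.
# sshd honours the FIRST occurrence of a keyword, so the first match wins;
# keywords are case-insensitive and a "Match" block ends the global section.
sshd_value() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Verify the directives from Step 5: key auth first, then a PAM (Duo) prompt,
# and no password-only path left open.
check_sshd_config() {
    f="$1"; rc=0
    for pair in PubkeyAuthentication=yes PasswordAuthentication=no \
                AuthenticationMethods=publickey,keyboard-interactive \
                UsePAM=yes ChallengeResponseAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "sshd_config: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Verify pam_duo.conf: it holds the secret key, so it must be readable by root
# only, and ikey, skey and host (Step 4) must all be filled in.
check_pam_duo_conf() {
    f="$1"; rc=0
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "pam_duo.conf: mode $mode, expected 600" >&2; rc=1 ;;
    esac
    for key in ikey skey host; do
        val=$(awk -F= -v k="$key" '
            $0 !~ /^[ \t]*[;#]/ { a = $1; gsub(/[ \t]/, "", a)
                if (a == k) { v = $2; gsub(/[ \t]/, "", v); print v; exit } }' "$f")
        if [ -z "$val" ]; then
            echo "pam_duo.conf: $key is not set" >&2; rc=1
        fi
    done
    return $rc
}

# Verify the PAM stack (Step 6) has an uncommented auth line loading pam_duo.so.
check_pam_stack() {
    awk '$0 !~ /^[ \t]*#/ && $1 == "auth" && /pam_duo\.so/ { found = 1 }
         END { exit !found }' "$1"
}

# --- constructed sample inputs (placeholders, not real keys) -----------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/sshd_config.good" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
EOF

# Password auth still on and no AuthenticationMethods: key logins never hit PAM,
# so Duo is silently skipped for them.
cat > "$WORK/sshd_config.bad" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
EOF

cat > "$WORK/pam_duo.conf" <<'EOF'
[duo]
; placeholders: replace with the keys from the Duo Admin Panel application
ikey = DIXXXXXXXXXXXXXXXXXX
skey = SKEYPLACEHOLDERXXXXXXXXXXXXXXXXXXXXXXXXX
host = api-XXXXXXXX.duosecurity.com
pushinfo = yes
autopush = yes
prompts = 1
EOF
chmod 600 "$WORK/pam_duo.conf"

cat > "$WORK/pam_sshd" <<'EOF'
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
EOF

# Run all three checks; point these at the real paths on a server.
preflight() {
    check_sshd_config "$1" && check_pam_duo_conf "$2" && check_pam_stack "$3"
}

if preflight "$WORK/sshd_config.good" "$WORK/pam_duo.conf" "$WORK/pam_sshd"; then
    echo "pre-flight OK: now test a fresh login from a second terminal"
fi
```

The script only reads files, so it is safe to run as many times as you like while you keep the original ssh session open; a non-zero exit with a message on stderr tells you which of the three files still needs attention. One option it does not check but that matters on a node holding private keys is pam_duo.conf's failmode: with the default of safe, logins are allowed through if the Duo service cannot be reached, while secure denies them, so decide deliberately which behaviour you want.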