In my previous post, I talked about enabling two-factor authentication (2FA) for my public-facing Linux host. In today’s post, I will talk about integrating the Google Authenticator PAM module with FreeRADIUS. As a result, any host that points to my RADIUS server will get the 2FA functionality.
In my old blog post, I talked about how to mitigate persistent SSH brute-force attacks. While there are several options for mitigating SSH brute-force attacks, I opted to use the Fail2Ban option at the time. Today, I’ve decided to add another security layer to the host since this is a public-facing server. This additional security layer is based on defense in depth, which is an information assurance concept. As the title says, I will be using Google Authenticator to generate a time-based one-time password (TOTP) for two-step verification.
It seems like two-factor authentication (2FA) is becoming the norm these days. More and more security professionals are pushing organizations to use 2FA for every sensitive system and application. Understandably so, because the consensus is that a password alone is no longer enough to protect accounts in this day and age. As a result, I’ve also decided to start implementing 2FA on my home devices.
In my old setup, I had three unmanaged switches and an all-in-one router (with switch and access point built in). While they worked fine, I wanted some SMB features – LACP, IEEE 802.1Q, etc. So I needed to buy some form of managed switch.
I checked for used Cisco Catalyst 3560CG switches on eBay, but they are still expensive. I also checked the used prices of Cisco SMB products, and they are also expensive for my needs. By then, I realized that I should look at other vendors.
I talked about my F5 BIG-IP LTM VE home lab in this post, but I didn’t do a walkthrough on how to configure it after deployment. In this post, you will learn the initial configuration of the BIG-IP LTM virtual appliance.
The BIG-IP LTM VE version that I am using is the 90-day trial version, so the wizard may be a little different from the newer version since this is an older version (11.3). The latest release of version 11 is 11.6, but the latest version at the time of writing is 12. I actually took two classes a few weeks ago based on version 12 at F5 Networks’ headquarters in Seattle, WA. The two classes were the following: Administering BIG-IP and Configuring BIG-IP LTM: Local Traffic Manager.
While the 90-day trial is based on 11.3 (F5 has since decided to give trial users 13.1.x), the Setup Utility wizard is pretty similar, so this guide is still relevant even when using the older version of LTM VE. I might buy the lab version, but for now this will do the job.
This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!
| Date | Post | Description |
|---|---|---|
| 03/13/16 | My Home Router – EdgeRouter Lite | Quick introduction to EdgeRouter Lite |
| 04/09/16 | Ubiquiti’s EdgeOS CLI Introduction | EdgeOS CLI primer |
| 05/01/16 | How to configure EdgeRouter Lite via CLI – Part 1 | EdgeOS configuration guide for CLI junkies |
| 12/03/16 | Hardening EdgeRouter Lite – Part 1 | Basic management hardening |
| 12/04/16 | Hardening EdgeRouter Lite – Part 2 | EdgeOS with two-factor authentication |
| 12/05/16 | Hardening EdgeRouter Lite – Part 3 | Management ACL |
| 12/06/16 | Hardening EdgeRouter Lite – Part 4 | Remote access VPN with two-factor authentication |