This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!
| Date | Post | Summary |
|---|---|---|
| 03/13/16 | My Home Router – EdgeRouter Lite | Quick introduction to EdgeRouter Lite |
| 04/09/16 | Ubiquiti’s EdgeOS CLI Introduction | EdgeOS CLI Primer |
| 05/01/16 | How to configure EdgeRouter Lite via CLI – Part 1 | EdgeOS configuration guide for CLI junkies |
| 05/01/16 | How to configure EdgeRouter Lite via CLI – Part 2 | EdgeOS configuration guide for CLI junkies |
| 12/03/16 | Hardening EdgeRouter Lite – Part 1 | Basic management hardening |
| 12/05/16 | Hardening EdgeRouter Lite – Part 3 | Management ACL |
| 12/06/16 | Hardening EdgeRouter Lite – Part 4 | Remote Access VPN with two-factor authentication |
In the first part of this EdgeRouter Lite series, I made changes to improve the security of the management plane. In this post, I am going to offer an alternative for people who do not like, or do not want to use, public-key authentication. This means we stick with password-based authentication but add a second factor of authentication.
The use of two-factor authentication (2FA) or multi-factor authentication (MFA) has gained popularity in the past several years, because a password on its own is no longer considered a secure means of authentication. In fact, many organizations today are deploying, or have recently deployed, 2FA or MFA on their systems.
What makes 2FA or MFA more secure than the usual username and password combination? One common user behavior is reusing the same password across all accounts. This is a bad habit because it only takes one compromised system for a malicious user to gain access to the other accounts. With 2FA or MFA, even if the user reused the same password, the malicious user will not be able to gain access to other accounts without the second factor of authentication.
The three common factors of authentication are something you know (e.g. a password), something you have (e.g. a smartphone), and something you are (e.g. biometrics). In this post, we are going to combine the something-you-know and something-you-have factors in a way that works with the EdgeRouter family. All the methods discussed here have limitations, though. Hopefully, Ubiquiti will make changes in future firmware releases that remove these limitations.
If, for whatever reason, you choose not to use public-key authentication, there are other methods for securing password-based authentication. Both of them have limitations, so pick the one you feel comfortable with.
This method, installing the Google Authenticator PAM module on the router itself, is good for people who are not running RADIUS with 2FA and have no plans to for the foreseeable future. One disadvantage of this method is that it only works for SSH authentication. Managing the router via the Web UI will still use the local account without the time-based one-time password (TOTP). This is not a problem for CLI junkies, though.
Another disadvantage is that it will not survive a firmware upgrade, so you will have to redo part of the work to get the functionality back. You might be able to restore the packages by creating a script using this method. The ~/.google_authenticator file(s) will need to be backed up as well.
The first step is to switch to the root user.
The second step is optional. With this package installed, a QR code is displayed when you generate the Google Authenticator (GA) secret key, like the one here. This is convenient for users since scanning a QR code is faster than typing. If you do not want to install the package, just enter the secret key in your GA app manually.
sudo apt-get install libqrencode3
The third step is to download the Google Authenticator PAM package (libpam-google-authenticator).
The fourth step is to install the package.
dpkg -i libpam-google-authenticator_20160607-2_mips.deb
The fifth step is to exit the root shell.
The next step is to generate the secret key. Please follow this guide on how to do that; go directly to the Generating Google Authenticator Secret Key section.
The last step is to edit PAM for SSH. We need to instruct the SSH PAM stack to call the Google Authenticator PAM module when a user logs in. Use the same guide as above and scroll down to the Configuring SSH PAM section.
The previous section demonstrated the unofficial way of enabling 2FA. I say unofficial because users are required to redo the work after a firmware upgrade. While unofficial, it is still an effective way of adding another factor of authentication and thus increasing security. In this section, I am going to show you how to set up the EdgeRouter family to use RADIUS with 2FA functionality.
The advantage of this method is that we stay within the EdgeOS environment, so there is no work to redo after a firmware upgrade. Another advantage is that it can be used for the Web UI as well.
The disadvantage of this method is that the local account may still be used, meaning users may bypass the 2FA altogether. Hopefully, Ubiquiti has plans to add a command that disables local account usage while RADIUS is up and running. For now, I suggest using a strong password for the local account, storing it in a password manager app, and using it only during an emergency, like when RADIUS is down. You might also want to change the local account password periodically.
EdgeOS requires an existing local account that matches the user on your RADIUS server. Without the local user account, it will never work. As far as I can tell, this annoying behavior has been in EdgeOS for several years now, and Ubiquiti developers still have no plans to change it anytime soon, which is unfortunate.
If you do not have a RADIUS server and would like to have one, visit my blog post where I talked about FreeRADIUS with 2FA. Since I already have two FreeRADIUS servers, it was a no-brainer for me to point the EdgeRouter Lite to them. Without further delay, below are the commands to point the router to the RADIUS servers.
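As a worked example of the point made earlier about scripting the restore after a firmware upgrade, the following is an added helper that is not part of the original post, of EdgeOS or of the Google Authenticator project: it reinstalls the package from the .deb named above if dpkg no longer knows it, re-adds the module line to the SSH PAM stack, and puts the backed-up ~/.google_authenticator back with the ownership and permissions the module requires. The storage paths under /config/user-data and the file names are assumptions; the PAM line is the module's standard entry, and /etc/pam.d/sshd is assumed to be the SSH PAM file as on Debian.

```python
"""Put the Google Authenticator PAM setup back after an EdgeOS firmware upgrade.

Added example, not code from the original post or from Ubiquiti. It assumes
(constructed here): the .deb named in the post was copied to DEB_PATH on the
router's persistent /config partition, the user's ~/.google_authenticator was
backed up to BACKUP_SECRET, and the SSH PAM stack is /etc/pam.d/sshd as on
Debian. GA_PAM_LINE is the module's standard PAM entry. Run as root, passing
the login user whose secret should be restored.
"""
import os
import pwd
import shutil
import subprocess
import sys

PACKAGE = "libpam-google-authenticator"
DEB_PATH = "/config/user-data/libpam-google-authenticator_20160607-2_mips.deb"  # assumed location
BACKUP_SECRET = "/config/user-data/google_authenticator.secret"                 # assumed location
PAM_SSHD = "/etc/pam.d/sshd"
GA_PAM_LINE = "auth required pam_google_authenticator.so"


def ensure_pam_line(text: str) -> str:
    """Return the PAM file text with GA_PAM_LINE present exactly once.

    The line goes right after '@include common-auth' so the user is asked for
    the password first and the verification code second; if no such include
    exists it is appended. Re-running on an already patched file is a no-op.
    """
    lines = text.splitlines()
    if any(line.split() == GA_PAM_LINE.split() for line in lines):
        return text
    for i, line in enumerate(lines):
        if line.strip() == "@include common-auth":
            lines.insert(i + 1, GA_PAM_LINE)
            break
    else:
        lines.append(GA_PAM_LINE)
    return "\n".join(lines) + "\n"


def restore_secret(src: str, dst: str, uid: int = -1, gid: int = -1) -> bool:
    """Copy the backed-up secret into place, owner-readable only.

    pam_google_authenticator rejects a secret file that other users can read
    or that is not owned by the logging-in user, hence the chmod/chown.
    Returns False when there is no backup to restore.
    """
    if not os.path.isfile(src):
        return False
    shutil.copyfile(src, dst)
    os.chmod(dst, 0o400)
    if uid >= 0 or gid >= 0:
        os.chown(dst, uid, gid)
    return True


def package_installed(name: str = PACKAGE) -> bool:
    """True when dpkg reports the package as installed."""
    result = subprocess.run(
        ["dpkg-query", "-W", "--showformat=${Status}", name],
        capture_output=True, text=True)
    return result.returncode == 0 and "install ok installed" in result.stdout


def main(login_user: str) -> int:
    if not package_installed():
        subprocess.run(["dpkg", "-i", DEB_PATH], check=True)   # the upgrade removed it
    with open(PAM_SSHD) as f:
        current = f.read()
    updated = ensure_pam_line(current)
    if updated != current:
        with open(PAM_SSHD, "w") as f:
            f.write(updated)
    pw = pwd.getpwnam(login_user)
    dst = os.path.join(pw.pw_dir, ".google_authenticator")
    if not restore_secret(BACKUP_SECRET, dst, pw.pw_uid, pw.pw_gid):
        print("no backed-up secret at %s; run google-authenticator as %s to create one"
              % (BACKUP_SECRET, login_user), file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: restore_ga.py <login user>")
    sys.exit(main(sys.argv[1]))
```

Keep the .deb and the secret backup on the /config partition (or somewhere else that the upgrade leaves alone) before upgrading, then run the script once as root afterwards. The PAM edit is idempotent, so running it on a router that was never wiped does no harm.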
set system login radius-server 192.168.200.100 port 1812
set system login radius-server 192.168.200.100 secret supersecretkeyhere
set system login radius-server 192.168.200.200 port 1812
set system login radius-server 192.168.200.200 secret supersecretkeyhere
The last step is to commit and save the configuration by issuing the commit;save command.
Try to connect to the router over SSH without logging out of your current session. This is to make sure that you still have access to the router if something goes wrong. Remember, the password format is password + TOTP, i.e. the static password immediately followed by the TOTP code.
The methods discussed here are not perfect, but they improve the security of the network infrastructure. Remember, we are dealing with relatively inexpensive gear with enterprise features, so expect some compromises.
My recommendation is to use the public-key authentication method. If you are concerned about the machines holding the keys getting compromised, then I suggest using a management ACL. This ACL restricts which IP addresses are allowed to access the router. The next blog post will talk about how to create a management ACL.
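To make the password + TOTP format concrete, here is a server-side verifier written as an added example; it is not code from the original post, from EdgeOS or from FreeRADIUS. Since the router has no separate prompt for the code, the RADIUS server receives the whole string the user typed as the password and has to split the trailing code from the static password and check both. The TOTP part follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which is what the Google Authenticator app produces. The user name, password and salt are constructed sample values, and RFC6238_SECRET_B32 is the reference secret from RFC 6238 Appendix B, used so the expected codes are known.

```python
"""Check a "<password><TOTP>" login string the way a RADIUS back end has to.

Added example, not from the original post or from any RADIUS module. The
TOTP implementation is RFC 6238 (HOTP from RFC 4226 over a 30-second time
counter); all account data below is constructed.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"


def totp(secret_b32: str, for_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the time counter floor(for_time / step)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # GA omits base32 padding
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the static password; never store it in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TotpUser:
    """One account: static-password hash plus the shared TOTP secret."""

    def __init__(self, password: str, secret_b32: str, salt: bytes = b"constructed-salt"):
        self.salt = salt
        self.pw_hash = hash_password(password, salt)
        self.secret_b32 = secret_b32
        self.last_counter = -1          # highest time step already accepted (replay guard)

    def verify(self, submitted: str, now: int, window: int = 1) -> bool:
        """Accept "<password><6 digits>"; the code may be `window` steps old or new.

        The password is checked first; the code is then compared against the
        current step and its neighbours to absorb clock drift, and a step that
        was already used (or is older than one already used) is refused so a
        captured login string cannot be replayed within the window.
        """
        if len(submitted) <= DIGITS or not submitted[-DIGITS:].isdigit():
            return False
        password, code = submitted[:-DIGITS], submitted[-DIGITS:]
        if not hmac.compare_digest(hash_password(password, self.salt), self.pw_hash):
            return False
        current = now // STEP_SECONDS
        for counter in range(current - window, current + window + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(totp(self.secret_b32, counter * STEP_SECONDS), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo at a fixed time so the output is reproducible.
    user = TotpUser("correct horse", RFC6238_SECRET_B32)
    code = totp(RFC6238_SECRET_B32, 59)
    print("code at T=59:", code)                                   # 287082 (RFC 6238 Appendix B)
    print("login accepted:", user.verify("correct horse" + code, 59))
    print("same string again:", user.verify("correct horse" + code, 59))
```

Two details matter operationally: the split is taken from the right, so a static password that itself ends in digits still works, and the one-step window on each side tolerates the usual drift between the phone and the RADIUS server without letting a code live much longer than a minute.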