3. Secure Login Server
In order to secure our other servers, we created a login server using our hardened Ubuntu template. We set up firewalls on our other servers so that only the login server could be accessed via SSH from outside machines.
Setting this up meant we needed to log in three times. This was a large pain. There is a way to make a script which helps with the login process. We found some online. You just need to use ‘ssh-keygen’ to generate keys, and copy them to the server. However, we did not set up the scripts on all of our machines. As far as automated ways to log in, we did not find any good ways to set this up, and now that I think about it, it would probably defeat the purpose of the login server if there were.
Using only a password is not safe. SSH uses passwords for authentication by default, and most SSH hardening instructions recommend using an SSH key instead. However, this is still only a single factor. If a bad actor has compromised your computer, then they can use your key to compromise your servers as well. We set up Multi-Factor Authentication for SSH. When a user enters the right password, they need to enter another six- to eight-digit one-time password. This extra password is generated via a mobile device. This means a bad actor would have to compromise multiple devices, like both your computer and your phone, to get in. Also, different users have different authentication to be safe.