Secure Your Linux Server with Google Authenticator Two-Factor Authentication: A Complete Guide

This guide walks you through installing PAM modules, generating Google Authenticator codes, configuring SSH and sudo for two-factor authentication, setting up Fail2ban to block brute-force attempts, and recovering from lockouts, providing all commands and configuration steps for a hardened Linux server.

Open Source Linux

Two-factor authentication (2FA) is a widely used security measure that adds a one‑time verification code to the login process, effectively preventing account compromise even if passwords are leaked.

1 Install PAM module

# Sync time with NTP server
ntpdate pool.ntp.org

# Ubuntu
sudo apt install -y libpam-google-authenticator

# CentOS 7
yum install -y epel-release
yum install -y google-authenticator

2 Generate 2FA code

# Generate the secret and QR code (run as the user that needs 2FA)
# -t: use time-based codes (TOTP)
# -f: write ~/.google_authenticator without prompting
# -d: disallow reuse of a code that has already been accepted
# -w 3: accept a window of 3 codes (the current one plus one before and one after) to tolerate clock skew
# -e 10: generate 10 emergency scratch codes
# -r 3 -R 30: rate limit – at most 3 login attempts per 30 seconds
google-authenticator -t -f -d -w 3 -e 10 -r 3 -R 30

Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/vagrant@vagrant?secret=KZ7QPA11115XTQJQGBFWAIUJBY&issuer=vagrant

Your new secret key is: KZ7xxx7EI5123xxx123
Your verification code is: 90xx71
Your emergency scratch codes are:
1571xx03
9968xx56
2319xx89
8321xx97
9730xx15
3424xx23
5667xx03
9408xx86
7502xx41
4677xx14

3 Configure SSH to enable 2FA

# Edit PAM configuration for SSH
sudo vim /etc/pam.d/sshd
# Add the following line so the SSH PAM stack requires a verification code
# (password authentication itself is disabled in sshd_config below)
auth required pam_google_authenticator.so

# Edit SSH daemon configuration
sudo vim /etc/ssh/sshd_config
Port 1090
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

# Restart SSH service
sudo systemctl restart ssh.service

4 Configure sudo to require 2FA

# Edit common authentication PAM file
sudo vim /etc/pam.d/common-auth
auth required pam_google_authenticator.so

# Restart SSH (to apply changes)
sudo systemctl restart ssh.service

5 Install Google Authenticator on your phone

1. Scan the QR code generated in step 2 with the Google Authenticator app.
2. Use the app to obtain the dynamic verification code each time you log in to the server.

6 Use Fail2ban to block repeated password attempts

# Install Fail2ban
sudo apt install -y fail2ban

# Create/modify jail.local
vim /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 86400
findtime = 600
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s

[sshd]
enabled = true
filter  = sshd
port    = 1090
action  = %(action_mwl)s
# /var/log/secure is the CentOS location; Ubuntu writes SSH auth logs to /var/log/auth.log
logpath = /var/log/secure

# Restart Fail2ban service
systemctl restart fail2ban

7 Recover from 2FA lockout

# Disable 2FA for a specific user (if the authenticator app is unavailable)
sudo vim /etc/ssh/sshd_config
# Change authentication methods back to publickey only
# before:
AuthenticationMethods publickey,keyboard-interactive
# after:
AuthenticationMethods publickey

# Restart SSH service
sudo systemctl restart ssh.service
Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
