Shulou(Shulou.com)06/02 Report--

Background

When the Linux server connects remotely through ssh, if the user name + password authentication method is used, in case the password is leaked or the password is cracked by li, the security of the server will not be guaranteed. As a result, Google's dynamic authentication password can be used to add another security door to the server. At this point, even if the user's password is compromised, it is impossible to log on to the server without a dynamic authentication password.

Environment

OS:CentOS7

Software package: google-authenticator.x86_64

An Android phone (a meter)

Download and use Google dynamic password from Baidu

Operation steps

1. One-click installation script

# install epelyum install-y epel-release.noarch & > / dev/nullyum makecache & > / dev/null# install google authenticatoryum install-y google-authenticator.x86_64 & > / dev/nullecho-e "\ 033 [31mDo you want me to update your" / root/.google_authenticator "file? (YPO) y "echo-e"\ 033 [31m] do you want me to update your "/ root/.google_authenticator" file (YPO)? \ 033 [0m "echo-e"\ 033 [31mDo you want to disallow multiple uses of the same authentication "echo-e"\ 033 [31mtoken? This restricts you to one login about every 30s, but it increases "echo-e"\ 033 [31myour chances to notice or even prevent man-in-the-middle attacks (yzone) y "echo-e"\ 033 [31m do you want to prohibit the use of the same authentication token multiple times? This limits the time you log in to about 30 seconds per login, but it increases the likelihood of finding or even preventing middlemen from attacking ji.\ 033 [0m "echo-e"\ 033 [31mBy default, a new token is generated every 30 seconds by the mobile app. "echo-e"\ 033 [31mIn order to compensate for possible time-skew between the client and the server, "echo-e"\ 033 [31mwe allow an extra token before and after the current time. This allows for a "echo-e"\ 033 [31mtime skew of up to 30 seconds between authentication server and client. If you "echo-e"\ 033 [31mexperience problems with poor time synchronization, you can increase the window "echo-e"\ 033 [31mfrom its default size of 3 permitted codes (one previous code, the current "echo-e"\ 033 [31mcode, the next code) to 17 permitted codes (the 8 previous codes, the current "echo-e"\ 033 [31mcode, and the 8 next codes). This will permit for a time skew of up to 4 minutes "echo-e"\ 033 [31mbetween client and server. "echo-e"\ 033 [31mDo you want to do so? (YBO) y "echo-e"\ 033 [31m by default, tokens remain valid for 30 seconds; to compensate for the possible lag between client and server,\ 033 [0m "echo-e"\ 033 [31m we allow an additional token around the current time. If you have problems with time synchronization, you can increase the window from the default 3 passable CAPTCHA to 17 passable CAPTCHA,\ 033 [0m "echo-e"\ 033 [31m] which will allow the time difference between the client and the server to increase to 4 minutes. Do you want to do this?\ 033 [0m "echo-e"\ 033 [31mIf the computer that you are logging into isn't hardened against brute-force "echo-e"\ 033 [31mlogin attempts, you can enable rate-limiting for the authentication module. "echo-e"\ 033 [31mBy default, this limits attackers to no more than 3 login attempts every 30s. "echo-e"\ 033 [31mDo you want to enable rate-limiting? (YBO) y "echo-e"\ 033 [31m if the computer on which you are logged in is not hardened to prevent login attempts using brute force, the authentication module\ 033 [0m "echo-e"\ 033 [31m) can be enabled to limit the number of attempts. By default, this limits ji attackers to only three attempts to log in every 30 seconds. Do you want to enable the limit on the number of attempts?\ 033 [0m "echo-e"\ 033 [32m search Google Authenticator in App Store for App installation\ 033 [0m "expect

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.