I set up an SSH server and a VPN server on a Raspberry Pi so I can access my home lab from outside of my home network.
The lab is on its own subnet and VLAN. I wanted to keep the lab separate from my main network for security reasons, mainly because the lab is exposed to the internet.
On the rpi that's exposed, I implemented a few security practices:
- Disabled password login
- Enabled SSH Keys
- Added 2FA authentication
- Installed Fail2Ban
- Changed the SSH port to avoid unnecessary login attempts
I enabled 2FA authentication by installing the libpam-google-authenticator package.
I then initialized it with the “google-authenticator” command. You can follow the guide on DigitalOcean linked below for a step-by-step walkthrough.
The guide is pretty straightforward for the most part.
I had to play around with the config files to get the setup I wanted.
For example, I edited /etc/pam.d/sshd and commented out the @include line to prevent being prompted for my password in addition to my SSH key.
. . .
# Standard Un*x authentication.
#@include common-auth
. . .
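An added example, not part of the original post: a small Python audit that checks whether an sshd_config and /etc/pam.d/sshd pair enforces the setup described above (password login off, SSH key plus TOTP code required, common-auth not prompting for a password). The sample file contents, the port number and the function names are constructed for illustration; Include files and Match blocks are not followed.

```python
# Constructed sample files for illustration; not the author's real configuration.
SSHD_OK = """\
Port 2222
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""
PAM_OK = """\
#@include common-auth
auth required pam_google_authenticator.so
"""

def sshd_globals(text):
    """Global options; as in sshd, the first value seen for a keyword wins."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":  # per-user/host overrides are not audited here
            break
        opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def audit(sshd_text, pam_text):
    """Return findings; an empty list means SSH key + TOTP is enforced."""
    o, findings = sshd_globals(sshd_text), []
    if o.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if o.get("usepam", "no") != "yes":
        findings.append("UsePAM is not 'yes', so the PAM TOTP module never runs")
    kbd = o.get("kbdinteractiveauthentication", o.get("challengeresponseauthentication", "yes"))
    if kbd != "yes":
        findings.append("keyboard-interactive is off, so there is no TOTP prompt")
    for alt in o.get("authenticationmethods", "any").split():
        names = [m.split(":")[0] for m in alt.split(",")]
        if "publickey" not in names or "keyboard-interactive" not in names:
            findings.append(f"AuthenticationMethods '{alt}' does not require key + TOTP")
    active = [s for s in map(str.strip, pam_text.splitlines()) if s and not s.startswith("#")]
    totp = [s for s in active if s.startswith("auth") and "pam_google_authenticator.so" in s]
    if not totp:
        findings.append("no active pam_google_authenticator.so auth line")
    if any("nullok" in s.split() for s in totp):
        findings.append("nullok lets accounts without a TOTP secret skip the code")
    if any(s.split() == ["@include", "common-auth"] for s in active):
        findings.append("common-auth is active, so a password is prompted as well")
    return findings
```

To audit the effective settings rather than a single file, pass the output of `sshd -T` as the first argument.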
Lastly, I configured port forwarding on my router at home. With port forwarding I opened a port I chose to point directly to my rpi server’s IP address.
Everything is working and I have an added layer of security using 2FA along with my SSH key.
Next up on the plate is to continue learning Python development, DevOps, and learning more.