How to install Two Factor Authentication for ClearOS

Within a few minutes of your ClearOS instance being on a public IP, there will be a flood of attempts to compromise it. So you should use a very strong password. Even better is to set up Two Factor Authentication.

Two-factor authentication (2FA) for Webconfig strengthens access security by requiring two methods to verify a user's identity. Before granting access to resources available via Webconfig, a user will be sent a random code after their username and password credentials have been verified. Failure to provide the correct code within a pre-determined window of time will result in access denial. 2FA for Webconfig can be enabled for root login or any user account.

This protects the ClearOS admin panel (Webconfig). Once you are logged in, you can use the Dynamic Firewall to temporarily permit access to other apps (SSH, VPN, etc)


From the Marketplace

Install from web interface (in the System section), like all the other apps.


2FA for Webconfig on a ClearOS 7
yum --enablerepo=clearos-updates-testing,clearos-contribs-testing install app-two-factor-auth

Once installed, find the relevant admin panel and configure for your needs.

The information about the configuration is at /etc/clearos/two_factor_auth.conf (useful if you can't log in via the ClearOS admin panel because you are not receiving the emails)

Sending to more than one email

If you need to add more than one email address (which is typical for the root account, just create a redirect ( rootmfa at example.org -> joe at example.org and jane at example.org and use mail forwarding.

About SMS text messages

You can also forward emails to SMS but be aware that SMS-based two-step verification is no longer recommended by NIST