SSH

On the client machine(s), generate a new key

ssh-keygen -t rsa -b 4096

Copy it to the server

ssh-copy-id username@192.168.x.x

Securing SSH

sudo vim /etc/ssh/sshd_config

Change the default port

Port 2222

Disable root login

PermitRootLogin no

Disable password authentication

PasswordAuthentication no

Disable empty passwords

PermitEmptyPasswords no

Limit failed attempts

MaxAuthTries 3

Allow specific users only

AllowUsers user@192.168.1.*

Restart SSH

sudo systemctl restart ssh

Set up OTP

Install Google Authenticator PAM

sudo apt install libpam-google-authenticator -y

Execute and follow the on-screen instructions

google-authenticator

Add the PAM module to the SSH PAM configuration

sudo vim /etc/pam.d/sshd

auth required pam_google_authenticator.so

Require both the public key and the one-time code

sudo vim /etc/ssh/sshd_config

ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

Validate SSH configuration

sudo sshd -t
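
Check the effective settings

The following is an added example, not part of the original notes: a shell function that reads the output of sudo sshd -T and reports every setting that differs from the values above. The function name audit_sshd and the two sample inputs are made up for illustration.

```shell
# Added example: compare effective sshd settings with the values set on this page.
# Reads `sshd -T` style output ("keyword value" lines) on stdin, prints one
# FAIL line per deviation and returns 1 if any were found.
audit_sshd() {
    awk '
    function want(k, expected) {
        if (v[k] != expected) {
            printf "FAIL %s: got \"%s\", want \"%s\"\n", k, v[k], expected
            bad = 1
        }
    }
    # Keep the first value seen for each keyword.
    NF >= 2 { k = tolower($1); $1 = ""; sub(/^ +/, ""); if (!(k in v)) v[k] = $0 }
    END {
        want("permitrootlogin", "no")
        want("passwordauthentication", "no")
        want("permitemptypasswords", "no")
        want("usepam", "yes")
        want("authenticationmethods", "publickey,keyboard-interactive")
        if (v["port"] == "22") { print "FAIL port: still the default 22"; bad = 1 }
        if (!("maxauthtries" in v) || v["maxauthtries"] + 0 > 3) {
            print "FAIL maxauthtries: got \"" v["maxauthtries"] "\", want 3 or lower"; bad = 1
        }
        if (!("allowusers" in v)) { print "FAIL allowusers: no allow-list set"; bad = 1 }
        # Depending on the OpenSSH version, the setting written above as
        # ChallengeResponseAuthentication is reported under either name.
        if (v["kbdinteractiveauthentication"] != "yes" && v["challengeresponseauthentication"] != "yes") {
            print "FAIL keyboard-interactive authentication is not enabled"; bad = 1
        }
        exit bad + 0
    }'
}
# Constructed sample: effective settings after applying this page.
sample_hardened() {
    cat <<'EOF'
port 2222
permitrootlogin no
passwordauthentication no
permitemptypasswords no
maxauthtries 3
allowusers user@192.168.1.*
usepam yes
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive
EOF
}
# Constructed sample: same settings, but password login is still enabled.
sample_weak() { sample_hardened | sed 's/^passwordauthentication no/passwordauthentication yes/'; }
# Usage on a real host: sudo sshd -T | audit_sshd
```

sshd -T prints the configuration the daemon will actually use, including values set in any included files, so this catches a setting that was edited in sshd_config but is overridden elsewhere.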