Configure multi-factor network authentication
Multi-Factor Network Authentication (GhostPorts)
Halo Multi-Factor Network Authentication, implemented by GhostPorts, is the strongest access control Halo offers for the administrative services on your servers. It removes the exposure created by attackers who continually scan your servers for open ports and then brute-force logins to the services behind them: when Multi-Factor Network Authentication is enabled, the protected ports are closed to everyone who has not authenticated, so a port scan does not reveal them.
When an administrator authenticates to GhostPorts, the protected administrative ports on the server open only for a limited time and only to the administrator's current IP address. Connection attempts from any other address during that time are still denied.
Multi-Factor Network Authentication requires both Halo login credentials and a second factor, involving a one-time password either transmitted by SMS text message to a mobile phone or generated by a hardware device inserted into the administrator's computer.
To activate this targeted access, a Halo root administrator enables GhostPorts access for one or more users and adds rules for those users to the firewall policies of the servers they need to reach. Each rule names a GhostPorts user as its source and specifies the service and port to be opened for that user.
Authentication for GhostPorts users is a simple process. The user logs into the Halo portal and authenticates to GhostPorts on the Open GhostPorts page, using either the YubiKey or an SMS code. In response, Halo temporarily opens the required ports on the required server for access from the user's current IP address. The user then connects to the server outside of Halo, for example through SSH or RDP.
Halo multi-factor network authentication provides strong protection when administrators or other users access any of your Linux or Windows servers. With multi-factor network authentication, a server administrator can have authorized, secure access from anywhere.
Multi-factor network authentication uses an SMS code transmitted to your mobile phone, or a USB device called a YubiKey® from Yubico. You can order the keys directly from Yubico.
Before you can enable multi-factor network authentication (called GhostPorts in the Halo portal) for a user, you must either know the user's mobile phone number, or obtain a YubiKey for him or her. Then use Halo to invite the user to become a GhostPorts user.
A. Invite GhostPorts users
- In the Halo portal, select Site Administration from the main menu. If the Users screen does not appear, click the Users view button.
- Create a new user or edit an existing user.
To set up an existing Halo user for GhostPorts, click the user's name in the list and edit the User Details sidebar:
To set up a new user, choose New > User.
- Specify access rights on the New User screen or User Details sidebar:
- (For new user only) Fill in the required information about the user.
- Select the user's group and role(s).
- Set up the authentication methods:
For SMS authentication:
- In the SMS Phone Number field, enter the telephone number at which the user will receive the SMS authentication codes. It must be a valid mobile phone account with text messaging enabled.
- Click Save. The user receives an email invitation to use GhostPorts.
For YubiKey authentication:
- Insert the user's YubiKey into a USB port on your computer and place your cursor in the User YubiKey field. Lightly touch the key's contact (the circle with the green light); the YubiKey types a one-time password into the field.
- Click Save. Part of the value disappears: only the first twelve characters remain in the field. These are the key's public identity, which is what Halo needs to recognize this YubiKey; the rest of the one-time password is discarded. The user receives an email invitation to use GhostPorts.
- If you are creating a new user, click Add user. If you are editing an existing user, click Save.
B. Authorize server access for GhostPorts users
- Navigate to Policies or to Policies > Policies List, filter for firewall policies if necessary, and click the name of the firewall policy used by the server group that your server administrator needs access to.
On the Policy Details sidebar, click Edit Policy Rules.
- On the Edit Firewall Policy page, create a new Inbound rule with these settings:
- Interface (Linux only): the network interface on which the rule applies, for example eth0. This is not the service port; the service (such as SSH) is set under Service below.
- Source: Under GhostPorts Users, select the name of the GhostPorts user.
- Service: Enter the service to be protected (such as "SSH" for Linux, "RDP" for Windows).
- Conn. State(s) (Linux only): "ANY"
- Action: "ACCEPT"
- Click Save to update the policy.
Now only that user can reach the protected service, only from the IP address used to authenticate, and only for a limited time after logging into GhostPorts. Check the rest of the policy before relying on this: the restriction holds only if no other rule accepts the same service from a broader source, and the policy's default inbound action drops traffic that matches no rule.
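The behaviour the rule above produces, worked through as an added example for this guide (a constructed model, not CloudPassage Halo code): an inbound rule list evaluated top to bottom with a default-drop policy, plus a rule whose source is a GhostPorts user. That rule matches only while the user has an open GhostPorts session, only from the IP address the session was opened from, and only until the four-hour window closes. The user name, the TEST-NET addresses and the policy layouts are assumptions chosen for illustration; the second policy shows the caveat above, a broader ACCEPT rule that makes the GhostPorts rule irrelevant.

```python
"""Model of a GhostPorts-style rule inside an ordered firewall policy.

Constructed illustration for this guide, not Halo code. Rules are checked in
order; the first rule whose service and source match decides; nothing
matching falls through to the policy default.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

SESSION_LIFETIME = 4 * 3600   # seconds; the guide says the ports close after four hours
T0 = 1_700_000_000.0          # arbitrary "now" used by the walkthrough (assumption)


@dataclass(frozen=True)
class Rule:
    """One inbound rule. Set source_cidr or ghostports_user, not both;
    neither set means 'any source'."""
    service_port: int                       # 22 = SSH, 3389 = RDP
    action: str                             # "ACCEPT" or "DROP"
    source_cidr: Optional[str] = None       # e.g. "198.51.100.0/24"
    ghostports_user: Optional[str] = None   # matches only this user's open session


@dataclass
class Session:
    source_ip: str      # address the user authenticated from
    opened_at: float    # time of the successful second-factor login


class Firewall:
    def __init__(self, rules: List[Rule], default_action: str = "DROP"):
        self.rules = rules
        self.default_action = default_action
        self.sessions: Dict[str, Session] = {}

    def open_ghostports(self, user: str, source_ip: str, now: float) -> None:
        """Successful GhostPorts login: remember who, from where, and when."""
        self.sessions[user] = Session(source_ip, now)

    def _session_matches(self, user: str, src_ip: str, now: float) -> bool:
        s = self.sessions.get(user)
        if s is None:                                   # user never authenticated
            return False
        if s.source_ip != src_ip:                       # a different machine than the one that logged in
            return False
        return now - s.opened_at < SESSION_LIFETIME     # window closed after four hours

    def evaluate(self, src_ip: str, dst_port: int, now: float) -> str:
        """Decision for one inbound connection attempt."""
        for rule in self.rules:
            if rule.service_port != dst_port:
                continue
            if rule.ghostports_user is not None:
                if not self._session_matches(rule.ghostports_user, src_ip, now):
                    continue
            elif rule.source_cidr is not None:
                if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source_cidr):
                    continue
            return rule.action
        return self.default_action


def ghostports_policy() -> Firewall:
    """SSH reachable only through alice's GhostPorts session; default DROP."""
    return Firewall([Rule(22, "ACCEPT", ghostports_user="alice")])


def weak_policy() -> Firewall:
    """Same GhostPorts rule followed by an ACCEPT of SSH from anywhere. The
    broad rule catches every connection the GhostPorts rule declines, so the
    second factor protects nothing."""
    return Firewall([
        Rule(22, "ACCEPT", ghostports_user="alice"),
        Rule(22, "ACCEPT"),
    ])


def walkthrough() -> Dict[str, str]:
    """Decisions at the moments the guide describes (TEST-NET-3 addresses)."""
    admin, other = "203.0.113.10", "203.0.113.77"
    fw = ghostports_policy()
    out = {"before_auth": fw.evaluate(admin, 22, T0)}
    fw.open_ghostports("alice", admin, T0 + 60)
    out["admin_after_auth"] = fw.evaluate(admin, 22, T0 + 120)
    out["other_ip_after_auth"] = fw.evaluate(other, 22, T0 + 120)
    out["admin_after_expiry"] = fw.evaluate(admin, 22, T0 + 60 + SESSION_LIFETIME)
    out["weak_policy_no_auth"] = weak_policy().evaluate(other, 22, T0)
    return out


if __name__ == "__main__":
    for label, decision in walkthrough().items():
        print(f"{label:22s} {decision}")
```

Run it and the last line shows the point of the caveat: with the broad rule present, an address that never authenticated is accepted on port 22 just the same.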
C. Use multi-factor network authentication to connect to a server
- Prepare for authentication (do this only once):
- For SMS authentication: Log into the Halo portal and follow the instructions to verify your authentication phone number. For detailed instructions, see Verify Your Phone Number (for SMS Authentication).
- For YubiKey authentication: Obtain your activated YubiKey device from your administrator.
- Log into the Halo portal and go to the Open GhostPorts page.
- Authenticate to GhostPorts:
For SMS authentication—
- Click Send Authentication Code to instruct Halo to send the one-time password to your phone.
- When you receive the code on your phone, enter it into the Authentication Code field on the GhostPorts page, then click Submit.
Within a few minutes, the protected ports on your server will be open to connections from this computer's current IP address for the session window (four hours).
For YubiKey authentication—
- Insert your YubiKey into a USB port on your computer, then place your cursor in the blank field on the GhostPorts login page.
- Lightly touch the top of the key (the green-centered light) for about one second. Do not press any other key on your keyboard.
The YubiKey types its one-time password into the field. Within a few minutes, the protected ports on your server will be open to connections from this computer's current IP address for the session window (four hours).
After you have authenticated successfully, the GhostPorts page displays a confirmation.
- From the same computer, open an SSH session (Linux) or launch RDP (Windows), and log into your cloud server as you normally do.
GhostPorts automatically closes the protected ports after four hours. Because the ports are opened only for the IP address you authenticated from, your connection will also fail if that address changes (for example, when you move to a different network) until you authenticate again.
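A client-side check for the procedure above, added here as an example (standard-library Python, not part of Halo or its documentation): a single TCP connect attempt classified the way a port scanner would report it. Before you authenticate, a protected port should come back as filtered (no reply at all); a few minutes after authenticating, from the same machine, it should be open. A result of closed means the host answered with a reset, so the port is visible to a scanner even though nothing accepts the connection, which is not the "invisible" state the guide describes. The loopback listener exists only so the probe can be exercised offline; the host, port and timeout values are assumptions.

```python
"""Probe a GhostPorts-protected port from the client and interpret the result.

Added example for this guide, not Halo code. Uses only the standard library.
"""
import socket
import threading
from typing import Tuple

# What each probe outcome means for a port that GhostPorts is supposed to hide.
MEANING = {
    "open":        "handshake completed; the port accepts connections",
    "filtered":    "no reply before the timeout; packets are dropped and a scanner "
                   "cannot tell the port exists",
    "closed":      "RST received; the host answers, so a scanner sees the port even "
                   "though nothing is accepting connections",
    "unreachable": "routing or address error before any packet reached the host",
}


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect attempt as open / filtered / closed / unreachable."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:            # SYN unanswered: what a DROP rule looks like
        return "filtered"
    except ConnectionRefusedError:    # host replied with RST
        return "closed"
    except OSError:                   # ENETUNREACH, EHOSTUNREACH, bad address, ...
        return "unreachable"
    finally:
        sock.close()


def check(host: str, port: int, authenticated: bool, timeout: float = 3.0) -> Tuple[bool, str]:
    """Compare the probe with what GhostPorts should produce in each phase:
    'filtered' before you authenticate, 'open' a few minutes afterwards."""
    state = probe(host, port, timeout)
    expected = "open" if authenticated else "filtered"
    ok = state == expected
    verdict = "OK" if ok else "UNEXPECTED"
    return ok, f"{verdict}: {host}:{port} is {state} ({MEANING[state]}); expected {expected}"


# --- offline fixtures so the probe can be exercised without a real server ----

def start_local_listener() -> int:
    """Throwaway TCP listener on 127.0.0.1; returns the port it chose."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_local_port() -> int:
    """A loopback port with no listener, so a probe is refused ('closed')."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Against a real server: check(server_ip, 22, authenticated=False) before
    # logging into GhostPorts, then check(server_ip, 22, authenticated=True) after.
    print(check("127.0.0.1", start_local_listener(), authenticated=True)[1])
    print(check("127.0.0.1", unused_local_port(), authenticated=False)[1])
```

The second line of the demo deliberately reports UNEXPECTED: a loopback port with no listener is closed, not filtered, which is exactly the distinction to watch for when you probe a server that GhostPorts is meant to hide.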