James Kosin wrote:
(1) If you don't use SSH outside the company or school, BLOCK it completely. There are several examples of iptable rules and firewall rules for this.
Need the ssh for our vendors to sftp data to us several times a day.
(2) Keep secure passwords. This means nothing easy to guess. "password" and the like are ones to keep away from.
No problem there.
(3) Keep an EYE on your box at all times. Actually most of the time. It looks like you already are.
All parties have static IPs. So only selected IPs (using hosts.deny & hosts.allow) are allowed to access via ssh. Also, ssh is the only service open to the web. All other services are blocked on the hardware firewall as well as being disabled on the OS and IPTables level.
(4) Most distros now ship with disallowing ROOT from directly SSHing into the box. But there are also other safeguards you can do. http://www.openssh.com/
Fedora/RHEL doesn't seem to be among those distros. But thankfully, it is part of our server hardening process.
-- Regards, विवेक ज. पाटणकर (Vivek J. Patankar) Registered Linux User #374218 Fedora release 7 (Moonshine) Linux 2.6.22.1-33.fc7 x86_64 My USB drives automount! :p
