
[cobalt-security] My SSH practices
As a followup to the recent SSH/root-login thread, I thought I'd share my
RaQ's SSH setup in case somebody else wants to borrow an idea.  These
probably aren't unique practices, but I figure we might just see one fewer
site on the Attrition mirror.

First of all, there are a couple "Locking down a RedHat installation"
documents on the Web.  URLs don't come to mind, but I think they're PDFs.
I read them, and followed a lot of their advice.

The server runs two SSH daemons (same program, different config file).  My
RaQ's hosting provider can use just public-key authentication to SSH to the
normal port, 22.  That's fine, since exactly two people in their
organization have access to the private key.  The second daemon runs on
another port, and requires both a password and public-key authentication.
I used AllowUsers and DenyUsers in the config file to allow logins from
only 'root', and the second daemon allows only my account (not 'admin').  

I have fully disabled both FTP and telnet daemons, in favor of using SFTP
and SSH, respectively.  My only beef with SFTP is that when I upload a
file, it sets its perms to 600, forcing me to do a manual chmod.  This is a
relatively minor issue, and I haven't troubleshot it yet.  I'm running the
commercial SSH daemon from ssh.com, with their Windows SFTP client.
Perhaps I'll look into CuteFTP Pro, as someone else pointed out.

--------------------------------------------------------------------------
Ted Behling, Web Application Developer - Monarch Information Systems, Inc.

43 Folly Field Road, Unit 4, Hilton Head Island, SC 29928-5434
E-mail: mailto:TBehling@xxxxxxxxxxxxx
Phone/Fax: 1-800-842-7894    Local or Outside the USA: 1-843-842-7894
Cell Phone (urgent issues): 843-816-7895
Cell Phone E-mail: mailto:TedPhone@xxxxxxxxxxxxx (116 letter limit)
Web site: http://www.MonarchIS.net
--------------------------------------------------------------------------
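The two-daemon layout described in the post (a key-only daemon on port 22 for the provider, and a second daemon on another port that demands both a key and a password, each with its own AllowUsers list) is easy to get subtly wrong when the two config files drift apart. The following audit script is an added example, not part of the original post or of the ssh.com product the author ran; it is written for OpenSSH sshd_config syntax, where "key and password" is expressed with AuthenticationMethods. The port 2222, the user name "ted" and the two embedded config texts are constructed placeholders.

```python
# Added example (not from the original post): audit two OpenSSH sshd_config
# files against the split-daemon policy described above.  Assumes OpenSSH
# (AuthenticationMethods needs 6.2+); port 2222 and user "ted" are placeholders.
# Each daemon would be started from its own file, e.g.:
#   sshd -f /etc/ssh/sshd_config            (provider daemon, port 22)
#   sshd -f /etc/ssh/sshd_config.owner      (owner daemon, port 2222)
import re

# Constructed sample: daemon 1, port 22, provider's key-only root access
PROVIDER_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey
AllowUsers root
"""

# Constructed sample: daemon 2, alternate port, key AND password required
OWNER_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
AllowUsers ted
DenyUsers admin
"""


def parse_sshd_config(text):
    """Parse the global section of an sshd_config into {keyword: value}.

    Keywords are case-insensitive; 'Key value' and 'Key=value' are both
    accepted; '#' starts a comment.  sshd honours the FIRST occurrence of a
    keyword, so later duplicates are ignored here too.  Parsing stops at the
    first Match block, whose directives are conditional.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, value)
    return directives


def audit_daemon(text, port, methods, allowed_users):
    """Return a list of policy findings; an empty list means the config complies.

    port          -- TCP port this daemon must listen on
    methods       -- required AuthenticationMethods value, e.g. "publickey,password"
    allowed_users -- the exact set of accounts AllowUsers may name
    """
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("port", "22") != str(port):
        findings.append(f"Port is {cfg.get('port', '22')!r}, expected {port}")
    if cfg.get("authenticationmethods") != methods:
        findings.append(f"AuthenticationMethods is "
                        f"{cfg.get('authenticationmethods')!r}, expected {methods!r}")
    # A daemon that requires a password factor must still have password auth
    # enabled, otherwise nobody can satisfy the method list and all logins fail.
    if "password" in methods.split(",") and cfg.get("passwordauthentication", "yes") == "no":
        findings.append("PasswordAuthentication no conflicts with a required password factor")
    users = set(cfg.get("allowusers", "").split())
    if users != set(allowed_users):
        findings.append(f"AllowUsers is {sorted(users)}, expected {sorted(allowed_users)}")
    # Root policy must agree with the AllowUsers list on the same daemon.
    root_login = cfg.get("permitrootlogin", "prohibit-password")
    if "root" in users:
        if root_login not in ("prohibit-password", "without-password"):
            findings.append(f"PermitRootLogin is {root_login!r}; root may log in, so require key-only")
    elif root_login != "no":
        findings.append(f"PermitRootLogin is {root_login!r}; root is not allowed, so set it to no")
    return findings


def audit_both():
    """Audit the two sample daemons; returns {name: findings}."""
    return {
        "provider": audit_daemon(PROVIDER_CONFIG, 22, "publickey", ["root"]),
        "owner": audit_daemon(OWNER_CONFIG, 2222, "publickey,password", ["ted"]),
    }


if __name__ == "__main__":
    for name, findings in audit_both().items():
        print(name, "OK" if not findings else findings)
```

Because sshd keeps only the first occurrence of a keyword, the parser mirrors that rule; a hardened line appended below an earlier permissive one would otherwise look compliant while being ignored at runtime. The PasswordAuthentication check covers the failure mode that bites when the second daemon's file is copied from the first: with AuthenticationMethods publickey,password but password auth disabled, the key-plus-password daemon locks everyone out rather than becoming weaker.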