Falco does a great job over at HowToForge, doesn’t he? I’ve used his “How-To’s” many times myself.
Another good one with a lot of OpenSUSE-specific info is by one of this forum’s regulars, Swerdna. Linux HOWTOs and Tutorials: Suse Linux 10.0, 10.1 openSUSE 10.2, 10.3, 11.0, 11.1
To protect against threats from inside my home network I have edited /etc/ssh/sshd_config to ensure only Protocol 2 is enabled, established a Public/Private key that requires a passcode to remotely log in, disabled root login, set PasswordAuthentication to no, limited MaxAuthTries to 3, and in /etc/hosts.allow limited the allowed hosts to one PC (mine) and added a deny all line as well.
That sounds pretty darned secure to me.
My concern is regarding external web-based threats, since this will eventually be a web server. I have no intention, or foreseeable need, to log in remotely via SSH from outside my home network; thus, will not forwarding the SSH port in use from my router to the server box, coupled with the settings already noted, be sufficient to prevent SSH intrusion? I thought about changing the port, but since I'm not even forwarding that port in my router to connect from the web, would it really be of any benefit to change the port?
In this case, since you don’t plan to expose the server to the Web via your router (I assume you’re talking about a “NAT” or “Port Forward” setting in the router that would send incoming packets to the server?), you should be fine.
However … I will say this. This is just my opinion, so take it for what it’s worth:
For publicly exposed servers, I do change the ports whenever possible. That's not always practical with a web or mail server, obviously, because clients will expect to see those on the standard ports (25, 80, et al.). But I DO change the ports on servers that should have very limited access.
Perfect example: we are required to expose VNC for some of our support services. When it was on the standard 5900-5910 port number(s), we were CONSTANTLY getting hammered by script kiddies. These kids use automated search bots to find common, open ports, and if you look intriguing enough, they’ll start trying to guess your password. I don’t care how good that password is, either, eventually, one of them could get lucky.
When we changed that to a non-standard port number (and notified our support people of the change, of course), our attacks dropped to zero. Nada. Zilch. So, it DOES make a difference to change ports in practice.
There’s a difference between theory and practice. In theory, there’s no way to truly secure your home against a thief. In practice, if you just keep a low profile (i.e., “change the port”) and make it difficult enough to enter (i.e., “use a good password”), the thief will normally give up and move on to the next home (he’ll skip you and try someone else!).
Likewise, while in theory, someone could still attack you if you don’t use port 22 for SSH, the odds drop dramatically. The cracker has only a 1 in 65535 chance of guessing the port number. He could run a “brute force” NMAP scan for open ports, but he’s only going to do that if he thinks you’re worth the bother, because a full-blown NMAP scan can take HOURS. Unless you are so intriguing and/or offer rewards that make such an effort worth it, he won’t even bother. His script will try port 22, if it sees no immediate response, it’ll move to the next IP address.
Theory vs. practice. I go with practice every time.
And no, given what you described, I can’t think of any way to make your SSH more secure. Now, when you install the web server, just use common sense: use the latest version of Apache, keep it updated, etc., etc. But you’re smart enough to know that.
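As an added example (not code from either poster), the following script writes the sshd_config and TCP-wrapper settings the original poster lists, together with the non-standard Port the reply argues for, into a scratch directory and then audits them. It also includes a deliberately misordered sshd_config to show the one trap worth checking for: sshd honours the first occurrence of a keyword, so "PermitRootLogin no" appended below a distribution default of "PermitRootLogin yes" changes nothing. The address 192.168.1.10 and port 2222 are made-up values.

```shell
#!/bin/sh
# Added example, not from the thread: the sshd_config and TCP-wrapper settings
# the original poster lists, plus the non-standard Port the reply argues for,
# written to a scratch directory and then audited. The address 192.168.1.10
# and port 2222 are made-up values; substitute your own.
set -e

WORK="${WORK:-$(mktemp -d)}"

write_configs() {
    # Hardened directives as described (Protocol 2 only, keys instead of
    # passwords, no root, 3 tries) plus a non-default port.
    cat > "$WORK/sshd_config" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
EOF
    # The same hardening done wrong: the 'no' lines were appended below the
    # distribution defaults. sshd uses the FIRST occurrence of a keyword, so
    # the appended lines have no effect.
    cat > "$WORK/weak_sshd_config" <<'EOF'
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
# --- appended later by the admin ---
PermitRootLogin no
PasswordAuthentication no
EOF
    # TCP wrappers: exactly one PC allowed for sshd, everything else denied.
    printf 'sshd: 192.168.1.10\n' > "$WORK/hosts.allow"
    printf 'ALL: ALL\n' > "$WORK/hosts.deny"
}

get_directive() {
    # $1 = sshd_config path, $2 = keyword (case-insensitive).
    # Prints the value sshd will actually use: the first uncommented match.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

expect_directive() {
    # $1 = file, $2 = keyword, $3 = expected value; returns 1 on mismatch.
    val="$(get_directive "$1" "$2")"
    [ "$val" = "$3" ] && return 0
    echo "FAIL: $2 is '${val:-unset}', expected '$3'"
    return 1
}

audit_sshd() {
    # Returns 0 only if every directive from the thread is in effect.
    f="$1"; rc=0
    expect_directive "$f" Protocol 2 || rc=1
    expect_directive "$f" PermitRootLogin no || rc=1
    expect_directive "$f" PasswordAuthentication no || rc=1
    expect_directive "$f" MaxAuthTries 3 || rc=1
    port="$(get_directive "$f" Port)"
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "NOTE: sshd listens on the default port 22"
    fi
    return "$rc"
}

audit_wrappers() {
    # $1 = hosts.allow, $2 = hosts.deny. Requires an 'ALL: ALL' deny line and
    # an sshd entry that lists exactly one address.
    rc=0
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$2" \
        || { echo "FAIL: hosts.deny lacks 'ALL: ALL'"; rc=1; }
    hosts="$(awk -F: '$1 ~ /^[[:space:]]*sshd[[:space:]]*$/ { print $2 }' "$1" \
        | wc -w | tr -d ' ')"
    [ "$hosts" -eq 1 ] || { echo "FAIL: expected one sshd host, found $hosts"; rc=1; }
    return "$rc"
}

write_configs
echo "== hardened config =="; audit_sshd "$WORK/sshd_config" && echo OK
echo "== wrappers =="; audit_wrappers "$WORK/hosts.allow" "$WORK/hosts.deny" && echo OK
echo "== misordered config =="; audit_sshd "$WORK/weak_sshd_config" || echo "audit failed, as expected"
```

Run it as-is to see the hardened files pass and the misordered file fail on Protocol, PermitRootLogin, PasswordAuthentication and MaxAuthTries; point `audit_sshd` at a real /etc/ssh/sshd_config to check a live box, and follow any change with `sshd -t` before restarting the daemon. The Port check is only a note, since the original poster's SSH port is not forwarded by the router at all.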