Server Security (was SSH attack)
Greg Rundlett
greg.rundlett at gmail.com
Mon Dec 19 22:23:00 EST 2005
I've got a number of servers at a hosting company that were configured
prior to my becoming responsible for them. Traditionally, I've used
SSH to do minor editing on servers, but more and more, I've come to
rely on KDE's ability to 'speak' SSH to just browse (Konqueror) files
on remote machines, edit them in an IDE (Quanta Plus). I use rsync to
publish (actually synchronize) entire directory trees between
development/staging/production areas.
The environment I find myself in now is unlike ones that I'm used to.
SSH is allowed for some hosts while not for others. For most host
access, you need to go through a single point of entry (sentry), and
then ssh from there over the local network. (There is both a
front-end network 10.x.x.x for the hosted machines, and a backend
network 10.y.y.y). I'm still trying to understand what all this buys
me in terms of security, but from my simple perspective of a
developer, it buys me a large level of complication with no usability.
I am not really sure what tricks I need to get rsync to go from box C
(desktop) to box B (sentry) to box A (host) because I've only gone
from C->A in the past.
MySQL is not allowed for any external connection. I can't use any
database administration tools on the databases - because I have no
direct access to the database server on any machine, and even
installing a 'client' on the server won't work because I can't ssh -X
to that particular box (and it's not running an X server).
So, (I could easily be opining on things which I do not know enough
about) according to what I know about thwarting script kiddies, and
having good security measures while still providing critical services,
it seems like it would be a 'best practice' approach to open SSHd and
MySQLd to known IP address(es) using strong passwords, and non-standard
ports. Of course, this presumes having a hardened OS, secured MySQL
server, and updated SSHd.
Maybe it's time to go read that book about secure servers.
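
Added example, not part of the original post: one way to cover both the C -> B -> A rsync path and database administration without opening MySQL externally is an OpenSSH client configuration on the desktop. Host names, the user name, the local port 3307, the file paths and the database user are placeholders, and MySQL is assumed to listen on 127.0.0.1:3306 on host A.

```sshconfig
# ~/.ssh/config on the desktop (box C). All names below are placeholders.

# Box B: the single point of entry.
Host sentry
    HostName sentry.example.net
    User deploy

# Box A: reachable only from the sentry's local network.
# ProxyJump (OpenSSH 7.3 and later) opens the connection to A through B;
# HostName is resolved from the sentry, so use A's address as B sees it.
Host hosta
    HostName hosta.internal.example
    User deploy
    ProxyJump sentry

# Same machine, separate alias that also forwards a local port to MySQL.
# The target 127.0.0.1:3306 is interpreted on box A, so mysqld can stay
# closed to external connections. Keeping the forward on its own alias
# means ordinary ssh/rsync sessions to "hosta" never compete for port 3307.
Host hosta-db
    HostName hosta.internal.example
    User deploy
    ProxyJump sentry
    LocalForward 127.0.0.1:3307 127.0.0.1:3306
    ExitOnForwardFailure yes

# Usage from box C:
#   rsync -az ./site/ hosta:/var/www/site/
#       (rsync runs over ssh, so the alias carries it C -> B -> A)
#   ssh -N hosta-db
#       (holds the tunnel open; no remote shell is started)
#   mysql --protocol=TCP -h 127.0.0.1 -P 3307 -u dbuser -p
#       (any desktop administration tool can use the same address and port)
```

This depends on the sentry's sshd permitting TCP forwarding (AllowTcpForwarding), which is the OpenSSH default.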