Are you using SSH in the best way possible? Have you configured it to be as limited and secure as possible? The goal of this document is to kick in the new year with some best practices for SSH: why you should use them, how to set them up, and how to verify that they are in place. All of the examples below assume that you are using EnGarde Secure Linux but any modern Linux distribution will do just fine since, as far as I know, everybody ships OpenSSH.

FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to set up ProFTPd with TLS on a Debian Etch server.

This document describes how to set up a chrooted SSH/SFTP environment on Fedora 7. The chrooted users will be jailed in a specific directory where they cannot break out. They will be able to access their jail via SSH and SFTP.

In this article I will show how to install and configure fail2ban on an OpenSUSE 10.3 system. Fail2ban is a tool that observes login attempts to various services, e.g. SSH, FTP, SMTP, Apache, etc., and if it finds failed login attempts again and again from the same IP address or host, fail2ban stops further login attempts from that IP address/host by blocking it with an iptables firewall rule.

In this article I will show how to install and configure BlockHosts on a Debian Etch system. BlockHosts is a Python tool that observes login attempts to various services, e.g. SSH, FTP, etc., and if it finds failed login attempts again and again from the same IP address or host, it stops further login attempts from that IP address/host. By default, BlockHosts supports services that use TCP_WRAPPERS, such as SSH, i.e. services, that use /etc/hosts.allow or /etc/hosts.deny, but it can also block other services using iproute or iptables.

This tutorial shows how you can install and use F-PROT Antivirus on an Ubuntu Feisty Fawn desktop. Although there are not many Linux viruses out there, this can be useful if you often exchange files with Windows users - it can help you to not pass on any Windows viruses (that do not do any harm to Linux systems) to Windows users. F-PROT Antivirus for Linux is free for home use.

This tutorial shows how to install MySecureShell on a Debian Etch system. MySecureShell is an SFTP server that is based on OpenSSH and can be configured in many ways, e.g. it has support for chrooting users into their homedirs or for limiting upload-/download bandwidths. MySecureShell makes SFTP available for users that do not have shell access so that these users do not have to use the insecure FTP protocol anymore.

This tutorial describes two ways how to give users chrooted SSH access. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of. The users will also be able to use SFTP in their chroot jails.

This tutorial shows how to harden PHP5 with Suhosin on a CentOS 5.0 server. From the Suhosin project page: "Suhosin is an advanced protection system for PHP installations that was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections."

This tutorial shows how to harden PHP5 with Suhosin on a Fedora 7 server. From the Suhosin project page: "Suhosin is an advanced protection system for PHP installations that was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections."