Any other all-around good practices that you can recommend? I'm not really sure how to go about locking down a production server to a sane degree, and there's a lot of bad information out there when it comes to security.
* Run Denyhosts, to block IP addresses that have too many repeated failed login attempts.
* Use Jumphosts (AKA Bastions). One (or a few) servers that listen to ssh from the open Internet and have no private keys stored on them (use key forwarding). All other servers only listen to ssh from an internal network interface the Jumphosts are also on, or from the Jumphosts' IP address directly.
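The bastion layout from the list above, written out as configuration, with a small check for the "internal servers only listen on the private interface" half of it. This is an added example, not something from the thread or from any of the posters; every hostname and address (bastion.example.net, 10.0.0.2 for the bastion, 10.0.0.5 for the internal host) is assumed, and the client side uses ProxyJump rather than agent forwarding because ProxyJump tunnels the TCP connection through the bastion without ever exposing the agent or key to it.

```shell
#!/bin/sh
# Added example (not from the thread): jumphost/bastion pattern as configuration,
# plus a check that an sshd_config only listens on private address space.
# All hostnames and addresses below are assumed/constructed.

# --- 1. Client side (~/.ssh/config): reach prod hosts through the bastion.
# ProxyJump forwards the TCP connection via the bastion; the private key and the
# agent stay on the workstation, so a compromised bastion cannot use them.
CLIENT_SSH_CONFIG='
Host bastion
    HostName bastion.example.net
    User ops
    IdentityFile ~/.ssh/id_ed25519

Host prod-db-*
    ProxyJump bastion
    User ops
    IdentityFile ~/.ssh/id_ed25519
'

# --- 2. Internal server sshd_config: bind only to the private interface and
# accept the ops user only when the connection comes from the bastion address.
INTERNAL_SSHD_CONFIG='
ListenAddress 10.0.0.5
PasswordAuthentication no
PermitRootLogin no
AllowUsers ops@10.0.0.2
'

# --- 3. Check: does an sshd_config listen only on RFC 1918 / loopback space?
# No ListenAddress at all means sshd binds every address, so that counts as public.
# Prints "private-only" (returns 0) or "public" (returns 1). IPv4 forms only.
sshd_listens_private_only() {
    addrs=$(printf '%s\n' "$1" | awk 'tolower($1) == "listenaddress" { print $2 }')
    if [ -z "$addrs" ]; then
        echo public
        return 1
    fi
    for a in $addrs; do
        a=${a%:*}   # strip an optional :port suffix (IPv4 address:port form)
        case "$a" in
            10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|127.*) ;;
            *) echo public; return 1 ;;
        esac
    done
    echo private-only
    return 0
}

# Usage: sshd_listens_private_only "$(cat /etc/ssh/sshd_config)"
```

Run the check against the real file on each internal host; a result of "public" means the host is still reachable by the mass scanners the bastion was meant to absorb. The `AllowUsers user@host` form is standard sshd_config syntax and also accepts CIDR ranges for the host part.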
sshd is equally susceptible, wherever you run it, sure.
With jumphosts, though, you can run denyhosts, redirect to tarpits, or other clever things, and not affect performance on your other servers.
I think the motivation to use jumphosts is to minimize the surface area of your other servers as much as possible. Each daemon on each server listening for incoming connections is a liability. If an sshd exploit is found (unlikely as that is), bots that mass scan and find my ssh ports and connect won't be able to delete any production files (right away, at least) if all they gain access to is my jumphost and not one of the prod db servers.
Thanks. I didn't consider that the mere act of having sshd deny attempts is a performance cost. I guess one could potentially DoS a server by flooding the sshd with bogus attempts?
Well, sshd denying requests isn't a performance cost, in itself.
But having a script like denyhosts or fail2ban that analyzes auth logs for IPs to block requires memory for the interpreter running the script, as well as however much of the log gets read into memory.
Blocking external ssh connections can avoid that performance hit, however large or small it ends up being.
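To make concrete what "a script that analyzes auth logs for IPs to block" amounts to, here is the core of that job reduced to one awk pass: count failed sshd logins per source address and emit the block rules a tool like denyhosts or fail2ban would apply. This is an added example, not code from the thread or from either project; the log lines are constructed, and the threshold of 3 failures is an arbitrary assumption. The rules are printed, not executed, so it can be run anywhere as a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): the essence of a denyhosts/fail2ban-style
# log analyzer. Sample auth log lines are constructed; the threshold is assumed.

AUTH_LOG='Mar  1 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  1 10:00:03 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Mar  1 10:00:05 web1 sshd[1205]: Failed password for root from 203.0.113.9 port 51041 ssh2
Mar  1 10:00:09 web1 sshd[1207]: Failed password for invalid user test from 203.0.113.9 port 51050 ssh2
Mar  1 10:01:00 web1 sshd[1210]: Accepted publickey for ops from 10.0.0.2 port 40022 ssh2: ED25519 SHA256:constructed
Mar  1 10:02:00 web1 sshd[1212]: Failed password for ops from 198.51.100.7 port 33001 ssh2'

# offending_ips LOGTEXT THRESHOLD
# Prints "ip count" for each source with at least THRESHOLD failed password logins.
# Only "Failed password" lines are counted; accepted logins never add to a count.
offending_ips() {
    printf '%s\n' "$1" | awk -v threshold="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }'
}

# block_rules LOGTEXT THRESHOLD
# Dry run: print the firewall rule per offending IP instead of applying it.
block_rules() {
    offending_ips "$1" "$2" |
        awk '{ print "iptables -I INPUT -s " $1 " -p tcp --dport 22 -j DROP" }'
}

# Usage: block_rules "$(cat /var/log/auth.log)" 3
```

Note where the cost in the discussion above comes from: the whole log text is held in memory and scanned on every run, and a real tool also keeps per-IP state between runs. Keeping sshd off the public interface entirely means none of this has to run on the production hosts.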