Securing a server
We have a group of servers that sit behind a firewall, if you can call it that, and are only accessed after a port knock to a firewall server. These servers are also accessible from two servers in a remote DC without port knocking.
In our hosts.allow file we have an entry for sshd to be accessed by all: "sshd: ALL". I have read in a few places that even behind a firewall this is not safe, that this entry should be in the hosts.deny file to deny all by default, and then in the hosts.allow file have an entry "sshd: xxx.xxx.xxx.0/nm" to allow access to any service in a particular IP block.
Is this something that can be considered a "best practice" step, is it unnecessary, etc.? I'm hoping someone can give me some good advice on whether this should be done.
Yes, it is the sort of thing you want to do. The general process with firewalling or service denial for security is that you deny everything first, then specifically allow the access you want, and keep the range of what you allow as narrow as you can.
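To make the deny-first ordering concrete, here is a small added example (not code from the question or either answer) that evaluates sshd access the way TCP wrappers do: hosts.allow is consulted first, then hosts.deny, and a client that matches neither file is granted access. It compares the permissive "sshd: ALL" setup from the question against a deny-by-default pair of files. The file contents and IP addresses are constructed for the example; it assumes the net/mask and CIDR client forms and does not implement hostname patterns or the EXCEPT operator.

```python
import ipaddress

# Constructed sample files mirroring the two configurations discussed in the
# question. These are illustrative strings, not copied from any real server.
PERMISSIVE_ALLOW = "sshd: ALL\n"
PERMISSIVE_DENY = ""

# Deny-by-default: everything is refused unless hosts.allow names it.
HARDENED_ALLOW = "sshd: 10.20.30.0/255.255.255.0, 198.51.100.0/24\n"
HARDENED_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((
            [d.strip() for d in daemons.split(",") if d.strip()],
            [c.strip() for c in clients.split(",") if c.strip()],
        ))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern: ALL, a single address, net/mask or net/prefix."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        # ip_network accepts both 'n.n.n.n/m.m.m.m' and 'n.n.n.n/prefixlen'
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, ip) for c in clients))


def access_allowed(allow_text, deny_text, daemon, ip):
    """Apply hosts_access(5) order: allow file, then deny file, then default allow."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return False
    return True  # no rule matched in either file: tcp_wrappers grants access


if __name__ == "__main__":
    for client in ("10.20.30.7", "198.51.100.9", "203.0.113.5"):
        print(client,
              "permissive:", access_allowed(PERMISSIVE_ALLOW, PERMISSIVE_DENY, "sshd", client),
              "hardened:", access_allowed(HARDENED_ALLOW, HARDENED_DENY, "sshd", client))
```

The last return line is the point the answer is making: with an empty hosts.deny, a client that matches nothing is still let in, so the "ALL: ALL" deny entry is what turns the allow file into an actual whitelist.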
I would switch to ssh-key _ONLY_ logins (disable PasswordAuthentication completely) and install fail2ban (or some other ssh blacklister).
SSH keys do take a little bit more time and effort to set up and require that your users have half a clue, but they're more secure (and I think easier to use in the long run).
fail2ban just scans your logs for failed login attempts and uses iptables to ban anyone that fails 3-5 times in quick succession (like a minute or something). It's configurable, but I've had no problems with the Debian default settings. It's actually pretty fun to browse my logs: 5 failed auths... 10 minutes... 5 failed auths... then nothing.
Doing both these things will make almost every SSH attack just bounce off you. Of course, using ALLOW rules is _definitely_ a better idea, but I think it's impractical for most situations.