I am currently setting up a RedHat Linux box for an intranet application. It's access to the outside world will be: 1) remote system administration by myself, 2) ftp'ing application programs to the intranet web server (again by myself), 3) testing the intranet application (myself), and 4) "getting/putting a couple of data files (using ftp) from a "safe" internet site every night. What kind of security am I looking at? Since I am not hosting a web site for external users, can I get away with less security and still not get hacked? I really don't wish to become a Linux/Internet security expert and spending hours administering security and hack threats. Any ideas? Thanks!

Linux is powerfull.
With power comes responsability.
plz explain to me (like Im 4yrs old)
where "less security" differs from no security at all?

okay, okay, i stand corrected. i was just wishfully thinking of a world where my system, not being a "public" web site and only providing access to a single known remote user (me) could avoid some of the security setup and maintenance. i need to have the host system available only via dialup access and only by me. i plan on using SSH-2 for remote administration and SCP for transferring files. i'll be using Apache/Tomcat for web/java serving. thus, i'll need to provide HTTP access as well in order to remotely test the intranet application. i have come across a ton of online material as to what i need to do in order to "defend" the system. i realize that once proving any outside access, you just gotta do the work and protect yourself. thanks for the reminder.

no.
its the other way around.
thank -u- for not dodging ure responsabilities.
unfortunately too many ppl still do.

I'd _really_ re-eveluate using ftp. I trust there is some kind of firewall in your solution as well. A few hours (maybe more) with ipchains or even good canned scripts would be a wise investment. Not letting anything but the most crucial ports to the outside world would be a good starting point. ie: ssh and nothing else. That should buy you some extra time to get comfortable with your firewall ruleset bfore you have to open up http/https and (yikes) domain (named).

As already pointed out by unSpawn, thank you in adavnce for your valid concerns and honest questions. Now go ye forth and fortify. Then ask more questions. After that ask more questions. In short - lay low and let the other guy get rooted.

I wish I would have found this place a long time ago.

Again - submitting reply without previewing...
mc9

Just to build on your comments Ekromps.
"Since I am not hosting a web site for external users, can I get away with less security and still not get hacked"

No, but you can get away with more security or by creating a PKI for your network.

As it sounds to me, your on the internet and you want to access your system over the internet but like an intranet website.

Simple:
You put up a statefull firewall and a VPN gateway to your computer. "which must also have a statefull firewall running.

Then you don't need to secure FTP or the HTTP as it's a virtual private network using the internet as a long cable.
Once it's up little or no maintenance is needed.

This is the model for most B2B implementations, who don't want to invest time and money into 24/7 security cover.

However I would like to point out that if your connect to the internet then nothing is 100% secure, but you can most definitely stop 99.999% of hackers getting in.

/Raz