Linode Forum
PostPosted: Mon Feb 07, 2011 6:03 am 
Senior Newbie

Joined: Mon Feb 07, 2011 5:54 am
Posts: 7
First post from a semi-new Linux user.
I use Ubuntu at work but only for desktop use, so I'm not very experienced with Ubuntu Server.
I'm interested in your views on my setup:

Ubuntu 10.04 LTS
pptp vpn connect which gives a 192.168.X.*-* address
ufw firewall default deny
ssh default port allow from anywhere
(root login disabled, denyhosts running)
pptp default port allowed from anywhere
ftp default port only allow from 192.168.X.*
phpmyadmin default folder only allowed from 192.168.X.*
webmin default port only allowed from 192.168.X.*

whitelist on manager.linode.com
Wordpress installation with SSL on admin login.

I use VPN to connect to ftp, phpmyadmin and webmin/virtualmin

Any other things i should think about?
Thanks .


PostPosted: Mon Feb 07, 2011 10:15 am 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
You may want to change the VPN IP addresses to one of the other private net blocks; Linode uses the 192.168 range for their private network, and you may find clashes should you ever choose to use it.

I hope your SSH is restricted to public keys, not password authentication; having it open to anyone on the default port means you're going to experience brute force attempts.

Do you really need FTP? Can't you use SFTP (transferring files over SSH)? One less bit of software to worry about.

Do you also need phpMyAdmin? I find http://wb.mysql.com/ is a better alternative.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue
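The key-only SSH login recommended above is easy to get wrong in sshd_config, because sshd keeps the first value it reads for a keyword and silently ignores later duplicates. The following is an added example (not code from this thread or from OpenSSH) that audits an sshd_config text the way sshd reads it; the sample configs, the `CHECKS` table and the function names are constructed for the example.

```python
"""Audit an sshd_config for key-only login the way sshd itself reads it.

Added example, not code from the thread.  Two facts about sshd drive the
parser: for each keyword sshd keeps the FIRST value it reads (a later
duplicate is ignored), and everything after a Match line is conditional,
so the global audit stops there.  The sample configs are constructed.
"""

# keyword (lower-case) -> (required value, why it matters)
CHECKS = {
    "permitrootlogin": ("no", "root must not be a remote login target"),
    "passwordauthentication": ("no", "keys only, so password brute force gains nothing"),
    "challengeresponseauthentication": ("no", "keyboard-interactive via PAM can still prompt for a password"),
    "pubkeyauthentication": ("yes", "key authentication must stay enabled"),
}

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional block: its settings do not apply globally
        settings.setdefault(key, value)  # sshd ignores later duplicates
    return settings


def audit_sshd_config(text):
    """Return [(keyword, effective_value, required_value, reason)] for each miss."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (required, reason) in CHECKS.items():
        effective = settings.get(key, DEFAULTS[key]).lower()
        if effective != required:
            findings.append((key, effective, required, reason))
    return findings


# Constructed sample: looks hardened at a glance, but the second
# PasswordAuthentication line is the one sshd ignores.
WEAK_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
# the line below never takes effect: sshd already has a value for it
PasswordAuthentication no
UsePAM yes
"""

# Constructed sample: keys only globally; the Match block re-enables
# passwords for one account and is deliberately outside the global audit.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, got, want, why in findings:
            print(f"  {key} is {got!r}, want {want!r}: {why}")
```

After editing the real file, `sshd -t` checks the syntax and `sshd -T` prints the effective values sshd will actually use, which is the authoritative version of what this script approximates. Keep an existing session open while restarting sshd, so a mistake does not lock you out.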


PostPosted: Mon Feb 07, 2011 2:03 pm 
Senior Newbie

Joined: Mon Feb 07, 2011 5:54 am
Posts: 7
Thank you for your reply. I have now changed to private IP 10.0.X.*.
I also moved SSH to a non-default port. Will generate keys and disable
password login.

About SFTP, is that the same as scp?
Would I connect to my SSH port with my scp/SFTP program?

Will look into your phpmyadmin alternative.

I really appreciate your input :)


PostPosted: Mon Feb 07, 2011 2:24 pm 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Technically, PPTP VPN is a compromised protocol (and has been for many many years), and only MS still considers it fit to use in VPNs.


PostPosted: Mon Feb 07, 2011 2:30 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Try http://library.linode.com/networking/openvpn/ for vpn

scp/sftp use the same SSH protocol; yes, you would connect to your SSH port with the same credentials you use for SSH.

If you're on a Mac then Cyberduck is a good SFTP client; on Windows WinSCP is good; on Linux just check your repositories.



PostPosted: Mon Feb 07, 2011 4:12 pm 
Senior Newbie

Joined: Mon Feb 07, 2011 5:54 am
Posts: 7
I disabled FTP and use SFTP via Transmit on my Mac; works great!
Will try to upgrade to L2TP from PPTP, seems tricky though.


PostPosted: Tue Feb 08, 2011 3:51 am 
Senior Newbie

Joined: Mon Feb 07, 2011 5:54 am
Posts: 7
obs wrote:
You may want to change the VPN IP addresses to one of the other private net blocks; Linode uses the 192.168 range for their private network, and you may find clashes should you ever choose to use it.

I hope your SSH is restricted to public keys, not password authentication; having it open to anyone on the default port means you're going to experience brute force attempts.

Do you really need FTP? Can't you use SFTP (transferring files over SSH)? One less bit of software to worry about.

Do you also need phpMyAdmin? I find http://wb.mysql.com/ is a better alternative.


Wouldn't I have to open up the MySQL port to use your suggested app? Wouldn't that be more unsafe than using a protected phpMyAdmin directory? I'm not really using phpMyAdmin much except when importing/exporting databases.

Another problem I have now: I have disabled the FTP service on my server and used "ufw deny 21" to close the FTP port. When running nmap from another computer against my domain name, the port still lists as open. How is this possible?

Code:
PORT    STATE SERVICE
21/tcp  open  ftp
53/tcp  open  domain
80/tcp  open  http
443/tcp open  http


PostPosted: Tue Feb 08, 2011 10:58 am 
Senior Member

Joined: Mon Oct 27, 2008 10:24 am
Posts: 173
Website: http://www.worshiproot.com
Do you still have an "allow" rule for port 21? The first rule that matches is applied, so you may need to delete a conflicting rule to actually close the port.
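The rule-order point above is the first thing to check, and it can be checked mechanically: ufw stops at the first matching rule, and `ufw deny 21` appends its rule at the end of the list, so an earlier `allow` keeps winning. The script below is an added example (not code from this thread or from ufw): it parses the text of `sudo ufw status numbered` (a constructed sample is embedded) and reports every DENY/REJECT that an earlier ALLOW/LIMIT already covers. The function names and sample output are my own.

```python
"""Find ufw deny rules that an earlier allow rule shadows.

Added example, not code from the thread.  ufw evaluates rules in order
and stops at the first match, and `ufw deny 21` appends its rule at the
end, so an existing allow earlier in the list keeps the port open.
This parses the text of `sudo ufw status numbered` (sample constructed
below) and reports each DENY/REJECT that a prior ALLOW/LIMIT already
covers.  IPv6 rows ("(v6)") are compared as plain strings.
"""
import ipaddress
import re

NUMBERED_RE = re.compile(r"^\[\s*(\d+)\]\s+(.*)$")


def parse_ufw_status(text):
    """Return rules as dicts with num/to/action/from, in evaluation order."""
    rules = []
    for line in text.splitlines():
        m = NUMBERED_RE.match(line.strip())
        if not m:
            continue  # "Status:", column headers, blank lines
        cols = re.split(r"\s{2,}", m.group(2).strip())  # columns padded with >=2 spaces
        if len(cols) != 3:
            continue
        to, action, frm = cols
        rules.append({"num": int(m.group(1)), "to": to,
                      "action": action.split()[0],  # "ALLOW IN" -> "ALLOW"
                      "from": frm})
    return rules


def _to_covers(outer, inner):
    """Does a rule on `outer` (To column) match traffic aimed at `inner`?"""
    o_port, _, o_proto = outer.partition("/")
    i_port, _, i_proto = inner.partition("/")
    # "21" (no protocol) matches both tcp and udp, so it covers "21/tcp"
    return o_port == i_port and o_proto in ("", i_proto)


def _from_covers(outer, inner):
    """Does a rule with source `outer` (From column) match sources of `inner`?"""
    if outer.startswith("Anywhere"):
        return True
    try:
        return ipaddress.ip_network(inner, strict=False).subnet_of(
            ipaddress.ip_network(outer, strict=False))
    except (ValueError, TypeError):  # not an address/network, or v4 vs v6
        return False


def shadowed_rules(rules):
    """Return (deny_rule_num, earlier_allow_rule_num) pairs that can never fire."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] not in ("DENY", "REJECT"):
            continue
        for earlier in rules[:i]:
            if (earlier["action"] in ("ALLOW", "LIMIT")
                    and _to_covers(earlier["to"], rule["to"])
                    and _from_covers(earlier["from"], rule["from"])):
                findings.append((rule["num"], earlier["num"]))
                break
    return findings


# Constructed `ufw status numbered` output: rule 3 is a deny on 21/tcp
# appended after an allow on port 21 (both protocols) that already matches.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 21                         ALLOW IN    Anywhere
[ 2] 22/tcp                     LIMIT IN    Anywhere
[ 3] 21/tcp                     DENY IN     Anywhere
[ 4] 8080/tcp                   ALLOW IN    192.168.0.0/16
[ 5] 8080/tcp                   DENY IN     192.168.5.10
"""

if __name__ == "__main__":
    for denied, allowed in shadowed_rules(parse_ufw_status(SAMPLE_STATUS)):
        print(f"rule {denied} is shadowed by rule {allowed}: "
              f"`sudo ufw delete {allowed}`, or put the deny first with `ufw insert`")
```

`sudo ufw delete <num>` removes the shadowing allow; `sudo ufw insert 1 deny 21/tcp` places a deny at the top of the list instead of appending it. With a default-deny policy the cleanest fix is simply to have no allow rule for the port at all. None of this applies if the "open" report comes from somewhere other than the Linode, which is what the rest of the thread turned up.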


PostPosted: Tue Feb 08, 2011 2:01 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
No, you don't have to open up MySQL to use MySQL Workbench; you can use an SSH tunnel (which is what I do). All MySQL needs to do is listen on 127.0.0.1, which is the default anyway.

Try checking nmap from another machine; if I use nmap on any IP it always says port 21 is open, something weird to do with my ISP (I imagine they filter incoming FTP traffic). Maybe your ISP does the same.

If you pop on IRC someone there could scan for you.



PostPosted: Tue Feb 08, 2011 5:56 pm 
Senior Member

Joined: Wed Jul 21, 2010 8:04 pm
Posts: 119
You might find this helpful:
viewtopic.php?t=6564&highlight=


PostPosted: Wed Feb 09, 2011 5:29 am 
Senior Newbie

Joined: Mon Feb 07, 2011 5:54 am
Posts: 7
JshWright wrote:
Do you still have an "allow" rule for port 21? The first rule that matches is applied, so you may need to delete a conflicting rule to actually close the port.


No, I have no allow rule for 21. It's weird though. When running nmap from certain networks to my Linode it does not show port 21 as open, which makes me believe obs is right in that some ISP is to blame. I can't connect to 21 (even when I have proftpd started on 21). I guess I can drop my concern about this.
Thanks a bunch for all your great replies!
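The ISP explanation that obs gave and the poster's "open but I can't connect" observation can be tested rather than guessed at. nmap reports a port as open as soon as a TCP handshake completes; a transparent proxy that intercepts port 21 on the scanner's side of the network completes that handshake for every destination, so every host appears to run FTP. A real FTP server greets the client with a banner, so reading the first bytes after connect separates the two cases. The prober below is an added example (not code from this thread); the listeners it uses are constructed on 127.0.0.1 for the demo, and `probe()` can be pointed at a real host. The authoritative check is still on the Linode itself: `sudo netstat -ltnp` (or `ss -ltn` on newer systems) shows what is actually listening, and a scan from a second vantage point, as the poster did, shows whether the "open" result travels with the scanner or with the server.

```python
"""Tell a port that is really open from one an ISP middlebox answers for.

Added example, not code from the thread.  nmap says "open" when the TCP
handshake completes; an intercepting proxy completes it for every
destination.  A real FTP daemon speaks first (a 220 banner), a middlebox
usually waits for the client, so the first bytes after connect tell the
cases apart.  Listeners below are constructed on 127.0.0.1 for the demo.
"""
import socket
import threading


def probe(host, port, timeout=3.0):
    """Classify one TCP port from this vantage point.

    "closed"         connection refused: nothing listening, or firewall rejects
    "filtered"       connect timed out or host unreachable: firewall drops
    "open:<banner>"  handshake completed and the service spoke first
    "open-silent"    handshake completed but nothing arrived: either a
                     service that waits for the client, or a middlebox
                     accepting on the port (the symptom in this thread)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except (socket.timeout, ConnectionResetError):
                return "open-silent"
            if not data:
                return "open-silent"  # peer closed without saying anything
            return "open:" + data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        raise  # bad hostname is a caller error, not a firewall verdict
    except OSError:  # connect timeout, "no route to host", etc.
        return "filtered"


def _local_listener(banner, hold_for):
    """Constructed one-shot listener on 127.0.0.1; returns its port.

    With a banner it behaves like proftpd; with none it behaves like an
    intercepting proxy that accepts and then waits for the client.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            else:
                conn.settimeout(hold_for)
                try:
                    conn.recv(1)  # wait for the client, as a proxy would
                except socket.timeout:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo_local(timeout=1.0):
    """Probe three constructed local cases; returns {case: classification}."""
    banner_port = _local_listener(b"220 ProFTPD Server ready.\r\n", 2 * timeout)
    silent_port = _local_listener(b"", 2 * timeout)
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # port released, so connecting to it is refused
    return {
        "ftp-with-banner": probe("127.0.0.1", banner_port, timeout),
        "accepts-but-silent": probe("127.0.0.1", silent_port, timeout),
        "nothing-listening": probe("127.0.0.1", closed_port, timeout),
    }


if __name__ == "__main__":
    for case, result in demo_local().items():
        print(f"{case:20} {result}")
```

If a scan from the ISP network reports "open-silent" on port 21 for a host you know runs no FTP daemon, and the same probe from a second network reports "closed" or "filtered", the middlebox is on the scanner's side and the Linode's firewall is doing its job.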

