Hi.

I have a requirement to expose a linux development machine (fairly briefly) to the internet at large, so a remote colleague can log into it to do some work. It is running the latest version of Mint. Can someone with more practical experience than I have about linux security suggest how I configure it for minimum risk of someone unwanted violating the poor thing?

pca

Keep it behind the firewall and only forward the required port(s) for a start.

Are you looking to give just SSH access? If so you can basically tunnel anything/everything else over that SSH - so just make sure that's secure and up to date and you should be fine.

A brief expose should be fine since the machine is up to date. As Shonky indicated, make sure SSH is configured well. Ensure /etc/sshd_config has root logins off (most distros do this, can't speak for Mint). You can go further and require keys only. Or change the port from the default 22 to something else for a little security via obscurity.

My VPS sees a number of SSH attempts daily. It's set up to block the IP with the firewall if a few bad attempts are seen. Outside that, most attempts to get in are via Apache and various known insecure PHP scripts.

Run:
netstat -lnutp
as root.

It shows you what processes are listening on what ports and you need to ensure odd things like NFS aren't setup/listening.

Feel free to paste here if you like

Assuming you have easy console access or reliable user/sudo access:

Also - you should ensure /etc/ssh/sshd_config has
PermitRootLogin No

Ideally as drakino says, also set:
PasswordAuthentication No
and make sure your colleague uses an ssh key to get in.
(reboot or restart sshd to make them take effect)

Too complex. In Real Life, PCA/friend will use a password for login.

So here's what you do:
1. Ensure all userid's on the to-be-exposed-box (TBEB) have passwords, with a mix of letters/numbers at a minimum.

2. Ensure the openssh-server package is installed.

3. Open a terminal window on the TBEB and try to ssh to itself, to prove it works locally.

4. Visit the router/firewall web gui, and set it to port-forward external port number xxxx to internal port 22 on the TBEB. Use a different port for xxxx (not 22, it gets attacked routinely).

Eg. try 555 instead (I just banged my fingers on the keyboard for that one.. pick an ugly number that doesn't appear in the /etc/services file.

If you want to leave it open longer than just a few days, then email me for help setting up a "door knocker" to conceal the port even better.

Cheers