Once I have my webserver, I'm not sure how to set up the file groups/permissions in the document root. I think I should create a group "web", add my normal user to "web", and have the files in /whatever/www be owned by root but with the group "web" and setgid the www directory, and generally give html files 765 permissions. Sound reasonable? It's this policy stuff that gets me.
Not familiar with Red Hat (been a Debian/Ubuntu guy for a decade) but over on the Debian side the group isn't 'web', it's 'www'. Regardless of the name there's probably one already there. Groups are stored in /etc/group.
File permissions aren't hard over in *nix, as long as you understand octets and binary math. Unix is very user friendly, just picky about its friends.
Every file and directory has four octets (which are like bytes) that define security permissions. They also have an owner and group.
Now, I just said they've got four octets (0755, 4755, 1600 are examples) but we'll ignore the first octet because those are special and rarely used. So we'll just talk about 600, 660, 755 type permissions.
The first octet (or byte) denotes the permissions of the OWNER of the file. And you gotta do a little binary math when computing these.
0 bit (value 1) - file can be executed.
1 bit (value 2) - file can be written to.
3 bit (value 4) - file can be read from.
Add them together and that's the permission level.
So 6 (4+2) is reading and writing. 7 (4+2+1) is read, write, execute. 1 is just execute (never seen that used).
The second number is the group access and the third number is "everybody" access.
So, 664 means the owner can read/write, the group can read/write and "everybody" can read.
775 means the owner can read/write/execute, the group can read/write/execute and "everybody" can read/execute the program/script/whatever. This is what you'll want most of your CGI scripts at. 755 is also an acceptable permissions level.
When you ask for an "ls -l" of a file in *nix it'll show you permissions broken down much like the octets that describe it. Basically rwxrwxrwx is the pattern. The first "rwx" describes the owner's read/write/execute permissions, the second for the group, and the last one for "everybody".
When you deal with the fourth octet and setuid/setgid/etc permissions I found it so confusing that I actually once modified GNU fileutils to just output the damned octet value instead of rwSrwsrwt or whatever the frick it does once the upper octet gets changed.
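The octal-to-rwx mapping described in the answer above, including the special first digit, as an added example that is not part of the original thread. The function names and the sample modes are constructed for illustration.

```python
# Added example: decode a 3- or 4-digit octal mode into the string "ls -l" shows.
# All sample modes below are constructed for illustration.

def mode_to_string(mode: int) -> str:
    """Render permission bits (e.g. 0o2775) as an ls-style 'rwxrwsr-x'."""
    out = []
    # (shift of the rwx triplet, special bit tied to it, letter for that bit)
    classes = [
        (6, 0o4000, "s"),  # owner triplet, setuid
        (3, 0o2000, "s"),  # group triplet, setgid
        (0, 0o1000, "t"),  # "everybody" triplet, sticky
    ]
    for shift, special, letter in classes:
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        execute = bool(bits & 1)
        if mode & special:
            # lowercase: special bit and execute; uppercase: special bit only
            out.append(letter if execute else letter.upper())
        else:
            out.append("x" if execute else "-")
    return "".join(out)


def parse_octal(text: str) -> int:
    """Parse a mode string such as '775' or '2775', rejecting anything else."""
    if not 3 <= len(text) <= 4 or any(c not in "01234567" for c in text):
        raise ValueError(f"not an octal mode: {text!r}")
    return int(text, 8)


def world_writable(mode: int) -> bool:
    """True when "everybody" has the write bit, worth flagging in a document root."""
    return bool(mode & 0o002)


if __name__ == "__main__":
    for text in ["664", "775", "755", "765", "2775", "4755", "1777", "2664"]:
        mode = parse_octal(text)
        flag = "  <- world-writable" if world_writable(mode) else ""
        print(f"{text:>4}  {mode_to_string(mode)}{flag}")
```

Running it prints each mode next to its rwx form, so the effect of the first digit on the execute column (s, S, t, T) can be read off directly.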
How do I turn off telnet, block all ssh connections but my own workstation, otherwise disable things that might be turned on by default, and otherwise not do stupid things security-wise?
Not familiar with Red Hat (been a Debian/Ubuntu guy for a decade) but telnet SHOULD be off by default. Not much need to restrict ssh access by IP. It's sorta built by paranoid whackjobs that have a special place in my heart. If you do want to get slightly restrictive just modify the ssh server config to only allow connection with a key file, not just relying on a password. I can't remember the exact lines needed to do this but it's an easy change. I've got an Amazon EC2 VM that runs this way. Not my choice, just how they set it up by default and I ran with it.