As we all know, prevention, detection and response are our three main lines of defence against threats, with a good administrator putting most focus on prevention. As the old adage goes, "an ounce of prevention is worth a pound of cure" - a 1:16 ratio for the metrically inclined - but there's always going to be the odd occasion where prevention fails, either through a lack of time or a mistake in one's security procedure. In this article we describe a few hardening and alerting methods for Unix servers that help block vectors for various attacks, including two web-based application attacks and the brute-forcing of SSH passwords. The article then looks at what an administrator should do post-compromise. These incidents have been drawn from both honeypots and real systems.

Today, devices such as stateful firewalls are common and people are paying more attention to vendor patches. This correlates with a trend of more attacks being carried out at the application level. For example, we are seeing more and more instances of SQL injection, SSH password guessing, cross-site scripting attacks and the leveraging of browser flaws. For the purposes of this article, we assume the reader has a reasonable firewall configuration and makes an effort to keep up with OS and application patches; if not, that is the first area to fix. We all benefit from applying a defence-in-depth strategy - ideally a network should remain secure even if any single security measure fails.

The link for this article located at SecurityFocus.com is no longer available.