Quite vast topic. It's better to define some more pronounced direction for discussion, but the presence of this thread is good by itself.
My strategies are:
1) really strong passwords. At least 10 chars with big and small letters + numbers. Any user who actively refuses to obey this, is excluded being possible to login from outside
2) read or at least quickly skim the logs every day
3) before installing any service, I make sure that I really need this. It is worth to put services in DMZs if you have enough free boxes. Good network design to say...
4) frequently make and check the checksums with aide.
5) use sshguard to get rid of ssh login attempts
6) setup firewall with tested enough ruleset
7) whenever I see portaudit complaining about installed package security - I take the time to install it
8) if there are FreeBSD vulnerabilities published - I devote more time and inform the users about planned works.
9) and... the more important changes I am planning to do, I devote even more time to prepare and explore the consequences
10) finally, I use the handwritten journal about any more or less changes done to boxes either in hardware or in software world. It may be boring, but this book-keeping saved me more time in troubleshooting afterwards.
|