The other really useful article I came upon when I was investigating a possible break-in on our servers was this one and this one, explaining how, with the ‘chattr’ command, you can make files ‘immutable’ (they can’t be modified by anyone, including root) or append-only. Append-only would be brilliant for logs, meaning that a person breaking into your machine couldn’t just go and modify the logs to cover their tracks. However, this assumes that the person has not gained root access; otherwise they could simply clear the append-only flag, change the file, and then make it look like it hadn’t been modified. Also, these tricks apparently only work with ext2/3, so anyone using other file systems is out of luck.
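Because root can clear the flag again, it is worth periodically checking that the logs you protected still carry it. The script below is an added example (not from the original post): it parses lsattr-style output and reports files that have lost the ‘a’ (append-only) or ‘i’ (immutable) attribute. It runs on a constructed sample so it needs no root; the file paths and the `lsattr`/`chattr` invocations in the comments are the assumed real-world usage.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Audit lsattr output for files that should be append-only ('a') or
# immutable ('i') and report any that have lost the flag.
# On a real host, replace the constructed sample with, for example:
#   lsattr -d /var/log/auth.log /var/log/syslog /var/log/kern.log /etc/hosts
# The flags themselves are set with:
#   chattr +a /var/log/auth.log    # append-only log
#   chattr +i /etc/hosts           # immutable config file

# Constructed sample in lsattr's output format: attribute string, then path.
# 'e' is the ordinary extents flag; only 'a' and 'i' matter here.
SAMPLE_LSATTR='-----a--------e------- /var/log/auth.log
--------------e------- /var/log/syslog
----i---------e------- /etc/hosts
-----a--------e------- /var/log/kern.log'

# has_flag ATTRS CHAR: succeed if CHAR appears in the attribute string.
has_flag() {
    case "$1" in *"$2"*) return 0 ;; esac
    return 1
}

# audit_lsattr FLAG < lsattr-output
# Prints one line per file that lacks FLAG ('a' or 'i').
audit_lsattr() {
    want="$1"
    while read -r attrs path; do
        [ -n "$path" ] || continue
        if ! has_flag "$attrs" "$want"; then
            printf '%s missing +%s\n' "$path" "$want"
        fi
    done
}

# Policy check: everything under /var/log in the sample must be append-only.
missing_append_only() {
    printf '%s\n' "$SAMPLE_LSATTR" | grep ' /var/log/' | audit_lsattr a
}

# Policy check: files under /etc in the sample must be immutable.
missing_immutable() {
    printf '%s\n' "$SAMPLE_LSATTR" | grep ' /etc/' | audit_lsattr i
}

missing_append_only
missing_immutable
```

Run from cron and diff against the previous report, a log that silently loses +a between two runs is worth investigating.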
I just found this really useful site, the ‘Ubuntu Server Guide’. It gives a nice general overview of how to set up and configure most of the main uses of your Ubuntu server. There are a few gems in there, like a really useful little package called etckeeper, which is basically a version control system for your ‘/etc’ directory, meaning that you always have backups of your configuration and that you can tell exactly when changes to the config were made and by whom. This seems like such a simple, yet brilliant idea that I can’t believe the package isn’t standard on any distro. It reminds me of Sun’s (now Oracle’s) ZFS and its ability to take snapshots and to ‘roll back’.