Suspicious activity to look for...

Joe Wood dot.sn1tch at gmail.com
Sun Jul 10 23:22:27 GMT 2005


I have a FreeBSD 5.4 system set up, and I have read numerous articles on
securing it. For the first few months prior to setting up this system I read
a lot about the little tweaks using sysctl and the like. Now everything is
running well, but I want to know what to look for in case I am missing
something. I, very meticulously, read all the system logs that get emailed
to root and I read all the auth, console logs, etc. Except for the occasional
attempt to gain access with random usernames, there is nothing I see to be
worried about. This system is in a very secure DMZ, so even if it was
compromised there is no way it could leak over to the local network. Here
are some of the variables in sysctl.conf:

kern.ipc.somaxconn=8192
security.bsd.see_other_uids=0
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1
net.inet.icmp.icmplim=50
net.inet.icmp.drop_redirect=1

auth.conf and login.conf use blf as the crypt instead of md5

This system is used for public use, mainly shell accounts and ftp space to
people I know. I know the risk is greater when I introduce public users into
the mix. Is there anything I can look for or something I have overlooked as
far as checking for suspicious activity?

Thanks for the help!

p.s. Sorry for the long email, just trying to be thorough.

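One way to triage the "random username" attempts the post mentions, as an added example that is not part of the original message: a Python script that reads sshd lines in FreeBSD's syslog format from a constructed auth.log sample and flags sources that try many distinct usernames, sources with repeated password failures, and a successful login that follows failures from the same source. The hostname, addresses and thresholds are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample in FreeBSD syslog format (hostname and addresses are made up)
SAMPLE_AUTH_LOG = """\
Jul 10 22:01:03 shellbox sshd[1021]: Illegal user admin from 192.0.2.10
Jul 10 22:01:04 shellbox sshd[1021]: Failed password for illegal user admin from 192.0.2.10 port 40101 ssh2
Jul 10 22:01:09 shellbox sshd[1023]: Illegal user test from 192.0.2.10
Jul 10 22:01:14 shellbox sshd[1025]: Illegal user oracle from 192.0.2.10
Jul 10 22:01:20 shellbox sshd[1027]: Illegal user guest from 192.0.2.10
Jul 10 22:05:41 shellbox sshd[1040]: Failed password for joe from 198.51.100.7 port 51022 ssh2
Jul 10 22:05:49 shellbox sshd[1040]: Accepted password for joe from 198.51.100.7 port 51022 ssh2
Jul 10 23:10:02 shellbox sshd[1102]: Failed password for root from 203.0.113.5 port 33010 ssh2
Jul 10 23:10:03 shellbox sshd[1102]: Failed password for root from 203.0.113.5 port 33010 ssh2
Jul 10 23:10:05 shellbox sshd[1102]: Failed password for root from 203.0.113.5 port 33010 ssh2
"""

# Older OpenSSH logs "Illegal user", newer versions "Invalid user"; accept both.
ILLEGAL_RE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")

def analyze_auth_log(text, user_threshold=3, fail_threshold=3):
    # Returns a list of (source_ip, reason) findings worth a closer look.
    users_by_ip = defaultdict(set)   # distinct usernames tried per source
    fails_by_ip = defaultdict(int)   # password failures per source
    accepted_after_fail = []         # (ip, user) logins that followed failures
    for line in text.splitlines():
        m = ILLEGAL_RE.search(line)
        if m:
            users_by_ip[m.group(2)].add(m.group(1))
            continue
        m = FAILED_RE.search(line)
        if m:
            users_by_ip[m.group(2)].add(m.group(1))
            fails_by_ip[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and fails_by_ip.get(m.group(2)):
            accepted_after_fail.append((m.group(2), m.group(1)))
    findings = []
    for ip, users in users_by_ip.items():
        if len(users) >= user_threshold:
            findings.append((ip, "username enumeration: %d distinct names" % len(users)))
    for ip, n in fails_by_ip.items():
        if n >= fail_threshold:
            findings.append((ip, "password guessing: %d failures" % n))
    for ip, user in accepted_after_fail:
        findings.append((ip, "login for %s succeeded after failures from this source" % user))
    return findings
```

On a real host, feed it the contents of /var/log/auth.log instead of the sample; the third finding type (success after failures) is the one that deserves a follow-up check of that user's activity rather than just a firewall rule.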