by jaequery 5076 days ago
These days, we use a set of pre-built commercial scripts to harden servers.

Especially once you get into PCI compliance, there is no way to do all this yourself.

Things to perform generally are:
- install grsecurity kernel
- clamav
- aide / rkhunter (IPS)
- proper file perm/ownerships
- JIT (just-in-time patching)
- real-time malware
- anti ddos via sysctl
- disabling un-needed services

Check out atomicorp.com's ASL; it takes care of a lot of these things.

Aqueduct is also a good starting point; it is a set of bash/puppet scripts to perform these mundane tasks.
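The "anti ddos via sysctl" item above is usually delivered by hardening scripts as a block of kernel settings. The script below is an added example (not code from the thread, from ASL or from Aqueduct) that audits a host's network sysctls against a small baseline and emits the `sysctl.d` lines needed to close the gaps, so the change is reviewable before it is applied. The baseline keys are real Linux sysctls; the chosen values are common hardening defaults and an assumption you should adapt per host.

```python
"""Audit Linux network-hardening sysctls against an expected baseline.

Added example; the baseline values are typical hardening choices (SYN cookies,
reverse-path filtering, no ICMP redirects or source routing, full ASLR) and are
an assumption to tune per host, not a standard.
"""
from pathlib import Path

# (sysctl key, expected value, why it matters)
BASELINE = [
    ("net.ipv4.tcp_syncookies", "1", "SYN cookies blunt SYN-flood backlog exhaustion"),
    ("net.ipv4.conf.all.rp_filter", "1", "drop packets with spoofed source addresses"),
    ("net.ipv4.conf.all.accept_redirects", "0", "ignore ICMP redirects (route poisoning)"),
    ("net.ipv4.conf.all.accept_source_route", "0", "refuse source-routed packets"),
    ("net.ipv4.conf.all.log_martians", "1", "log impossible source addresses"),
    ("net.ipv4.icmp_echo_ignore_broadcasts", "1", "do not answer broadcast pings (smurf amplification)"),
    ("kernel.randomize_va_space", "2", "full ASLR for userland"),
]


def read_live_sysctls(proc_root="/proc/sys"):
    """Read the current value of every baseline key from /proc/sys (Linux only).

    Keys the running kernel does not expose are reported as None so the audit
    flags them instead of silently passing.
    """
    values = {}
    for key, _, _ in BASELINE:
        path = Path(proc_root) / key.replace(".", "/")
        try:
            values[key] = path.read_text().strip()
        except OSError:
            values[key] = None
    return values


def audit(current):
    """Compare a {key: value} mapping against BASELINE.

    Returns a list of findings (key, expected, actual, reason); an empty list
    means the host matches the baseline.
    """
    findings = []
    for key, expected, reason in BASELINE:
        actual = current.get(key)
        if actual != expected:
            findings.append((key, expected, actual, reason))
    return findings


def render_sysctl_conf(findings):
    """Turn findings into lines suitable for a file under /etc/sysctl.d/."""
    return "\n".join(f"{key} = {expected}" for key, expected, _, _ in findings)


if __name__ == "__main__":
    # Constructed sample: a host with SYN cookies on but redirects accepted and ASLR off.
    sample = {k: v for k, v, _ in BASELINE}
    sample["net.ipv4.conf.all.accept_redirects"] = "1"
    sample["kernel.randomize_va_space"] = "0"
    for key, expected, actual, reason in audit(sample):
        print(f"FAIL {key}: expected {expected}, got {actual!r} ({reason})")
    print("--- proposed /etc/sysctl.d/90-hardening.conf ---")
    print(render_sysctl_conf(audit(sample)))
```

Running it on a live box is `audit(read_live_sysctls())`; the sample dictionary in `__main__` exists only so the example runs anywhere. Keeping the expected values in one table with a reason per key is what makes the output useful in a PCI evidence folder: each deviation carries its own justification.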


If you need an easy-to-use and easy-to-deploy HIDS, I highly recommend OSSEC, https://bitbucket.org/dcid/ossec-hids. Trend Micro funds and supports this software, so if you need support it is available. It will allow you to monitor any log file and actively perform certain actions, such as blocking a bad IP address, with default as well as custom rules.
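The "watch a log file, count events per source, then act" loop the reply describes is the core of HIDS active response. The watcher below is an added example written to illustrate that loop; it is not OSSEC code, does not use OSSEC's rule format, and the sshd log lines are constructed. It keeps a sliding window of failed logins per source address and returns a single block decision when a threshold is crossed, leaving the actual enforcement (firewall rule, alert) to the caller.

```python
"""Sliding-window failed-login watcher in the spirit of HIDS active response.

Added example, not OSSEC code. Log lines in SAMPLE_LOG are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog-style sshd failure line. Classic syslog omits the year, so the
# watcher is told which year to assume when parsing timestamps.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


class BruteForceWatcher:
    """Count failed logins per source address inside a time window.

    feed(line) returns ("block", ip) the first time an address reaches
    `threshold` failures within `window_seconds`, and None otherwise.
    """

    def __init__(self, threshold=5, window_seconds=120, year=2024):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.year = year
        self.failures = defaultdict(deque)  # ip -> timestamps, oldest first
        self.blocked = set()                # addresses already acted on

    def feed(self, line):
        m = FAILED_LOGIN.match(line)
        if not m:
            return None  # not a failure event: ignore
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        q = self.failures[ip]
        q.append(ts)
        # Expire events that have aged out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked.add(ip)
            return ("block", ip)
        return None


def run_watcher(lines, **kwargs):
    """Feed log lines in order and return the list of actions taken."""
    watcher = BruteForceWatcher(**kwargs)
    return [a for a in (watcher.feed(line) for line in lines) if a is not None]


# Constructed sample log: one address hammering sshd, one legitimate key login.
SAMPLE_LOG = [
    "Jan 15 10:00:01 web1 sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Jan 15 10:00:02 web1 sshd[2112]: Failed password for root from 203.0.113.7 port 51235 ssh2",
    "Jan 15 10:00:03 web1 sshd[2120]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2",
    "Jan 15 10:00:04 web1 sshd[2131]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Jan 15 10:00:05 web1 sshd[2134]: Failed password for invalid user oracle from 203.0.113.7 port 51237 ssh2",
    "Jan 15 10:00:06 web1 sshd[2138]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "Jan 15 10:00:07 web1 sshd[2140]: Failed password for root from 203.0.113.7 port 51239 ssh2",
]

if __name__ == "__main__":
    for action, ip in run_watcher(SAMPLE_LOG):
        # A deployment would invoke the firewall or raise an alert here.
        print(f"{action}: {ip}")
```

Two design points carry over to any real rule set: the window expiry stops a slow trickle of failures over a day from tripping the same threshold as a burst, and the `blocked` set makes the action idempotent so a noisy source does not generate one firewall call per log line.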