by ericd 6050 days ago
Logs are great for forensic investigation after one has been alerted to an exception, my question is more about expanding alert coverage to various other suspicious activity.

Do most people just make a strong password and trust that that keeps the baddies away?

I think one thing that would be interesting would be a utility that checks the checksums of files and contents of directories of various installed components against canonical versions stored elsewhere. Does this exist?

2 comments
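As an added example (not code from this thread, nor from OSSEC or tripwire), here is a minimal version of the checksum utility asked about above: it snapshots a directory tree as SHA-256 digests and later reports which files were added, removed or modified. The tree built inside `demo()` is constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Map every regular file under root (by relative path) to its SHA-256 digest."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): _sha256(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }

def verify(root: str, baseline: dict) -> dict:
    """Re-hash the tree and report files added, removed or modified relative
    to the baseline; three empty lists means nothing changed."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
    }

def demo() -> dict:
    """Constructed scenario: snapshot a small tree, then change it in three ways."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "bin").mkdir()
        (Path(root) / "bin" / "login").write_bytes(b"original binary")
        (Path(root) / "etc.conf").write_text("PermitRootLogin no\n")
        # The baseline belongs on read-only or off-host storage ("stored elsewhere"
        # in the question), so whoever can alter the files cannot also alter it.
        baseline = json.loads(json.dumps(build_baseline(root)))
        (Path(root) / "bin" / "login").write_bytes(b"modified binary")  # modify
        (Path(root) / "etc.conf").unlink()                               # remove
        (Path(root) / "bin" / "extra").write_bytes(b"new file")          # add
        return verify(root, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the check runs from cron and the report feeds an alert, which is the coverage gap the question is about; a checker and baseline that live on the same host as the monitored files share that host's fate if it is fully compromised.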

Check out http://OSSEC.net, it's a host-based intrusion detection system. It does everything you described and more. I am slowly working on a better Web UI with real-time alerts.
Wow, that looks great. Any idea how it compares to the other tools mentioned? (tripwire, portsentry, logwatch)
There isn't one single solution to cover all angles. So yes, logs are useful but won't protect you either. And yes, they could help you to discover intrusion.

Regarding authentication, you could use public/private key auth for ssh. This is stronger than passwords. You could also use two-factor authentication (look for yubikey for an example).

And yes, such a tool exists: for instance tripwire.

Good tip on the pub/priv key auth for ssh. Also on tripwire. Thanks!

Custom logs generated by your own app for things like login attempts, etc., are definitely useful for detecting issues. I was referring more to things like apache connection logs, and other logs generated by other programs - I would imagine that there's a huge range of things to look for.

When I say logs, I mean all sorts of logs (network, system, app...). So that includes auth logs, apache logs and so on.