I think things like firewalls, turning off services, etc. etc. have been covered. I haven't seen these yet (but I didn't read everything in the thread).
- AIDE - Advanced Intrusion Detection Environment - http://sourceforge.net/projects/aide
- This works a lot like tripwire (but is GNU/GPL). Basically, it takes a snapshot of the files on the system (using SHA1, MD5, etc. etc.). On any system that I'm "worried" about, I'll use AIDE to take a snapshot of the system and I _store that on CD_. This way, if the system ever gets compromised, you can pull the machine offline and run AIDE against the CD and determine what has been changed. If you leave the AIDE DB on the machines, the attacker can simply "update" the DB. Anyways, useful for checking the integrity of the system. I've used this utility on "real systems" and "honeypots".
- Snort - http://www.snort.org
- This might be overkill. I run snort at a lot of sites. Even if it's overkill for your network, it's still sometimes interesting to see what it catches.
- PAX/GRSEC - extra security layers in the kernel. These are basically kernel patches that prevent (or try to) buffer overflows, heap overflows, various race conditions. They add several security features that the default kernel doesn't have.
- IBM ProPolice - As a Gentoo user (No, I'm not a ricer) - I use the IBM ProPolice GCC patches to build up most of my system(s). This adds things like "canary-on-the-stack" type protection amongst other things. Basically, again, it "helps" prevent things like buffer overflows, etc.
- Don't ignore syslog data. On critical sites, we have syslog stored locally and remotely. A typical attacker will attempt to "cover up" the intrusion by modifying the system logs (syslog) data. If the data is stored off site (via syslog UDP over a VPN tunnel, or whatever), the attacker won't have access to those logs to "cover up". Sure, they can edit the local logs - but who cares.
- Speaking of syslog, utilities like "swatch" will allow for "real time" syslog monitoring. It seems to work pretty well, but I've always found it a bit "kludgy". I've been working on another project (code named "sagan") that's written in C. The idea is that it's "snort" for "syslog". The idea is that it uses the same rule set structure as "snort" and will even output to a Snort database (SQL). This enables you to use tools that work with snort (oinkmaster, BASE/ACID, etc.) to work with "sagan". Sagan can/will be able to output to ASCII flat files, Snort DBs, MySQL, PostgreSQL and various other formats. The rule sets allow you to "look" for events and be notified in "real time". I'll post here when I have the release version done.
Anyways, that's my 2 cents.
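The AIDE workflow in the post (hash every file, keep the baseline on media the box can't rewrite, compare later) as an added, self-contained Python example; this is not AIDE's own code or the poster's, and the directory tree, the "CD" location and the tampered files are all constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and specials are skipped in this minimal version
            with open(full, "rb") as fh:
                baseline[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline

def save_baseline(baseline, path):
    # Written once at install time; the copy you trust is the one on read-only media,
    # not the one left on the host, which an intruder can simply regenerate.
    with open(path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)

def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)

def compare(baseline, current):
    """Report files added, removed or modified relative to the trusted baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed scenario: baseline a tiny tree, then tamper with it and re-check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    _write(os.path.join(root, "bin", "login"), "original login binary\n")
    _write(os.path.join(root, "passwd"), "root:x:0:0\n")
    cd_copy = os.path.join(tempfile.mkdtemp(), "aide.db")  # stands in for the CD
    save_baseline(snapshot(root), cd_copy)
    # Simulated compromise: a trojaned login plus a dropped extra file.
    _write(os.path.join(root, "bin", "login"), "trojaned login binary\n")
    _write(os.path.join(root, "bin", "backdoor"), "x\n")
    return compare(load_baseline(cd_copy), snapshot(root))
```

The unchanged `passwd` is not reported, while the modified `bin/login` and the new `bin/backdoor` are, which is exactly the signal you get from running AIDE against the CD copy rather than the on-host database.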