I came across this article, which is worth a read if you want to know what to do when your Linux server is hacked:
http://security.linux.com/security/05/0 ... tml?tid=35

The article references two IDS tools, Tripwire and chkrootkit. I know for a fact that both exist in the Gentoo portage repository, and only chkrootkit of the two is available from the Debian APT repository.

Latest versions of both, as well as more detailed information about the two tools, can be found here:

http://www.chkrootkit.org/
http://www.tripwire.org/

Tripwire isn't in debian because it isn't free ( as in freedom. )
If you are using debian integrit does more or less the same thing.

Mounting noexec,ro where possible is also a simple but good idea.

sednet is correct, if one wants tripwire on Debian, you can add the non-free category and get tripwire.

Another useful approach is to use RIBS to back your Linode up to a local directory, and have it email its reports to you. Any file that gets modified will be picked up by rsync and listed in the report, and you will still have access to older versions.

_________________
Bus error (passengers dumped)

Erm, the tripwire package is in main but it's non-us not non-free since after all the package in debian *is* based off of the GPL sources

Package: tripwire
Priority: optional
Section: non-US
Installed-Size: 6564
<snip some stuff here>
Filename: pool/non-US/main/t/tripwire/tripwire_2.3.1.2-6.1_i386.deb

Overlord, thanks for the corrections. I didn't bother to check beyond seeing that it was apt-getable

it used to be in non-free untill teh tripwire ppl released a GPL version which replaced what was in debian so it was moved