So, how does that list look? I don't know if installing ALL of those is necessary or not... Samhain is one more thing I'll add to that list.
To be honest, I look at it from more of a task perspective than a software collection. You've pretty much got three categories to worry about: prevention, detection and recovery. Obviously that is a gross oversimplification, but if you don't have all three of those covered, you'll be hurting if you get cracked.
I think recovery is probably the easiest to deal with. You need decent backups that work. My personal take is that virtual machines are a nice way to deal with this as well. Of course before you can recover you need to have an investigation plan so you're not just restoring a crackable machine. You should have the CERT checklist bookmarked as well as the Security forum here. If you're willing to follow some procedures, there are some experienced investigators who like to tackle those problems.
Detection is kind of a pain, but you need to worry about it. I like tools like Aide or Samhain, but I've also seen some experienced people voice concerns that those sorts of tools are among the first things good crackers would look for. Monitoring log files will also help.
I don't take any issue with the list you've created, although there is probably some redundancy. Just out of curiosity, you don't have SELinux as an option; did you exclude that? I don't know if any of the distros you're considering have SELinux enabled (I know RHEL does, so maybe Fedora does as well). I know SELinux can be a bear to get configured, but it might be worth considering if you haven't.
On a related note, trying to understand iptables is a royal pain in the ass. I've only glossed over it so far, but wow... I'm not sure I'd trust myself with making rule sets only to find out AFTER getting hacked that they didn't work @_@ manually editing looks to be a real pain, and firestarter/guarddog look to be able to handle some of it. Are firestarter/guarddog decent enough front-ends to work with iptables? Also, will those rules stick when switching to runlevel 3?
Actually, basic iptables is fairly straight-forward once you've done a little reading. While tools like firestarter and guarddog are fine, I personally like writing rules by hand because then I understand how my firewall is doing what it does. However, that is very much a personal preference and if you're more comfortable starting with a tool, then certainly do so. The firewall should start in runlevel 3, but a quick check never hurts.
Basically, it looks like you're taking a decent approach. Redundancy is the key.
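As an added illustration of the hand-written approach described in the reply above (example code, not the poster's own ruleset), here is a minimal default-deny host firewall in iptables-restore format plus a sanity check you can run against `iptables-save` output after rebooting into runlevel 3. It assumes SSH on port 22 (override with `SSH_PORT`) and the `conntrack` match module.

```shell
#!/bin/sh
# Minimal host firewall for iptables-restore: default-deny inbound, allow
# loopback, established/related traffic, rate-limited ping and SSH.
# SSH_PORT is an assumption; override it for a non-standard port.
SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset in iptables-save/iptables-restore format on stdout.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "IPT-DROP: " --log-level 4
COMMIT
EOF
}

# Sanity-check a ruleset in iptables-save format read from stdin:
# INPUT and FORWARD must default to DROP and loopback must be accepted.
# Returns 0 when all checks pass, 1 (with a reason on stderr) otherwise.
check_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' \
        || { echo "INPUT policy is not DROP" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' \
        || { echo "FORWARD policy is not DROP" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT' \
        || { echo "loopback traffic is not allowed" >&2; return 1; }
    return 0
}

# Typical use (as root):
#   gen_rules | iptables-restore
# Quick check after a reboot into runlevel 3:
#   iptables-save | check_rules && echo "firewall ok"
```

Dropped packets are logged with the `IPT-DROP:` prefix, so the log monitoring mentioned earlier in the thread can pick them up.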