Hi there, saimike. Just wondering how it's going with this. Have you been able to lay out some sort of plan of action yet? Hopefully you already started reading security material and are on your way to determining which tools, policies, and procedures are most suitable for you.
I was thinking about what you said about any pointers being appreciated. If there was only one piece of advice I could offer you, it would be to install and familiarize yourself with a HIDS. Personally, I use Tripwire (and I recommend it), but there are several other HIDS available, such as AIDE, Samhain, Osiris, OSSEC, Tiger, Afick, Integrit, etc. Each has its pros and cons, and each will appeal to different tastes. Some have features others don't.
Having a properly installed HIDS is one of the simplest things you can do in order to avoid being in a situation where you don't know if your security has been compromised or not. It's also a perfect first step toward knowing *how* you were breached. Yet even so, you wouldn't believe the amount of cases seen here on LQ (and in the physical world also) where the admins don't know with a fair degree of certainty whether or not they are still in control of their boxes.
Install a HIDS before you plug your box into the network for the first time (after having done an installation from trusted media). Heck, install two HIDS if you want. Schedule cron jobs for them, have the results emailed to you periodically. Keep off-site backups of their databases in read-only media just in case. Once in a while run a scan from a Live CD, even if it seems redundant. It's all good. Information is power, and knowing what (if anything) has been changed on your system is one of the most essential pieces of information an admin concerned about security can have.
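As an added illustration (not code from this post or from any of the tools named above), here is a minimal file-integrity checker in Python that shows the core of what Tripwire, AIDE and the others do: build a trusted baseline of file fingerprints, store it read-only, and later report exactly what was added, removed or changed. The directory layout and sample files are assumptions for the demonstration.

```python
import hashlib
import json
import os
import stat
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record the attributes a HIDS typically watches: mode, owner, size, content hash."""
    st = path.lstat()
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):  # only hash regular files, not symlinks/devices
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "sha256": digest.hexdigest(),
    }


def build_baseline(root: str) -> dict:
    """Walk `root` and fingerprint every file; this is the trusted database."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline


def save_baseline(baseline: dict, db_path: str) -> None:
    """Write the database and make it read-only, as the post recommends."""
    Path(db_path).write_text(json.dumps(baseline, sort_keys=True))
    os.chmod(db_path, 0o400)


def check(root: str, baseline: dict) -> dict:
    """Compare the live tree against the baseline; report added/removed/changed paths."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(current) & set(baseline)
                     if current[p] != baseline[p])
    return {"added": added, "removed": removed, "changed": changed}
```

Run build_baseline() once from trusted media before the box goes on the network, then schedule check() from cron and mail the returned report; a non-empty "changed" list for something like bin/ls is the signal the post is talking about.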