I recently spoke at the Drupal Melbourne July meetup about the open source intrusion detection system OSSEC, and how it can be used to give you more insight into attacks and strange or broken activity on your Drupal sites (as well as more generally across your infrastructure).
I recently got a few Yubikeys and have been implementing PAM, SSH integration and the like for two factor authentication across a range of infrastructure.
Having learnt the hard way over the years, I always make sure to implement a set of firewall rules not just inbound to my servers, but also outbound for traffic leaving them.
I really like OSSEC, the open-source intrusion detection system, and deploy it wherever I'm working. Not only is it great from a security point of view (detecting brute force attacks, crawlers, XSS injection attempts, bad permissions on files, modifications to files, notification of installed/removed packages, presence of rootkits etc.), but it's also really good at exposing the general state of things on your infrastructure that might otherwise go unnoticed (even if they're logged).
1. Add this line to /etc/apt/sources.list or create a new file called /etc/apt/sources.list.d/mig5.list
deb http://debian.mig5.net/debian/ wheezy main
2. My repo is signed with my GPG public key. To fetch the key:
I haven't got around to packaging OSSEC for Debian yet - mainly because I haven't decided how to handle the fact that OSSEC uses a server->agent model that depends on the generation/importing of unique keys for communication (not unlike Puppet with SSL certificates), from an automation/Puppet perspective.
Update: Aegir subfolder support is apparently now in Aegir 2.x proper. See the ticket
About 2 and a half years ago, a feature request was made for the Aegir project to support the creation/management of 'example.com/mysite1', 'example.com/mysite2' subdirectory Drupal sites.
The Debian package that I made for Kippo last year was a few commits behind (though not by much!).
When recently firing up a fresh Kippo sensor, I realised there were some bugs in the postinst script on a fresh install - additionally, there were some other bugs when removing and re-installing Kippo.
These have been fixed, and the Kippo package is now in line with revision r219 of the subversion repo maintained by desaster.
I had a situation whereby I had to protect a site with HTTP auth, but exclude a certain IP address or two from having to use HTTP auth (e.g. load testing).
The problem was, the site was also behind a Varnish proxy. So I couldn't do 'Allow from (ip)' in the Apache settings, because the IP would always be the IP address of the Varnish server at this point.
And obviously, I couldn't 'Allow from (varnish ip)' because that's the same as not having any HTTP auth at all :)