Periodically scan your own machines (from a host that has complete access through the firewall, so the firewall does not hide ports from you) for open ports, and compare the output to a baseline scan taken immediately after installation. Note any differences and make sure you know the reason for each of them:
A few weeks ago you port-scanned your machine as part of a security audit, with the following results:

    Port      State   Service
    22/tcp    open    ssh
    25/tcp    open    smtp

Today you get:

    Port      State   Service
    22/tcp    open    ssh
    25/tcp    open    smtp
    2105/tcp  open    unknown
A listening port that you did not open yourself is strong evidence that you have been hacked! On the host itself, find the process that owns the port (for example with `netstat -tlnp`, `ss -tlnp` or `lsof -i :2105`) and trace it back to an intentional change such as a newly installed service; if you cannot account for it, treat the machine as compromised. Regular scans of your machines, compared against the baseline, therefore serve as a simple intrusion detection method.
Ideally one would want the scans automated (easy: run them from cron), together with a system that stores the results of scans of many machines and determines the differences from previous scans. nmapsql is just such a system:
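As an added example (not nmapsql, and not code from the original page), the following Python script performs the baseline comparison described above on nmap's greppable output (`nmap -oG <file> <targets>`). The two scan texts embedded in it are constructed to mirror the ssh/smtp example on this page; the host address 192.0.2.10 and the file names are assumptions.

```python
"""Compare an nmap greppable-output (-oG) scan against a baseline scan.

Added example for this page; it is not nmapsql and not part of any project
described here. It assumes both scans were produced with
`nmap -oG <file> <targets>`; the sample scan texts below are constructed.
"""
import re
import sys
from typing import Dict, List, Tuple

# Key: (host, port, protocol); value: (state, service) for every open port.
PortMap = Dict[Tuple[str, int, str], Tuple[str, str]]

# Constructed sample output in nmap's greppable format (-oG).
BASELINE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -oG baseline.gnmap 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///\tIgnored State: closed (998)
# Nmap done -- 1 IP address (1 host up)
"""

TODAY_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -oG today.gnmap 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 2105/open/tcp//unknown///\tIgnored State: closed (997)
# Nmap done -- 1 IP address (1 host up)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text: str) -> PortMap:
    """Extract every open port from -oG output.

    Each port entry has the form port/state/protocol/owner/service/rpcinfo/version/
    and entries are comma separated; only the first five fields are used here.
    """
    ports: PortMap = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status: Up" lines carry no ports
        host = HOST_RE.match(line).group(1)
        # The Ports: field ends at the next tab-separated field (Ignored State, OS, ...).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue  # malformed entry, ignore
            port, state, proto, _owner, service = fields[:5]
            if state != "open":
                continue  # filtered/closed ports are not part of the baseline
            ports[(host, int(port), proto)] = (state, service or "unknown")
    return ports


def diff_scans(baseline: PortMap, current: PortMap) -> Dict[str, List[Tuple[str, int, str]]]:
    """Return ports that appeared, disappeared, or changed service since the baseline."""
    return {
        "new": sorted(k for k in current if k not in baseline),
        "closed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def format_report(diff: Dict[str, List[Tuple[str, int, str]]]) -> List[str]:
    """Render the diff as one line per finding; an empty list means no change."""
    lines = []
    for kind in ("new", "closed", "changed"):
        for host, port, proto in diff[kind]:
            lines.append(f"{kind.upper():8} {host} {port}/{proto}")
    return lines


if __name__ == "__main__":
    # Usage: compare.py baseline.gnmap today.gnmap (falls back to the samples).
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            base_text = f.read()
        with open(sys.argv[2]) as f:
            cur_text = f.read()
    else:
        base_text, cur_text = BASELINE_SCAN, TODAY_SCAN
    report = format_report(diff_scans(parse_gnmap(base_text), parse_gnmap(cur_text)))
    print("\n".join(report) if report else "no change from baseline")
    sys.exit(1 if report else 0)  # non-zero exit lets cron mail you on any difference
```

Run from cron, the scan step is a plain `nmap -oG` into a dated file and the comparison step is this script with the baseline file and the newest scan; because it exits non-zero only when something differs, cron's default mail-on-output behaviour turns every unexplained port into a notification. A port that disappears is reported too, since a service you rely on going away is also a change you should be able to explain.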