May 24th, 2004, 09:07 AM
#6
Ok, my recommendations:
1. DO NOT under any circumstances, install any honeypot software anywhere near a production machine. Honeypots are for fun and catching attackers; they need to be installed with great care and in a very sterile carefully prepared environment. And nowhere near a production machine. Remember that not all honeypot software is free from vulnerabilities itself.
2. Don't rename root. It is pointless and may break stuff. For starters, renaming root instantly breaks most of "inetd" services. DO disallow non-local root logins via sshd, FTP etc.
I think that limiting your usage of the root account is mainly for safety rather than security. If someone compromises your user account, they only need to trojan "su" (which can be done with a shell script), and they have root too.
IDS are nontrivial to maintain, and use up a lot of system resource (as well as the administrator's time). If you don't have time to spare to take care of your IDS properly, don't install one as it will be counterproductive. If after two weeks you have 10Gb of logs, you aren't going to bother sifting through them to find the 10 lines caused by attackers in the 100 million caused by worms.
Obviously if you start having IDS on a production system, it can also use up CPU time and fill your disc with logs.
IMHO, the jury is out on Unix AV software - if your preferred vendor has a sufficiently mature package - by all means go for it.
Unix AV software is still in its infancy, and while most vendors provide an on-demand version of their AV for Unix, few do on-access (due to the difficulty of interfacing with the range of Unix kernels). Also bear in mind the performance hit caused by on-access virus scanning; this is pretty severe on some Windows versions.
Not all servers need AV software either. If they aren't handling Windows files on a regular basis, there is no real possibility of getting viruses; therefore it's unnecessary. For example, with a database server you could find that the overhead of an on-access virus scanner decreases performance a lot - and even if the database contains win32-based files - would the AV even find them buried inside the DB?
Slarty
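As an added example (not from the post above or from any particular tool), here is a small checker for the sshd part of point 2: it reads sshd_config text and reports whether remote root login is effectively disallowed. It honours sshd's rule that the first value found for a keyword wins, so a hardening line appended below an earlier "PermitRootLogin yes" is flagged rather than trusted. The sample configs are constructed.

```python
"""Check whether an sshd_config effectively disallows remote root login (constructed example)."""
import re

# sshd keywords are case-insensitive and the FIRST value found for a keyword is used,
# so "PermitRootLogin no" appended at the end of a file does nothing if an earlier line
# already says "yes". Directives inside a Match block apply only to matching connections
# and are ignored here; "Match all" (supported by sshd) returns to global scope.

def parse_global_directives(config_text):
    """Return {keyword_lower: first_value} for directives outside any Match block."""
    directives = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = value.lower() != "all"
            continue
        if in_match:
            continue
        directives.setdefault(keyword, value)   # first occurrence wins, as sshd does
    return directives

def effective_permit_root_login(config_text):
    """Effective global PermitRootLogin value, or None if the directive is unset."""
    value = parse_global_directives(config_text).get("permitrootlogin")
    return value.lower() if value else None

def audit_sshd_config(config_text):
    """Return a list of findings; an empty list means remote root login is disallowed."""
    value = effective_permit_root_login(config_text)
    if value is None:
        # Older OpenSSH releases default to "yes" when unset, so never rely on the default.
        return ["PermitRootLogin is unset; the compiled-in default applies"]
    if value != "no":
        return ["effective PermitRootLogin is '%s', expected 'no'" % value]
    return []

if __name__ == "__main__":
    # Constructed sample: the hardening line at the bottom is overridden by the first line.
    weak = "PermitRootLogin yes\nPort 22\n# hardened later:\nPermitRootLogin no\n"
    fixed = "PermitRootLogin no\nPort 22\n"
    print("weak :", audit_sshd_config(weak))
    print("fixed:", audit_sshd_config(fixed))
```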