Rebuilding after rootkit invasion - need advice
As a few members here know, I recently got blind-sided by what I'm almost certain was a rootkit. I've been limping along for the last week or so with a reinstall that I'm not even sure is clean. I've got a new drive sitting in wraps on my desk, and I should have a trustworthy copy of Fedora 9 in my hands by Friday. What I'd like to know is: What is the best way to reduce the chances of this happening again?
I'm all ears at this point. I know I've got a lot to learn about security. How good is the firewall app that comes with Fedora 9 (KDE 4.0.3)? Should I use it in beginner mode, or woodshed and learn the expert mode? What other measures should I take? I've been studying SELinux. Since rootkits and lax security policies seem to be the greatest threat for a novice like me, what else should I consider? I will eagerly devour any info you might send my way.
-Learning the hard way-
qv
EDIT: I've now got what I'm reasonably confident is a clean install of FC9 on the old drive. I want to get familiar before breaking the seal on the new stuff. One of the problems I've faced is that I couldn't be confident in any of the software I had on hand, since I don't know what might have picked up malicious code during the burn process. So... I've tossed everything. I pulled & burned this copy of FC9 from a clean machine. When installing FC9 I activated drive encryption, set up the firewall using beginner mode, and activated SELinux using the defaults. I'd like to use Flash Player, but I know just enough about the risk to be totally paranoid. I'm not one to visit obviously risky sites, but now I look at every site - even this one - with a skeptical eye. I've been to the O'Reilly site looking for some decent books on Fedora, iptables, and security. I've also spent a little time at the NSA security site. If anyone has any words of wisdom, you have my attention. Thanks.