Steven,
In a production environment, what are the recommended security settings with performance in mind, given that the only services I will be providing are http, https, ssh2 - scp, smtp? (i.e. secure, but with as little overhead as possible). Kernel 2.4.x and using iptables, postfix, stronghold apache.
Q.1 What services can hosts.deny & hosts.allow secure? (mainly in regards to the services that I'm using above)
As Kurt already pointed out, those files are checked by tcpd (the TCP Wrappers daemon). SuSE's OpenSSH has support for it, as well as inetd, but you probably won't want to use the latter. I don't know if Apache or Postfix do, but a little experimentation ought to tell you. Now, the word 'secure' is a little strong, though. The two files *affect* some services; they give some degree of access control. Whether that means securing them depends on your security posture.
Q.2 Should I use stateful connection tracking on all ports or only the ssh,smtp and https ports? What is the stateful connection overhead like.
Your own call to make. The overhead of statefulness shouldn't be too great and seeing the small number of connection types you want to allow, I'd probably write specific rules. For more detailed info, check http://www.samba.org/netfilter (URL unverified) or the (gasp) source code.
Q3. What ICMP should you block and what must you answer directly or indirectly, so that you don't break other services or slow them down.
Well, you'd better decide about the utility ICMP types yourself, though I try to be as restrictive as possible. You may want to allow the following inbound:
* destination-unreachable
* source-quench
* time-exceeded
* parameter-problem
You probably want to drop the following:
* redirect
* router-advertisement
* router-solicitation
* timestamp-request
* address-mask-request
Q4. What are the recommended minimum ports and protocols that I must log, so that I can audit attacks and problems and keep logging overhead to a minimum? Given that our ISP environment has a lot of broadcast traffic. e.g.
Depends on how much work you're looking for. I often start with full logging, then adapting my rules to filter out the 'usual noise'.
Q5. What DoS protection options are there with iptables, and how do you work out the rate to limit at? I have syncookie protection enabled.
Well, the most effective DoS countermeasure in iptables ought to be rate limiting. See the HOWTOs. As for rate calculation, you have to do that for your server specifically.
Q6. Is it still recommended to reject mail server connections to port 113? Is the following setting correct: iptables -A INPUT -i eth1 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
If you talk to mail servers running identd and issuing auth requests, without running the service yourself, yes. Cheers Tobias
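The following script is an added example that pulls the answers above (stateful rules for the four services in Q2, the ICMP allow/drop lists in Q3, rate-limited logging with the ISP broadcast noise dropped silently for Q4, per-port connection rate limiting for Q5, and the port 113 tcp-reset rule from Q6) into one iptables ruleset. It is not code from the thread; the interface name `eth1`, the log and connection rate values, and the `DRY_RUN` switch are assumptions of this example, and the connection rate in particular is a constructed placeholder that has to be measured for the real server, as the reply says.

```shell
#!/bin/sh
# Added example (not from the thread): iptables ruleset for a host
# offering HTTP, HTTPS, SSH and SMTP, kernel 2.4 style (-m state).
# Run as "sh rules.sh dry-run" to print the rules, "sh rules.sh apply"
# to install them. With no argument, nothing is applied.

IFACE="${IFACE:-eth1}"              # external interface (assumed)
LOG_RATE="${LOG_RATE:-5/minute}"    # cap on logged drops (assumed value)
NEW_RATE="${NEW_RATE:-25/second}"   # constructed placeholder: measure your server
NEW_BURST="${NEW_BURST:-50}"        # constructed placeholder

# Wrapper so the same ruleset can be reviewed before it is applied.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Default deny inbound; outbound is this host's own traffic.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT

    # Q2: one stateful rule admits replies to connections this host
    # opened; NEW connections are only accepted for the listed services.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Q5: rate-limit NEW connections per service. Anything over the
    # limit falls through to the DROP policy, so size NEW_RATE carefully.
    for port in 22 25 80 443; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$port" -m state --state NEW \
            -m limit --limit "$NEW_RATE" --limit-burst "$NEW_BURST" -j ACCEPT
    done

    # Q3: ICMP types that keep path MTU discovery and error reporting
    # working are allowed in; the rest of the listed types are dropped.
    for t in destination-unreachable source-quench time-exceeded parameter-problem; do
        ipt -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    for t in redirect router-advertisement router-solicitation \
             timestamp-request address-mask-request; do
        ipt -A INPUT -p icmp --icmp-type "$t" -j DROP
    done

    # Q6: answer identd probes from remote mail servers with a reset so
    # their auth lookup fails fast instead of waiting for a timeout.
    ipt -A INPUT -i "$IFACE" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Q4: drop the ISP segment's broadcast noise without logging it,
    # then log whatever else is about to be dropped, rate-limited so a
    # flood cannot fill the disk.
    ipt -A INPUT -i "$IFACE" -d 255.255.255.255 -j DROP
    ipt -A INPUT -m limit --limit "$LOG_RATE" --limit-burst 10 \
        -j LOG --log-prefix "IPT-DROP: "
}

case "${1:-}" in
    dry-run) DRY_RUN=1; build_rules ;;
    apply)   build_rules ;;
esac
```

The rule order matters: the ESTABLISHED,RELATED rule comes first so that the per-port limit only counts connection attempts, not every packet of an accepted session, and the broadcast drop sits before the LOG rule so the noise never reaches the log. Because the limited ACCEPT rules have no matching DROP, excess attempts are silently discarded by the chain policy; if you would rather see them, add a LOG rule with its own limit after the loop.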