Don,
I'm mostly checking the HTTP access logs (and the FTP transfer logs) as they're the 'usual' path for door-rattlers to attempt access to the site. I put IP ranges in blocks in .htaccess for:
1) non-prime (i.e. not Google, Yahoo, Bing) search bots that just don't play nice and overload the server with too many requests. I consider this a 'denial of service' type attack so Baidu, Yandex and other SEO-type engines are blocked.
We do have a very few accesses that pretend to be Google, but don't come from Google servers. That is apparently a ploy to get paid websites to cough up content without paying (some paid sites allow free access for legitimate search engines).
2) massive registration attempts, particularly from China, Russia, Ukraine, Viet Nam, and Brazil
3) any IP or username or email that appears in Stopforumspam.com is rejected -- no validation message is sent. Also approved user registrations if they haven't been email validated in 21 days.
4) 'interesting' URLs that are either 404-Not Found or have arguments that try remote site inclusion of scripts (doesn't work here), or raw server commands (like SQL injection, which also doesn't work).
For my own sites, I do not run any software that allows upload through the web (so no WordPress, no guestbook, no picture gallery etc.). And I limit my SQL to using Mike Challis' whos-online scripts. This keeps my 'attack-surface' available to the minimum.
By watching the logs daily, you get a sense (like SloWeather said) of what the usual looks like, and who/what is the most active (Google, Yahoo, Bing for our site). Then you can spot anomalies like lots of 404s (somebody probing for software that isn't there), or multiple registration attempts in a short time (likely a spambot).
Last week, the top registration attempts were:
368 180.110.162.222 Chinanet Jiangsu Province
342 80.80.202.132 MTS OJSC, Russia
330 114.222.71.101 Chinanet Jiangsu Province
321 208.105.116.114 Time Warner Cable Internet LLC
300 113.57.190.28 China Unicom HuBei Province Network
270 113.57.190.21 China Unicom HuBei Province Network
244 91.197.129.129 Operator of Virtual Data Computing LLC, Ukraine
192 113.57.190.23 China Unicom HuBei Province Network
182 178.23.129.34 Aspire Technology Solutions Ltd, United Kingdom
171 180.110.163.132 Chinanet Jiangsu Province
168 113.57.190.19 China Unicom HuBei Province Network
163 74.216.94.60 Allstream Corp., Canada
150 180.110.160.11 Chinanet Jiangsu Province
128 58.48.33.142 CHINANET Hubei province
114 109.111.6.35 MTS OJSC, Russia
The Time Warner one was actually someone's browser doing keepalive after doing a successful registration. The China/Russia ones are all spambots.
Best regards,
Ken
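
The daily log check described in the post above (bursts of 404s from one address, many registration attempts in a short time), as an added example that is not part of the original post. The registration path /register.php, both thresholds and the 10-minute window are assumptions, and the sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" log line; only the fields used below are captured.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
REGISTER_PATH = "/register.php"      # hypothetical registration URL (assumption)
MAX_404 = 3                          # assumed threshold: 404s per IP in the log
MAX_REG = 3                          # assumed threshold: registration POSTs per IP...
REG_WINDOW = timedelta(minutes=10)   # ...inside this sliding window

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip malformed lines instead of aborting the whole run
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_anomalies(lines):  # -> ({ip: 404 count}, {ip: peak registrations per window})
    not_found, reg_times = Counter(), defaultdict(list)
    for ip, ts, method, path, status in parse(lines):
        if status == 404:
            not_found[ip] += 1
        if method == "POST" and path.split("?")[0] == REGISTER_PATH:
            reg_times[ip].append(ts)
    probers = {ip: n for ip, n in not_found.items() if n >= MAX_404}
    spambots = {}
    for ip, times in reg_times.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > REG_WINDOW:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= MAX_REG:
            spambots[ip] = best
    return probers, spambots

FMT = '{} - - [12/Mar/2024:{} +0000] "{} {} HTTP/1.1" {} 512 "-" "-"'
SAMPLE = [FMT.format(*row) for row in [   # constructed lines, documentation IPs
    ("198.51.100.7", "10:00:05", "GET", "/wp-login.php", 404),
    ("198.51.100.7", "10:00:06", "GET", "/gallery/upload.php", 404),
    ("198.51.100.7", "10:00:07", "GET", "/guestbook.php", 404),
    ("203.0.113.5", "10:01:00", "POST", "/register.php", 200),
    ("203.0.113.5", "10:02:00", "POST", "/register.php", 200),
    ("203.0.113.5", "10:03:00", "POST", "/register.php", 200),
    ("192.0.2.10", "10:04:00", "POST", "/register.php", 200),
    ("192.0.2.10", "11:30:00", "POST", "/register.php", 200),
]]
```

Calling find_anomalies(SAMPLE) flags the 404 prober and the registration burst, while the address that registers twice more than an hour apart stays below the window threshold.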