Securing a linux box for online shopping TIA 746 Roadster3043

Risk 1: work as root by default. Definite no-no, still seems to be a regular problem for many. If you have to switch to root mode too often to your liking, set up & use sudo properly. Limits the things you can (inadvertently) do to your box.

Firewall is helpful. Any Linux distro comes with at least one. I like iptables myself, but suit your needs and preferences. Check sites dealing with firewall setup and learn. There's a LOT of possibilities. If you define your own firewall rules, a first: start with deny all from all and then specifically allow certain things to pass.

Place risky stuff (i.e. servers, vague apps that do a lot of multi-connection stuff (p2p etc.), DISTrust stuff from unknown sources) in a chrooted environment to reduce damage in case you do get unfriendly visitors. Or move them to a separate box, and while you're at it, build a dedicated firewall (386 will do) and set up a DMZ to hold your server-stuff.

If you set up a server (e.g. Apache), read security-related documentation that comes with the package AND search online for good stuff. Apache should best be set up advertising the least possible. Having every error page tell your 'hackers' what OS, major, minor, release you use is not smart at all. If you implement stuff like PHP, make sure obvious information Valhallas like phpinfo() are not allowed. Use MySQL? Use pipes, only local connections, disable TCP/IP connections to the database server. If you have no need for sendmail, qmail or whatever, get rid of it. Disallow any remote logins, even SSH, if you have no need for them.

Keep your machine tidy, always check MD5-SHA1 sums before installing, in case of impossibility, seriously consider NOT using it, or at least build from source and if you're any savvy in coding, check sources as last resort. If you use a regular distro, regularly update, check for patches-fixes.

Disable everything in your browser you don't need. Switch to paranoid mode. I am very happy with the NoScript plugin I found for Firefox a couple of days ago. Allows per-page-per-visit control over javascript and flash.

If you really are worrying about security, also consider a good implementation of tripwire or similar, and have a rootkit-checker handy. I'm no expert on these, and I remember getting tripwire to work properly was quite a challenge, but it does give me additional means to check my box for hacks. I once had a webserver rootkitted, and that time I was almost completely in the dark. I rescued data and then zapped everything else on it. No fun...

As said by others, virus scanners (ClamAV is popular-widely acclaimed) are nice, but do more for windows clients on your network than for Linux itself. Which is a good thing.

Stuff like tripwire is only useful when regular checks are executed. Same for nmap and the like. Google for those and read read read, then implement the package of choice. Or ask someone savvy to help you out.

Real security-gurus (some call them paranoids) even go as far as building their own kernel with minimally required support for all they use, some even customize several of the sources before building their kernel.

One could go on and on and on, let Google be your friend and don't let all this crap demotivate you. After all, using Linux instead of Win-IE is a MAJOR increase in security. Don't get paranoid. Know your stuff and balance practical with secure.

Good luck, safe and happy banking!

Sh.