Security Awareness: It works on Linux (too)
By admin in Linux, Security
While it is common knowledge that the vast majority of compromised computer systems in the world run Windows, this article discussing details of an anti-phishing investigation done by eBay sheds interesting light on the importance of compromised Linux machines.
What eBay discovered was that a large portion of the web servers running phishing sites turned out to be compromised Linux servers and desktops whose operators had no idea they had been compromised. Interestingly enough, they credited the use of Linux by the phishers to the platform's stability as a server (Well, thanks…I guess?).
It does serve as a reminder, however, that the bad guys are out to get you (and anyone else) and that your platform choice alone is not a replacement for basic good security practice and diligence. If you’re a SysAdmin who believes that your servers (particularly anything public-facing) aren’t under constant attack and probing, then you simply aren’t watching closely enough.
Just a few common-sense tips that everyone should be following:
- Stay patched. This should be a no-brainer with Linux these days. All of the major distros push out critical updates to packages from their repositories. The enterprise distros in particular, like Red Hat (and consequently CentOS), are extremely quick with security-related patches.
- Use a firewall, preferably two. iptables is a good start, but it’s hard to beat a good network device to separate you from the baddies. Think of it as layers of protection.
- Be greedy with your firewall rules. Only allow access when you know it is necessary. If your default rule is ‘allow’, then you’re in for a world of hurt trying to keep up with the bad guys.
- Use real passwords, always. Any level of access to a system or webapp can be the foothold needed by an attacker to escalate privileges. Make sure your passwords are complex and varied.
- Don’t forget about the application layer. Even if your kernel and all apps are patched and you’ve closed every configuration hole in Apache on your web server, a default or weak password on a web CMS can be all an attacker needs to turn you into a phishing server.
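As an added example (not part of the original post), here is a small shell function that checks `iptables -S` output for the default-allow pattern the firewall tips above warn about. The function name `audit_iptables` and both sample rulesets are constructed for illustration.

```shell
# Added example: flag default-allow iptables configurations.
# Constructed sample: default rule is "allow", with one port blocked after the fact.
WEAK_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP'

# Constructed sample: default rule is "drop", with only known-needed traffic allowed.
STRICT_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Reads `iptables -S` output on stdin and prints one finding per line.
# Returns 0 when nothing is flagged, 1 otherwise. Only inbound and forwarded
# traffic is checked; an OUTPUT policy of ACCEPT is not reported.
audit_iptables() {
    awk '
        # "-P CHAIN POLICY" lines carry the default policy of a built-in chain.
        $1 == "-P" && ($2 == "INPUT" || $2 == "FORWARD") && $3 == "ACCEPT" {
            printf "default-allow: chain %s has policy ACCEPT\n", $2
            found = 1
        }
        # A rule with no match criteria that jumps to ACCEPT lets everything in,
        # which defeats a DROP policy on the same chain.
        $1 == "-A" && $2 == "INPUT" && NF == 4 && $3 == "-j" && $4 == "ACCEPT" {
            printf "accept-all: unconditional ACCEPT rule in %s\n", $2
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

echo "weak ruleset:";   printf '%s\n' "$WEAK_RULES"   | audit_iptables || :
echo "strict ruleset:"; printf '%s\n' "$STRICT_RULES" | audit_iptables && echo "no findings"
```

On a live host, feed it the real ruleset with `iptables -S | audit_iptables` (run as root).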
Additional reading:
http://www.puschitz.com/SecuringLinux.shtm - This guy has great Oracle on Linux documentation as well as this really useful guide.