With respect to system hardening and auditing, your distribution's documentation (or "Securing Debian", together with the info at the SANS Reading Room, OWASP and the CISecurity.org profiles) should provide the first steps. Establish a local and remote baseline scan (GNU/Tiger, OpenVAS) first, then read those docs, implement measures and scan again.
Originally Posted by markotitel
Hi, I am publishing a web site which will hold credit card info and some private data in the future.
As frankbell already suggested through that link of his, the PCI-DSS requirements should then be your first stop (and there really is only one source for that: https://www.pcisecuritystandards.org...ity_standards/ ), but there are gradations, so please be specific: are you facilitating or processing credit card payments or not? What HW, network and SW setup (wrt the latter: what software are you exposing) do you have in mind for what you are about to do?