Does anyone have any links or advice on securing down a box that is going to host people's personal web space with a working cgi-bin for each user? The higher-ups want this, so there is no turning it off.

So far I am using proftpd with the mod_sql compiled in. This sets up fake users that authenticate via MySQL. When the user logs into the FTP server for the first time, proftpd creates their user directory at the location specified in the database under "homedir". This is chrooted so the user cannot get back any directories. If the user wants to execute CGI scripts they need to make a cgi-bin directory in their homedir. Apache is set to serve those user directories and to allow scripts in homedirs/*/cgi-bin.

That part all works fine. I am just concerned about security.