LinuxQuestions.org - Security advice for a web server please

I am going to run the following services on a server connected to the internet semi-permanently
- firewall
- router (to internal lan)
Don't run all services on one box. At least have a separate firewall(/router). Harden the box before installing services. For more please check out the LQ FAQ: Security references, especially the hardening part. Make sure you disable all services "fancy" features until you know you really need them. Use access controls. Running services from Xinetd get's you some, plus connection limiting and such. Services like OpenSSH have their own access controls utilising TCP wrappers. If services are for LAN use, make sure account and host access rules match. If it's a server don't install (or remove after compiling) development packages, graphical environment, most distro helper apps. Don't trust (LAN) users. Don't use system auth (/etc/passwd,groups) for service accounts. Most services can use external databases. If they're PAM-ified it's easy to set up. If you're using encrypted passwords/hashes, don't use weak variations (like LANMAN hashes for Samba).

- http/php server
Make sure you need to serve public stuff. Don't allow people to upload and execute arbitrary (parsed) executables. If you can get away with running PHP in safe mode, do so.

- ftp server
I run either Muddleftpd (slightly modified in the logging department and it won't run SITE commands) or Vsftpd. Both can use external means of authentication. Don't use your system auth files for users who need FTP-only access. Better yet, ditch FTP and use OpenSSH to SCP/SFTP.

- mail server
If for public use choose a daemon whose name doesnt being with "Send" and ends with "mail". Disable relaying. Make sure to disable querying for addresses (VRFY and such).

- smb server (for internal lan)
See top.

- ssh terminal (for remote login)
SSH is OK provided you ditch root logins, use key auth, use compression by default and don't get your remote keys compromised (strokes logged).