A good start would be Chirpy's ConfigServer Firewall (CSF). It has a feature to do a "suggestive security scan". Run it. Make all the red go away.
There are a few real good mod_security rules here on the forum... utilize them to the best of your ability as a system administrator.
Disable all the crap scripts that will cause headaches. You know the ones... mambo, phpBB... the stuff that is exploited more often than it's updated.
Secure /tmp. I don't mean a quickie hack of it. Really secure it. This is a 50/50 defense. Users can still run scripts from /tmp by calling the file as a full path (/tmp/script.pl), but a lot of kiddies have not yet figured this out.
No Shell Access. Can I say that often enough? Probably not. NO SHELL ACCESS. Opening SSH to your users is just one more doorway for someone else to wander in. if they *really* need it, make sure it's running on some obscure port, and that the users login is secure... no 4 letter passwords. Make the person work for access.
Harden your php. phpSuExec. use the disable_functions option. You'll find that certain sites and services suggest different things to disable, but I have found "dl,exec,system,passthru,shell_exec" to be a happy for me personally.
A good idea is just to cruise Chirpy's site, and see what he has to offer. You'll find all sorts of fun toys there that will make your job a little easier.
