Subject: security for netbsd as web server
To: None <netbsd-users@netbsd.org>
From: Amadeus Stevenson <amadeus.stevenson@gmail.com>
List: netbsd-users
Date: 03/25/2005 23:02:01

Hello all,

I've been pondering security for a web server + database server
recently, in order to make it as secure as possible.

The obvious things for me were:

- database server accessible only from web server via local network
- Apache chrooted
- tried-and-tested versions of Apache and CGI software (no new exploits
  appearing)
- ipfilter block all default, allow in www with keep state
- securing CGI for code injection etc. (probably biggest area of
  potential weakness)

Is there anything else you could do? Password rotation? What would you
do if you had to run, say, a security-critical (e.g. a bank or PayPal)
system? Would you use NetBSD? Why not (if so)?

Sorry if this is the wrong group - I'm thinking about NetBSD for this
as for me it's stripped down service-wise to a minimum as it is.

Amadeus
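
Added example, not part of the original post: a sketch of an /etc/ipf.conf for the web server host that implements the "block all default, allow in www with keep state" policy and the web-to-database restriction listed above. The interface names (fxp0 public, fxp1 private), the addresses and the database port 5432 are assumptions chosen for illustration.

```conf
# /etc/ipf.conf on the web server (added example; all names are assumed)
#   fxp0      = public interface (assumed name)
#   fxp1      = private interface towards the database host (assumed name)
#   192.0.2.10 = web server public address (documentation range, constructed)
#   10.0.0.1   = web server private address (constructed)
#   10.0.0.2   = database server private address (constructed)
#   5432       = database listener port (assumed; substitute your DBMS port)

# Default policy: drop and log everything in both directions.
# These rules are not "quick", so a later matching rule can override them.
block in  log all
block out log all

# Loopback traffic is local to the host.
pass in  quick on lo0 all
pass out quick on lo0 all

# Inbound web traffic: accept only new TCP connections (SYN without ACK)
# to port 80. "keep state" creates a state entry so the replies and the
# rest of the connection are allowed without a separate outbound rule.
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 80 flags S/SA keep state

# Web server to database: only this source, this destination and this port,
# and only on the private interface. Nothing on fxp0 may reach the database.
pass out quick on fxp1 proto tcp from 10.0.0.1 to 10.0.0.2 port = 5432 flags S/SA keep state

# Anything else arriving on the private interface stays blocked by the
# default rules above, so a compromised database host cannot connect back
# to the web server.
```

With no outbound pass rule on fxp0, a compromised CGI process cannot open new connections to the Internet; services such as DNS or NTP would each need their own explicit stateful rule. The database host would carry the mirror-image ruleset: default block, plus one stateful `pass in` from 10.0.0.1 to its listener port.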