CallMeJ
03-13-2002, 10:59 AM
I know there are many helpful threads regarding security here and elsewhere. I've carefully read many. It is all a bit much, so I'm looking for the next best move for a server that will have shared hosting. Here is what I've done so far...
Made all updates
Installed MySQL - changed default pass, removed anon users
PHP - safe mode = On
Pop before SMTP
Hosting domain different from admin domain (admin email sent to different acct)
Self signed certificate for admin domain
Telnet disabled, ssh installed (protocol 2 only, no root login)
IPchains installed and configured
What is the next best move? I was thinking logcheck. Is it called logsentry now?
What else might be the next best move? (Or move after that for that matter.)
monkey_boy
03-13-2002, 12:25 PM
I like the way your post was very minimal. I'll try to keep mine the same.
If you are more of a newbie than me and you are reading this post, then may your god look over you! Maybe extreme newbie questions should be asked in the main RAQ forum, instead of in this thread. And please search the archives - most of the things I have done I have found out about through the archives. I will scan the main RAQ forum today for questions about what I have put here (like "how do I change my httpd.conf file?")
Here are the things I have done so far (in addition to CallMeJ):
ProFTPD
#disable banner on connect (wait for login)
in /etc/proftpd.conf:
Servername "myserverFTP"
in virtualhost directive
DisplayLogin .ftphelp
also in the global directive:
### - turning off banner until user successfully logs in
DeferWelcome on
ServerIdent Off
DefaultServer on
FTP: If I could do it again, I would move FTP to a higher port. I basically have to walk my clients through setting up FTP anyway, so it wouldn't increase my support costs. Every day, at least one person connects to my FTP server, but does not login. Perhaps they are looking for a vulnerable version of WU-FTP? Perhaps an available Anonymous FTP server? I'd rather move the doorknob so they cannot rattle it.
Apache-add an extra.conf file for custom additions. In httpd.conf, add:
Include /etc/httpd/conf/extra.conf
removing Indexes
in extra.conf:
Options -Indexes
#if need symlinks:
Options SymLinksIfOwnerMatch
remove banner. in extra.conf:
ServerTokens ProductOnly
ssh
removing v1 fallback compatibility
putting port on xx22
(so it doesn't even show up when someone scans the IP block)
imap
shut it down, I found directions to make the GUI's warning light ignore imap.
sendmail
make sure pop before relay patch is enabled: test for open relays
http://www.abuse.net/relay.html
AT YOUR OWN RISK:
I saw these items mentioned in Hacking Linux Exposed:
1. Add privacy flags for sendmail (authwarnings,novrfy,noexpn):
/etc/mail/sendmail.cf,line 261:
# privacy flags
O PrivacyOptions=goaway,authwarnings,novrfy,noexpn
#(previously only had goaway)
2. Remove the sendmail banner:
(commenting out the old line, replacing the $v/$Z)
/etc/mail/sendmail.cf,line 393:
#O SmtpGreetingMessage=$?{if_name}${if_name}$|$j$. Sendmail $v/$Z; $b
O SmtpGreetingMessage=$?{if_name}${if_name}$|$j$. MyMailServer mail -SMTP spoken here $b
intrusion detection:
install snort and logcheck
good backups- beyond the .raq files
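As an added example (not part of either post above, and not a script that ships with the RaQ): a small POSIX shell audit that checks the settings CallMeJ lists for sshd (protocol 2 only, no root login) and the ones monkey_boy lists for ProFTPD (DeferWelcome, ServerIdent), Apache (ServerTokens, Options -Indexes) and sendmail.cf (PrivacyOptions, no $v/$Z in the greeting). The sample config files it writes under a temp directory are constructed for the demo; the `check_*` function names and the good/bad file names are my own, not anything from the thread.

```shell
#!/bin/sh
# Added example: audit the hardening settings described in this thread.
# The sample configs written by write_samples are constructed for the demo.

# Drop everything after '#' so commented-out directives are not matched.
# (sendmail.cf rewrite rules also contain '#', but the sendmail check below
# only reads "O ..." option lines, which do not.)
strip_comments() { sed -e 's/#.*$//' "$1"; }

# Value of the last uncommented DIRECTIVE in a key/value config file
# (sshd_config, proftpd.conf, httpd.conf); empty if absent. Case-insensitive.
cfg_value() {
    strip_comments "$1" | awk -v d="$2" '
        tolower($1) == tolower(d) { v = $2 }
        END { print v }'
}

lc() { tr 'A-Z' 'a-z'; }

# CallMeJ: ssh protocol 2 only, no root login.
check_sshd() {
    [ "$(cfg_value "$1" Protocol)" = "2" ] || return 1
    [ "$(cfg_value "$1" PermitRootLogin | lc)" = "no" ] || return 1
}

# monkey_boy: no banner before login, no version string on connect.
check_proftpd() {
    [ "$(cfg_value "$1" DeferWelcome | lc)" = "on" ] || return 1
    [ "$(cfg_value "$1" ServerIdent | lc)" = "off" ] || return 1
}

# monkey_boy: ServerTokens ProductOnly and directory listings off.
# An Options list without +/- replaces the whole set, so a bare "Indexes"
# on any Options line turns listings back on; flag that as well.
check_apache() {
    [ "$(cfg_value "$1" ServerTokens | lc)" = "productonly" ] || return 1
    strip_comments "$1" | awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "-indexes") off = 1
                if (t == "indexes" || t == "+indexes") on = 1
            }
        }
        END { exit (off && !on) ? 0 : 1 }'
}

# monkey_boy: novrfy and noexpn in PrivacyOptions, and no $v/$Z (sendmail
# version) left in the SMTP greeting.
check_sendmail() {
    strip_comments "$1" | awk '
        $1 == "O" && $2 ~ /^PrivacyOptions=/ { priv = substr($2, 16) }
        $1 == "O" && $2 ~ /^SmtpGreetingMessage=/ { greet = $0 }
        END {
            n = split(priv, f, ",")
            for (i = 1; i <= n; i++) {
                if (f[i] == "novrfy") v = 1
                if (f[i] == "noexpn") e = 1
            }
            leak = index(greet, "$v") || index(greet, "$Z")
            exit (v && e && !leak) ? 0 : 1
        }'
}

# Constructed good/bad samples for each daemon, written into DIR.
write_samples() {
    printf '%s\n' 'Protocol 2' 'PermitRootLogin no' > "$1/sshd.good"
    printf '%s\n' 'Protocol 2,1' 'PermitRootLogin yes' > "$1/sshd.bad"
    printf '%s\n' 'ServerName "myserverFTP"' 'DeferWelcome on' 'ServerIdent Off' > "$1/proftpd.good"
    printf '%s\n' '# DeferWelcome on' 'ServerIdent on' > "$1/proftpd.bad"
    printf '%s\n' 'ServerTokens ProductOnly' 'Options -Indexes' 'Options SymLinksIfOwnerMatch' > "$1/apache.good"
    printf '%s\n' 'ServerTokens Full' 'Options -Indexes' 'Options Indexes FollowSymLinks' > "$1/apache.bad"
    printf '%s\n' 'O PrivacyOptions=goaway,authwarnings,novrfy,noexpn' \
        '#O SmtpGreetingMessage=$j Sendmail $v/$Z; $b' \
        'O SmtpGreetingMessage=$j MyMailServer mail -SMTP spoken here $b' > "$1/sendmail.good"
    printf '%s\n' 'O PrivacyOptions=goaway' \
        'O SmtpGreetingMessage=$j Sendmail $v/$Z; $b' > "$1/sendmail.bad"
}

# Run every check against DIR's samples and print one PASS/FAIL line per file.
audit_dir() {
    for kind in sshd proftpd apache sendmail; do
        for f in "$1/$kind.good" "$1/$kind.bad"; do
            if "check_$kind" "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
        done
    done
}

# Number of failing files in DIR (4 for the constructed samples).
fail_count() { audit_dir "$1" | grep -c '^FAIL'; }

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
write_samples "$DEMO"
audit_dir "$DEMO"
```

To use it on a real box, point the `check_*` functions at /etc/ssh/sshd_config, /etc/proftpd.conf, httpd.conf and /etc/mail/sendmail.cf instead of the samples; for Apache, concatenate httpd.conf with any Include'd file such as extra.conf first, since the check only reads one file and the last Options list wins.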