Does anyone have any links or advice on securing down a box that is
going to host people's personal web space with a working cgi-bin for
each user? The higher-ups want this, so there is no turning it off.

So far I am using proftpd with the mod_sql compiled in. This sets up
fake users that authenticate via mysql. When the user logs into the ftp
server for the first time, proftpd creates their user directory at the
location specified in the database under "homedir". This is chrooted so
the user cannot get back any directories. If the user wants to execute
cgi scripts they need to make a cgi-bin directory in their homedir.
Apache is set to serve those user directories and to allow scripts in
homedirs/*/cgi-bin.

That part all works fine. I am just concerned about security.
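
An audit pass over the layout described above (user homedirs, each with its own cgi-bin), as an added example that is not part of the original post: it flags world-writable entries, setuid/setgid files and symlinks that resolve outside the owner's homedir. The base directory, user names and file names are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_cgi_tree(base):
    """Return sorted (relative path, issue) findings for base/*/cgi-bin."""
    base = Path(base).resolve()
    findings = []
    for cgi_dir in sorted(base.glob("*/cgi-bin")):
        home = cgi_dir.parent
        for dirpath, dirnames, filenames in os.walk(cgi_dir):
            for name in dirnames + filenames:
                path = Path(dirpath) / name
                rel = str(path.relative_to(base))
                st = path.lstat()
                if stat.S_ISLNK(st.st_mode):
                    # The FTP chroot does not bind Apache or CGI processes,
                    # so a link may resolve outside the owner's homedir.
                    target = path.resolve()
                    if target != home and home not in target.parents:
                        findings.append((rel, "symlink leaves homedir"))
                    continue
                if st.st_mode & stat.S_IWOTH:
                    findings.append((rel, "world-writable"))
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append((rel, "setuid/setgid file"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: two users under a hypothetical homedir base."""
    root = Path(root)
    for user in ("alice", "bob"):
        (root / user / "cgi-bin").mkdir(parents=True)
    ok = root / "alice" / "cgi-bin" / "hello.cgi"
    ok.write_text("#!/bin/sh\necho 'Content-Type: text/plain'; echo; echo hi\n")
    os.chmod(ok, 0o755)
    bad = root / "bob" / "cgi-bin" / "form.cgi"
    bad.write_text("#!/bin/sh\n")
    os.chmod(bad, 0o777)  # writable by every account, including the web server's
    os.symlink(root / "alice", root / "bob" / "cgi-bin" / "peek")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, issue in audit_cgi_tree(build_sample_tree(tmp)):
            print(f"{issue:24} {rel}")
```

Pointed at the real homedir base from cron, the same function gives a list to review after each round of uploads.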