Security for "Free Home Page" Linux Web Service

Anonymous Coward writes "I have a couple of Web servers (running RedHat 5.0) which I'm using to offer free Web hosting on, and I've been giving the users standard accounts, the only exception being that their HOME directory is also set to their HTML directory. This means that telnet is active, as well as ftp, which I didn't consider a problem (that's how I learned, after all), but I was wrong. One of these boxes was hacked, by someone telnetting in and installing a sniffer. We've had to take the box down and scrub it clean, and before I bring it back online, I'd like to know the best way to give users relatively unfettered access to their own files via ftp, while disabling their ability to do anything else, on a box running any brand of Linux." I know we've touched on this aspect of security before in several Slashdot forums, but this question has been asked (and will be asked again) many times. I figure it may as well have its own forum for discussion.