I don't have any specific pam exploits because as Sean pointed out there are a few.
Rule one in security, don't trust anyone,anything and certainly not any program.
This brings me to firewall, IPchains/tables is a good start. I don't think that firewalls are really necessary for a single web server. Shut everything off you don't need and then grant access as needed.
Set up an alternate userid 0 and always use that as your login instead of root. That way if you get a log message saying someone logged in as root....
Security is a topic much to broad to discuss in a meaningful way here, but feel free to post questions.
BTW , Linux also has access levels and immutable bits, and lots of other stuff such as random PIDS, random icmp sequences and etc. You just have to know where to get the patches.
BSD's are fine, but so is Linux.
