Concerning 2.4 Linux kernel releases and the notion of "official tested distribution", I don't think there's such a thing. Linux kernels do not submit to any QA process. Two of the seventeen 2.4 releases have been flagged as "don't use" -- i.e., showstoppers (the last being 2.4.15 which had a filesystem corruption bug). This might be an argument to switch to *BSD, but I'm not sure about that.
I am not saying that *bsd does not have its problems, but that is a very scary attitude to have about QA for mission critical parts of any OS.
Now I was not saying that Bob should change to *bsd, he needs to get back up asap. Debian might be worth a look though.
Now iff I take snort, swatch, ipfilter and a small amount of glue code I could, after I have turned everything unnessary off, add dynamic firewall rules to the mix. So if I see a web based attack I can turn off that ip at the firwall and protect what is behind it, even if it has been compromised. Also with statefull firewalls, that are configured correctly, if a trojan/worm gets intalled you still cannot get to it, in or out, because the firewall will not allow the connection.
