
This is a very basic list of procedures commonly used to lock down a Linux web server. It is incomplete and very brief; when I have enough time I will lay it all out properly and add the missing pieces. Hopefully it's of some use to you in the meantime.
Harden SSH (I have a basic tutorial for this on my website, you will need to add an additional user to the server and add them to the wheel group to enable them to use the su command)
Edit the root bash profile so that it e-mails you every time somebody logs in as root (Not really hardening security but lets you know if you have been compromised)
Disable anonymous FTP (unless it is essential)
Disable telnet (if it isn’t already):
    SSH into the server and log in as root.
    In the telnet service configuration, change disable = no to disable = yes.
    Save and exit.
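The telnet step above edits an xinetd-style service stanza by hand. The following is an added example, not part of the original article, that performs the same edit with sed and then verifies the result, so it can be scripted for a batch of hosts or run as a post-change check. The stanza and its location under a temporary directory are constructed sample input (the article does not name the real file, so the path here is a stand-in).

```shell
#!/bin/sh
# Added example (not from the original article): flip "disable = no" to
# "disable = yes" in an xinetd-style service stanza and verify the result.
# The stanza below is constructed sample input; the real file lives under
# the xinetd service directory on the host (path not given by the article).

SAMPLE_DIR="${TMPDIR:-/tmp}/xinetd-demo.$$"
mkdir -p "$SAMPLE_DIR"
SAMPLE_FILE="$SAMPLE_DIR/telnet"   # constructed stand-in for the real service file

cat > "$SAMPLE_FILE" <<'EOF'
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
EOF

# service_disabled FILE -> exit 0 if the stanza says "disable = yes", 1 otherwise
service_disabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# disable_xinetd_service FILE
# Rewrites any "disable = no" line (whatever the spacing) to "disable = yes".
# Exit status 0 when the file ends up disabled, 1 otherwise (e.g. missing file).
disable_xinetd_service() {
    f="$1"
    [ -f "$f" ] || return 1
    # sed -i is not POSIX; write to a temp file and move it into place instead.
    sed 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)no[[:space:]]*$/\1yes/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
    service_disabled "$f"
}

if disable_xinetd_service "$SAMPLE_FILE"; then
    echo "telnet stanza now disabled in $SAMPLE_FILE"
else
    echo "could not disable telnet stanza in $SAMPLE_FILE" >&2
fi
```

On a real host, xinetd has to be told to reload its configuration after the edit for the change to take effect; the function only checks the file, which is why it is safe to run a second time (it simply reports the service as already disabled).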
Edit /etc/motd - add a legal warning. As far as I know this has been used as an excuse to get hackers off of charges (in America admittedly, but wise to do anyway).
Disable shell access for accounts that will never be used.
Disable services that won’t be used, such as cups, ircd and vnc.
Install APF (Advanced Policy Firewall) – http://www.rfxnetworks.com/apf.php - this requires the kernel iptables modules to be installed before APF itself (these should already be present in most modern Red Hat kernels). It is reasonably easy to install and well documented.
Install BFD (Brute Force Detection) for APF - http://www.rfxnetworks.com/bfd.php - this is one of the most useful security tools available. It checks the /var/log/secure log for failed logins and automatically bans the source address in the firewall once it exceeds the maximum number of login failures.
Install RKHunter – http://www.rootkit.nl – another invaluable tool. It scans system binaries for known exploits and checks for rootkits; again, easy to install.
Install mod_security for Apache - http://www.modsecurity.org/ - a very useful tool for blocking known script exploits and filtering web requests. There are plenty of very good rule sets available for it.
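To show what a brute-force detector such as BFD is actually doing with /var/log/secure, here is an added example (not BFD's code) that counts failed SSH logins per source address and lists the addresses over a threshold, which are the candidates such a tool would hand to the firewall. The log lines are constructed samples in the usual sshd format; the threshold of 3 and the helper names are my own choices.

```shell
#!/bin/sh
# Added example (not BFD's own code): count failed SSH logins per source
# address in /var/log/secure-style lines and report addresses that exceed a
# threshold, which is the core of what a brute-force detector does before it
# hands an address to the firewall. The log lines below are constructed samples.

SAMPLE_LOG="${TMPDIR:-/tmp}/secure-sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:15 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:18 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:21 web1 sshd[2205]: Failed password for invalid user test from 198.51.100.7 port 51041 ssh2
Mar  3 10:01:25 web1 sshd[2207]: Failed password for root from 198.51.100.7 port 51055 ssh2
Mar  3 10:02:02 web1 sshd[2210]: Accepted publickey for deploy from 203.0.113.9 port 40112 ssh2
Mar  3 10:02:40 web1 sshd[2212]: Failed password for deploy from 203.0.113.9 port 40120 ssh2
Mar  3 10:02:44 web1 sshd[2212]: Accepted password for deploy from 203.0.113.9 port 40120 ssh2
Mar  3 10:03:10 web1 sshd[2215]: Failed password for invalid user oracle from 192.0.2.55 port 33001 ssh2
Mar  3 10:03:13 web1 sshd[2215]: Failed password for invalid user oracle from 192.0.2.55 port 33001 ssh2
Mar  3 10:03:16 web1 sshd[2215]: Failed password for invalid user oracle from 192.0.2.55 port 33001 ssh2
EOF

# failed_login_counts LOGFILE
# Prints "<count> <ip>" per source address, most failures first.
failed_login_counts() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
        | sed 's/.* from \([0-9.]*\) port .*/\1/' \
        | sort | uniq -c \
        | sort -rn \
        | awk '{ print $1, $2 }'
}

# offenders LOGFILE MAX_FAILURES
# Prints only the addresses whose failure count exceeds MAX_FAILURES, one per
# line; these are what a tool like BFD would pass to the firewall for banning.
offenders() {
    failed_login_counts "$1" | awk -v max="$2" '$1 > max { print $2 }'
}

# had_successful_login LOGFILE IP -> exit 0 if the address also logged in
# successfully. Worth checking before banning: a mistyped password from a
# legitimate admin produces the same "Failed password" line.
had_successful_login() {
    grep -q "sshd\[[0-9]*\]: Accepted .* from $2 port" "$1"
}

echo "Failed SSH logins per source address:"
failed_login_counts "$SAMPLE_LOG"
echo "Addresses over the limit of 3 failures:"
offenders "$SAMPLE_LOG" 3
```

With the sample lines, 198.51.100.7 has 5 failures and is the only address over a limit of 3; 192.0.2.55 sits exactly at 3 and is not reported, and 203.0.113.9 has a single failure followed by a successful login, the pattern you want to exclude before banning anything.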
Install mod_evasive - http://www.zdziarski.com/projects/mod_evasive/ - mod_evasive is an evasive manoeuvres module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack.
Set the following parameters in php.ini:
safe_mode = On
With safe_mode enabled, a PHP script can only access files whose owner is the same as the owner of the script. This is one of the most important security mechanisms built into PHP: it effectively counteracts unauthorized attempts to access system files (e.g. /etc/passwd) and adds many restrictions that make unauthorized access more difficult.
safe_mode_gid = Off
When safe_mode is turned on and safe_mode_gid is turned off, PHP scripts are able to access files not only when UIDs are the same, but also when the group of the owner of the PHP script is the same as the group of the owner of the file.
open_basedir = directory[:...]
When the open_basedir parameter is set, PHP can only access files located in the specified directories (and their subdirectories).
safe_mode_exec_dir = directory[:...]
When safe_mode is turned on, system(), exec() and the other functions that execute system programs will refuse to start any program that is not located in the specified directory.
expose_php = Off
Turning off the "expose_php" parameter stops PHP from disclosing information about itself in the HTTP headers it sends to clients in response to web requests.
register_globals = Off
When the register_globals parameter is turned on, all the EGPCS (Environment, GET, POST, Cookie and Server) variables are automatically registered as global variables. Because this can pose a serious security threat, it is strongly recommended to turn the parameter off (from version 4.2.0 onwards it is off by default).
display_errors = Off
If the display_errors parameter is turned off, PHP errors and warnings are not displayed to the client. Because such warnings often reveal sensitive information such as path names and SQL queries, it is strongly recommended to turn this parameter off on production servers.
log_errors = On
When log_errors is turned on, all warnings and errors are logged to the file specified by the error_log parameter. If that file is not accessible, the warnings and errors are logged by the Apache server instead.
error_log = filename
This parameter specifies the name of the file used to store warnings and errors (attention: this file must be writable by the apache user or group).
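Once the php.ini settings above are in place, it is worth having a check that can be re-run after every PHP upgrade or package update, since those frequently ship a fresh php.ini. The following is an added example, not from the article, that reads a php.ini and lists every recommended directive that is missing or set differently. The sample php.ini is constructed with two deliberate deviations (expose_php left On, log_errors absent). Note that safe_mode, safe_mode_gid and safe_mode_exec_dir were removed in PHP 5.4, so the audit only judges safe_mode when the file still carries it; open_basedir and error_log take a path rather than On/Off, so for those it only checks that a value is set.

```shell
#!/bin/sh
# Added example (not from the article): audit a php.ini against the settings
# recommended above and list every directive that is missing or set differently.
# The php.ini below is a constructed sample with two deliberate deviations.

SAMPLE_INI="${TMPDIR:-/tmp}/php-sample.$$.ini"
cat > "$SAMPLE_INI" <<'EOF'
[PHP]
; constructed sample php.ini for the audit below
expose_php = On
register_globals = Off
display_errors = Off    ; never on in production
; display_errors = On   (commented out, must be ignored)
error_log = /var/log/httpd/php_errors.log
open_basedir = /var/www/html:/tmp
EOF

# ini_value FILE DIRECTIVE
# Prints the effective value of DIRECTIVE: the last uncommented occurrence,
# with any trailing ";" comment stripped. Prints nothing if it is absent.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
        | tail -n 1
}

# audit_php_ini FILE
# Prints one line per deviation from the recommended settings and returns the
# number of deviations (0 means the file matches).
audit_php_ini() {
    f="$1"; bad=0
    for pair in expose_php=Off register_globals=Off display_errors=Off log_errors=On; do
        name="${pair%%=*}"; want="${pair#*=}"
        got="$(ini_value "$f" "$name")"
        if [ "$got" != "$want" ]; then
            echo "$name: expected $want, found ${got:-<unset>}"
            bad=$((bad + 1))
        fi
    done
    # These take a path list rather than On/Off; they just need to be present.
    for name in open_basedir error_log; do
        if [ -z "$(ini_value "$f" "$name")" ]; then
            echo "$name: expected a path, found <unset>"
            bad=$((bad + 1))
        fi
    done
    # safe_mode was removed in PHP 5.4; only judge it when the file still has it.
    got="$(ini_value "$f" safe_mode)"
    if [ -n "$got" ] && [ "$got" != "On" ]; then
        echo "safe_mode: expected On, found $got"
        bad=$((bad + 1))
    fi
    return $bad
}

if audit_php_ini "$SAMPLE_INI"; then
    echo "php.ini matches the recommended settings"
else
    echo "deviations found: $?"
fi

# A corrected copy: appended directives override earlier ones, so the audit passes.
FIXED_INI="${SAMPLE_INI%.ini}-fixed.ini"
cp "$SAMPLE_INI" "$FIXED_INI"
printf 'expose_php = Off\nlog_errors = On\n' >> "$FIXED_INI"
audit_php_ini "$FIXED_INI" && echo "corrected copy matches the recommended settings"
```

The audit reports two deviations for the sample file and none for the corrected copy. Taking the last uncommented occurrence of a directive matters in practice: distribution php.ini files often set a directive near the top and override it further down, and a check that stops at the first match will pass a file PHP itself reads differently.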