Securing Debian Apache PHP server
I'd recommend getting a host-based IDS configured and the signature database populated, and removing any content supplied with Apache. Also consider overhauling the permissions model around logging so that you don't need to be root to read the files.
There are also several things you might want to do depending on what you do with the server - check the timeout and max post size for Apache, set an open_basedir for PHP (along with the usual performance tweaks).
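One way to check the settings mentioned above, as an added example that is not part of the original post: a small audit over the text of an Apache config and a php.ini. The sample config text and the thresholds (60 seconds, 8M) are assumptions made for illustration; `LimitRequestBody` is used here as Apache's request body limit and `post_max_size` as PHP's.

```python
import re

# Constructed sample inputs for illustration; not taken from the original post.
SAMPLE_APACHE = """\
Timeout 300
# LimitRequestBody 1048576
"""
SAMPLE_PHP_INI = """\
[PHP]
post_max_size = 64M
;open_basedir =
"""

UNITS = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3}

def setting(text, name, sep):
    """Last uncommented value of `name`, or None if it never appears."""
    pattern = rf"^[ \t]*{re.escape(name)}{sep}(.*)$"
    hits = re.findall(pattern, text, re.M | re.I)
    return hits[-1].strip().strip('"') if hits else None

def to_bytes(value):
    """Convert PHP shorthand sizes such as 8M or 512K to bytes."""
    m = re.fullmatch(r"(\d+)([KMG]?)", value.upper())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def audit(apache_text, php_text, max_timeout=60, max_post="8M"):
    """Return findings; thresholds are assumed and should be tuned per site."""
    findings = []
    timeout = setting(apache_text, "Timeout", r"[ \t]+")
    if timeout is None:
        findings.append("apache: Timeout not set explicitly")
    elif int(timeout) > max_timeout:
        findings.append(f"apache: Timeout {timeout}s exceeds {max_timeout}s")
    if setting(apache_text, "LimitRequestBody", r"[ \t]+") is None:
        findings.append("apache: LimitRequestBody not set explicitly")
    post = setting(php_text, "post_max_size", r"[ \t]*=[ \t]*")
    if post is None:
        findings.append("php: post_max_size not set explicitly")
    elif to_bytes(post) > to_bytes(max_post):
        findings.append(f"php: post_max_size {post} exceeds {max_post}")
    if not setting(php_text, "open_basedir", r"[ \t]*=[ \t]*"):
        findings.append("php: open_basedir is unset")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_APACHE, SAMPLE_PHP_INI):
        print(line)
```

Pass the function the contents of the real configuration files instead of the samples; commented-out directives are treated as not set.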