Debian Lenny as a base system is pretty secure, but you can always make it more secure.
Start by disabling services that you don't need. Install rcconf, use it to disable those services, then reboot the OS.
Mount /tmp with noexec to keep away script kiddies.
Install mod_security2 to filter out the most common web junk. Install mod_evasive to blunt DDoS attacks.
Tweak your apache2 settings by changing the following settings:
Tweak your php:
expose_php = Off
display_errors = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, escapeshellarg, escapeshellcmd, proc_open
open_basedir is set by ISPConfig.
Install a policy firewall and tweak the settings. ISPConfig includes the Bastille firewall, which you can use.
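To confirm that the /tmp mount option and the php.ini values above are actually in effect, here is a small audit script. It is an added example, not part of the original post; the function names and the sample file contents in sample_audit are constructed for illustration.

```shell
# Added example (not from the original page): audit the /tmp mount and php.ini.

# tmp_is_noexec MOUNTS: succeed if the last /tmp entry has the noexec option.
tmp_is_noexec() {
    awk '$2 == "/tmp" { o = $4 } END { exit !(("," o ",") ~ /,noexec,/) }' "$1"
}

# ini_get FILE KEY: print the last uncommented value of KEY, minus ";" comments.
ini_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' | tail -n 1
}

# is_off VALUE: succeed only for an explicit false; a missing key ("") fails.
is_off() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in off|0|no|false) return 0 ;; esac
    return 1
}

# missing_disabled FILE: print functions from the page's list that are not disabled.
missing_disabled() {
    have=",$(ini_get "$1" disable_functions | tr -d ' '),"
    for f in show_source system shell_exec passthru exec phpinfo popen \
             escapeshellarg escapeshellcmd proc_open; do
        case $have in *",$f,"*) ;; *) echo "$f" ;; esac
    done
}

# audit MOUNTS PHP_INI: print one FAIL line per finding, return the count.
audit() {
    n=0
    tmp_is_noexec "$1" || { echo "FAIL /tmp is not mounted noexec"; n=$((n + 1)); }
    for k in expose_php display_errors; do
        is_off "$(ini_get "$2" "$k")" || { echo "FAIL $k is not Off"; n=$((n + 1)); }
    done
    for f in $(missing_disabled "$2"); do
        echo "FAIL $f is missing from disable_functions"; n=$((n + 1))
    done
    return "$n"
}

# sample_audit: run audit on constructed sample files (not from a real host).
sample_audit() {
    s=$(mktemp -d)
    echo "tmpfs /tmp tmpfs rw,nosuid,nodev 0 0" > "$s/mounts"
    printf 'expose_php = Off\n;display_errors = Off\ndisable_functions = system, exec\n' > "$s/php.ini"
    audit "$s/mounts" "$s/php.ini"; rc=$?
    rm -rf "$s"; return "$rc"
}
```

On a live server, source the file and call audit with /proc/mounts and the php.ini that Apache loads; a commented-out directive counts as a finding because PHP then falls back to its default.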
There is much more but this is the basic web stuff. You can always read: