Mod_security is great. I recommend checking out Atomic Secured Linux, which is a product comprising a hardened Linux kernel with trusted path execution, PaX and grsecurity, ClamAV, mod_security, mod_evasive, OSSEC, rkhunter, SSH hardening and comes with continuously updated custom rulesets for its components. It can do geoblocking, active response based on security events and comes with a web interface for management. No, I don't work for them, I'm just a happy customer. https://www.atomicorp.com/products.html Now, of course, having good system-level security doesn't mean it's not important to keep security in mind when building a web application, but the additional layers of security definitely help.
I setup an LTSP setup a year ago and it is brilliant. We got one powerful machine (quadcore CPU, 4 GB RAM, etc.) and plug all the old machines we can get into a gigabyte switch connected to this server. Just plug it in, make it boot from the network and you got another (fast) machine to work on. I used K12LTSP 5EL (based on CentOS 5) and it just works out of the box. http://k12ltsp.org/