jexx - 9:07 pm on Nov 28, 2006 (gmt 0)

If you have a router with more advanced capabilities, one-to-one (when dedicated IPs are used) NATs for only specific ports (80 and 443 for me) are a good way to reduce load on the stateful packet filtering firewall. I also find this practice simplifies my infrastructure (I am able to configure all web servers with internal IPs and just change the mapping on the router if I decide to switch providers).

Specific to Apache, I use mod_security and mod_dosevasive to provide additional protection.
mod_security allow you to filter out specific behaviors while mod_dosevasive provides (some at least) protection against single sourced denial-of-service attacks.