I would start by ditching Ubuntu in favor of a more server-oriented distro, whichever works better for you: Debian, Red Hat, ...
Second, on a machine that's supposed to be a web server, and that requires high availability and a high degree of security, the worst enemy is the user himself, and much more so if it's a desktop machine. You don't need a desktop on your server; it's just an extra source of instability and problems.
In any case, whatever your choice is in that regard, you should start by disabling all the services you don't need, especially those which open ports to the outside world. Make sure that ssh is configured not to allow root login, and keep your site updated if you are using premade PHP applications or scripts like forums, shopping carts or whatever.
You can also consider using grsecurity or SELinux; I have no idea if Ubuntu supports either of these.
If you feel adventurous you can also compile your own Apache and PHP packages; doing so, you can choose to disable all the features that you are not going to use. Fewer parts of PHP and Apache enabled means you will have fewer things to worry about.
About the firewall, look into iptables; there's a lot to research about that, too much to be explained in a single post here. By default you should deny everything, at least from the outside, except the strictly needed ports.
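Two of the checks recommended above (no root login over ssh, default-deny inbound firewall) as a small POSIX shell script. This is an added example and not code from the post's author; the sshd_config contents are constructed samples written to temp files so the script runs offline, the port list is illustrative, and the iptables ruleset is printed in `iptables-restore` format for review rather than applied to the running host.

```shell
#!/bin/sh
# Added example (not from the original post). Checks an sshd_config for
# PermitRootLogin and generates a default-deny iptables ruleset as text.

# Constructed sample configs so the script is self-contained.
SAMPLE_SSHD_CONFIG_BAD="$(mktemp)"
cat > "$SAMPLE_SSHD_CONFIG_BAD" <<'EOF'
# constructed sample: root login still allowed
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF

SAMPLE_SSHD_CONFIG_GOOD="$(mktemp)"
cat > "$SAMPLE_SSHD_CONFIG_GOOD" <<'EOF'
# constructed sample: root login disabled
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF

# Print the effective PermitRootLogin value from an sshd_config file.
# sshd honours the first uncommented occurrence of a keyword, so the first
# match wins; commented lines have "#PermitRootLogin" as $1 and are skipped.
# Prints "unset" when the directive is absent (sshd's built-in default applies).
ssh_root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Exit status 0 only when root login over ssh is explicitly disabled.
ssh_root_login_disabled() {
    [ "$(ssh_root_login_setting "$1")" = "no" ]
}

# Print a default-deny ruleset for the given TCP ports (e.g. 22 80 443).
# INPUT and FORWARD drop by default; loopback and replies to connections
# the host opened are allowed; only the listed ports accept new connections.
# Review the output, then feed it to `iptables-restore` on the real host.
default_deny_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s%s%s\n' '-A INPUT -p tcp --dport ' "$port" \
            ' -m conntrack --ctstate NEW -j ACCEPT'
    done
    printf '%s\n' 'COMMIT'
}

# Number of ports the generated ruleset opens to new inbound connections;
# handy as a sanity check that nothing beyond the intended list is exposed.
count_open_ports() {
    default_deny_rules "$@" | grep -c -- '--dport'
}

# Stand-alone usage: report on both samples and print a ruleset for a web host.
for cfg in "$SAMPLE_SSHD_CONFIG_BAD" "$SAMPLE_SSHD_CONFIG_GOOD"; do
    if ssh_root_login_disabled "$cfg"; then
        echo "OK: root login disabled ($cfg)"
    else
        echo "WARN: PermitRootLogin is '$(ssh_root_login_setting "$cfg")' ($cfg)"
    fi
done
default_deny_rules 22 80 443
```

The ruleset deliberately leaves OUTPUT open, matching the post's "at least from the outside"; tightening egress is a separate decision that depends on what the server itself needs to reach (package mirrors, DNS, NTP).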