My rough guide here:
1) I use centos 6, x86_64
2) 2G minimum
3) x2 disks, in a raid mirror. Partitioned as md0 (/boot, 512MB), sda2 / sdb2 (swap, x2 of ram, set at priority -1), md1 (/, all remaining space). Dont bother with /tmp, /var, /home, etc. They just cause problems later
4) Install plesk first, 11 is the latest, we use 9.5-11. This is personal preference
5) install ASL last (after all other stuff), boot into the ASL kernel, ensure you have the dazuko module installed
6) add the T-WAF to the plesk port
7) use mod_ruid2 (not completely supported in ASL yet, but use it anyway). Dont bother with fcgi, suphp, etc. These are all slower. Con's to mod_ruid2 if you are using cloudlinux I dont think its compatible with LVE.
Use incremental backup systems to a live (browsable) filesystem. We use rdiff-backup here. This is important because it lets you do compares & restores in realtime. Our backups are nightly. The backup server is both mirrored to a local filesystem, and mirrored to another offsite backup server in a different physical location.
(Optional)Conduct regular security assessments. My assessment platform is:
Fedora 17 (you could use centos 6, but fedora has more utilities)
1) install openvas, this is your *network* vulnerability scanner. We scan DAILY. Do not scan quarterly. Do not scan yearly. Do not be that guy.
2) install w3af and arachni, these are your *application* scanners. As in the web applications. Scan each application DAILY or WHENEVER YOU MAKE A CHANGE. Again, do not follow the PCI DSS standard here. Thats the low bar.