How to properly secure Unicorn/RoR server on Ubuntu? Or, harden RoR application stack?


http://serverfault.com – I have a few Unicorn servers running on Ubuntu 12.04 and I am looking to secure them against exploits which give remote shell. My main concern is whether it makes sense to deploy ModSecurity. Another thing is that I have seen Unicorn typically runs from port 8080, and it's forwarded to Apache/NginX server port 80 which serves as reverse-proxy. I was thinking that I could employ the following: ModSecurity on Apache; Apache as worker (threaded) with mod_qos, to prevent an excessive number of requests from any host; run Unicorn server from a designated user and isolate it through AppArmor or SELinux if it's Re (HowTos)