Set Apache2 and OpenSSH to generate random (non-default) primes for Diffie-Hellman key exchange.
Using default primes apparently makes it much easier for a motivated attacker to decrypt SSH and TLS traffic.
https://freedom-to-tinker.com/2015/10/14/how-is-nsa-breaking-so-much-crypto/
https://security.stackexchange.com/questions/56214/what-are-the-openssl-standard-diffie-hellmann-parameters-primes
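A check for the OpenSSH half of this change, as an added example that is not part of the original text: it parses an sshd moduli file in the moduli(5) layout and counts entries that still match the distribution's stock file or fall below a size floor. The 2048-bit floor, the function names and the sample entries are assumptions constructed for illustration; the sample moduli are not real primes.

```python
"""Audit an OpenSSH moduli file against the distribution's stock copy."""


def parse_moduli(text):
    """Return the modulus of every entry in a moduli(5)-format file as an int."""
    moduli = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no entry
        fields = line.split()
        # Layout: timestamp type tests trials size generator modulus(hex)
        if len(fields) != 7:
            raise ValueError(f"malformed moduli line: {line[:40]!r}")
        moduli.append(int(fields[6], 16))
    return moduli


def audit_moduli(active_text, stock_text, min_bits=2048):
    """Classify each active entry as stock (shared), short, or ok.

    min_bits is an assumed floor; the bit length is measured from the
    modulus itself rather than trusted from the size column.
    """
    stock = set(parse_moduli(stock_text))
    report = {"stock": 0, "short": 0, "ok": 0}
    for modulus in parse_moduli(active_text):
        if modulus in stock:
            report["stock"] += 1   # still a default, widely shared prime
        elif modulus.bit_length() < min_bits:
            report["short"] += 1   # locally generated but too small
        else:
            report["ok"] += 1
    return report


def entry(hex_modulus):
    """Build one constructed moduli line around a hex modulus."""
    return f"20240101000000 2 6 100 {len(hex_modulus) * 4 - 1} 2 {hex_modulus}"


# Constructed sample data: placeholders with the right bit lengths, not primes.
STOCK_2048 = "C" + "0" * 510 + "B"
LOCAL_2048 = "D" + "0" * 510 + "7"
LOCAL_1024 = "E" + "0" * 254 + "3"
STOCK_SAMPLE = "# stock file\n" + entry(STOCK_2048) + "\n"
ACTIVE_SAMPLE = "\n".join(
    ["# active file", entry(STOCK_2048), entry(LOCAL_2048), entry(LOCAL_1024)]
)

if __name__ == "__main__":
    print(audit_moduli(ACTIVE_SAMPLE, STOCK_SAMPLE))
```

A non-zero `stock` count means the server can still negotiate a prime shared with other default installations.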