My view on securing a debian/ubuntu machine:

1. fail2ban
2. ssh on non standard port
3. iptables + ulog, troubleshootinginmyownballs aka fascist firewall
4. no sudo on the system

5. removing ALL setuid programs

6. remote backup of log, rsyslog