=== My view on securing a debian/ubuntu machine: ===

 1. fail2ban

 2. ssh on non standard port

 3. iptables + ulog, troubleshootinginmyownballs aka fascist firewall

 4. no sudo on the system

 5. removing __ALL__ setuid programs

 6. remote backup of log, rsyslog