My view on securing a debian/ubuntu machine:
- fail2ban
- ssh on non standard port
- iptables + ulog, troubleshootinginmyownballs aka fascist firewall
- no sudo on the system
removing ALL setuid programs
- remote backup of log, rsyslog
removing ALL setuid programs