Default Deny for all incoming traffic
DNS-based filtering
iptables
Network segmentation
Install Fail2Ban
Block unnecessary outgoing ports