1. All unnecessary network services must be disabled.
2. Necessary services must be under strict access control (tcpwrappers).
3. All relevant security patches must be applied regularly.
4. Remote access must be permitted only through ssh or other encryption software.
5. No accounts may be maintained for anyone who is not, or is no longer, affiliated with the department.
6. Disable root login via ssh.
7. Use long (12-24 character) passphrases, or use public key authentication.
8. Use a method to prevent brute-force ssh attacks; installing Fail2ban is one such method.
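A small audit helper for items 6 and 7, added here as an example and not part of the department's policy or tooling; it assumes a standard OpenSSH sshd_config file and the hypothetical script name check_sshd.sh:

```shell
#!/bin/sh
# Added audit helper for policy items 6 and 7 (not the department's own tooling).
# Reads an sshd_config the way sshd does: keywords are case-insensitive, '#'
# starts a comment, the FIRST occurrence of a keyword wins, and everything after
# the first "Match" line is conditional, so it is ignored here.

# effective_value FILE KEYWORD -> prints the effective value, or nothing if unset
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                          # drop comments
        tolower($1) == "match" { exit }             # conditional block: stop
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE -> returns 0 if compliant, 1 with one FAIL line per violation
check_sshd_config() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 2; }

    # Item 6: root must not log in over ssh at all (not even with a key).
    root=$(effective_value "$f" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}'; item 6 requires 'no'"
        rc=1
    fi

    # Item 7: public key auth must stay available. If password auth is also on,
    # the 12-24 character passphrase rule applies and cannot be checked from this file.
    pubkey=$(effective_value "$f" PubkeyAuthentication)
    if [ "$pubkey" = "no" ]; then
        echo "FAIL: PubkeyAuthentication is 'no'; item 7 expects key authentication"
        rc=1
    fi
    pw=$(effective_value "$f" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then
        echo "NOTE: password authentication is enabled; enforce passphrase length elsewhere"
    fi

    return $rc
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config
if [ -n "${1-}" ]; then
    check_sshd_config "$1"
fi
```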
Problems and suggestions: