1) use ingress packet filtering (in Linux, `man iptables`)
2) turn off all unnecessary services (check open ports with `netstat -na | grep -i listen`)
3) apply vendor patches.
4) monitor vendor security lists and apply recommended patches.

-C
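
The port check in step 2, taken one step further as an added example that is not part of the original post: it reads `netstat -na` output and reports listening TCP sockets whose port is not on an allowlist. The function names, the allowlist `22 80` and the sample output are constructed for illustration, and the Linux net-tools column layout is assumed.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets against an allowlist of ports.

# Constructed sample of Linux `netstat -na` output (not from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/foo.sock
EOF
}

# Usage on a live host: netstat -na | unexpected_listeners "22 80"
# Prints "proto port address scope" for every listening TCP socket whose
# port is not in the allowlist; scope is "loopback" or "exposed".
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        # Only TCP rows in LISTEN state. This skips ESTABLISHED rows and the
        # unix-socket LISTENING rows that a bare `grep -i listen` also matches.
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            k = split($4, part, ":")          # port is the last colon field,
            port = part[k]                    # which also works for IPv6
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port in ok) next
            scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
            print $1, port, addr, scope
        }'
}

# Demo on the constructed sample.
sample_netstat | unexpected_listeners "22 80"
```

Rows marked `exposed` are the candidates for turning the service off (step 2) or blocking it with an ingress rule (step 1).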