June 9th, 2006, 02:09 AM
#11
OK here are some of the things I've done:
First off for SUSE:
I update SUSE before it's even booted as it has this option and I love it. Before the box has booted up, all updates are installed EXCEPT for the Kernel. I always wait for that and it's a good idea to do so.
then I start my methods:
The firewall is on by default with SUSE. SSH is running but not allowed through; I generally allow SSH, though, in case for some reason the machine starts freezing up, so that I can SSH in and kill off whatever might be making the box lag.
If I'm setting up an FTP server, I open the required ports, and load up the service, but I don't do this until I've configured it how I like it.
I have a copy of my configuration files for my server machines I store on my FTP server, and on CD so I don't have to sit and toy with it all day to make it how I want it.
I have one for PureFTPd and VSFTPd.
Also SUSE has X11 forwarding and listening off by default and has done this for a long time. Most distros still have X11 listening by default, SUSE doesn't.
when this has finished, you have a fairly good lock down. But don't forget:
SUSE comes with "Harden_SUSE" and "Bastille" and you can use either. Also SUSE has something some distros leave out:
AntiVirus.
Even though Linux isn't really at risk, they work well. I've tested them before and used them in real world scenarios where on a list you may get someone who sends a virii to mailing lists, and it always picks them up.
If I'm setting up a server where security is the word:
vim /dev/securetty
And comment everything but /dev/tty1
This only allows root to log in from the first console. It's another good idea.
I do similar stuff with Slackware and FreeBSD, except on FreeBSD I don't install updates. (I've been going back and forth with the security team for FreeBSD on a new method so it doesn't take so long to install something as simple as a fix.)
Instead I have two routers and a switch, which sit in front of all machines, and I either use virtual servers from the routers, or just pop one of the machines in the DMZ to allow people to connect.
These methods work well and keep the unlocked machines safe and secure behind them.
I also want to point out, in YAST2 use the sysconfig editor to edit configuration files with YAST2 and it's a little easier than doing it in VI and you have a helper there if you need it.
I also shut down services I'm not using.
One thing I did as a test:
I installed SUSE and Slackware, did it minimum, and made them FTP servers. To date no one has broken in. They are stripped down to the bare bones, and whatever service is needed and nothing more, and updated.
Something I was hoping to see:
It's possible to take a UNIX based OS, and strip it down to nothing but the Kernel, and hack the service into the Kernel, and discard anything not related. It's DAMN hard to break into a machine that someone has done this to.
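Two of the lock-down steps in the post above can be checked rather than trusted: that root console logins are restricted to tty1 through securetty, and that no X11 server is listening on the network. The script below is an added example written for this thread, not the poster's own tooling or any SUSE utility. It assumes the securetty file lives at /etc/securetty (the standard location on Linux) and that listening sockets are read from `ss -ltn`-style output; the files and socket listings it runs against here are constructed samples so it can be run offline, and the same functions can be pointed at the real file and real `ss -ltn` output on a live box.

```shell
#!/bin/sh
# Added example (not from the original post): audit two lock-down steps
#  1. root console logins restricted to tty1 via the securetty file
#  2. no X11 display (TCP 6000-6063) listening on the network
# All sample data below is constructed; on a real host call
#   securetty_only_tty1 /etc/securetty
#   ss -ltn | x11_not_listening

# Print the terminals still active in a securetty-style file: drop comments,
# surrounding whitespace and blank lines. Usage: securetty_active <file>
securetty_active() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# Return 0 when tty1 is the only active terminal (root may log in from the
# first console only), 1 otherwise. Usage: securetty_only_tty1 <file>
securetty_only_tty1() {
    active=$(securetty_active "$1")
    [ "$active" = "tty1" ]
}

# Read `ss -ltn`-style output on stdin and print one listening port per line.
# Column 4 is "Local Address:Port"; the port is the text after the last ':'.
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }'
}

# Read `ss -ltn`-style output on stdin; return 0 when no X11 display port
# (6000-6063) is listening, 1 when one is.
x11_not_listening() {
    listening_ports | awk '$1 >= 6000 && $1 <= 6063 { found = 1 } END { exit (found ? 1 : 0) }'
}

# ---- constructed sample inputs -------------------------------------------
TMP=$(mktemp -d)

# Constructed securetty before hardening: several consoles allowed for root.
cat > "$TMP/securetty.before" <<'EOF'
# securetty: terminals from which root may log in
tty1
tty2
tty3
EOF

# Constructed securetty after the post's edit: everything but tty1 commented.
cat > "$TMP/securetty.after" <<'EOF'
# securetty: terminals from which root may log in
tty1
#tty2
#tty3
EOF

# Constructed `ss -ltn` output: box with X11 still listening on 6000.
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000      0.0.0.0:*'

# Constructed `ss -ltn` output: only SSH listening, X11 off as on SUSE.
SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

# ---- report ----------------------------------------------------------------
report() {
    for f in before after; do
        if securetty_only_tty1 "$TMP/securetty.$f"; then
            echo "securetty.$f: OK, root limited to tty1"
        else
            echo "securetty.$f: WARN, root allowed on: $(securetty_active "$TMP/securetty.$f" | tr '\n' ' ')"
        fi
    done
    if printf '%s\n' "$SS_BEFORE" | x11_not_listening; then
        echo "sockets.before: OK, no X11 listener"
    else
        echo "sockets.before: WARN, X11 display port listening"
    fi
    if printf '%s\n' "$SS_AFTER" | x11_not_listening; then
        echo "sockets.after: OK, no X11 listener"
    else
        echo "sockets.after: WARN, X11 display port listening"
    fi
}

report
```

The checks are deliberately read-only: they report the state of the securetty file and the socket table and leave changing them to the administrator, which keeps the script safe to run on a production box as a post-lockdown verification.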