Is this for internal facing servers? Not much more than CIS and the usual Best Practices (no root for SSH, etc)

For a DMZ node, minimal software (ie Arch) and automated defenses like fail2ban, key authentication, etc…

Firewalls with Geo-IP blocking also help, but that’s not technically what you’re asking for.