Linux hardening: minimal installation, strong SSH config (key-only, no root), SELinux/AppArmor (mandatory access control), regular patching, host firewall (iptables/nftables), audit daemon, CIS benchmark compliance.
SELinux = NSA-developed, label-based MAC for Linux. AppArmor = profile-based MAC, simpler to configure. Both confine processes even if exploited. Enable SELinux in enforcing mode — most Linux systems have it in permissive mode by default.