02 OS Level Security

FreeBSD

Best practices:

Securelevels

Identify your most endangered ports

Firewalling (protect your most endagered assets first)

chflags (append only,  system immutable)

Mount options (noexec, nodev)

ssh restrictions (AllowGroups)

fail2ban (for ssh, but not only for ssh)

Enable, and run, portaudit

If you have the ressources or need a real trusted computing base:

Consider Security Labels / Mandatory access (why - was invented by / for people that had all the above in place and needed more. An explanation of MAC and RBAC should go here)