Here is my own list of good security practices for keeping a Linux system safe.
(2) The default firewall policy should be: close all doors, open only the required windows. Run iptables or ipf to block unwanted traffic, IPs, and unused ports.
(4) Do not run any Perl or other executable code on a production system as root. Always test downloaded files locally and use an md5 checksum for verification.
(5) Take advantage of SELinux (Security-Enhanced Linux), which enables a mandatory access control mechanism. It is also recommended that you install an anti-virus/anti-spam program such as ClamAV on all mail servers (or you can purchase a third-party AV/anti-spam solution).
(6) Finally, run all important services in a chrooted jail environment.
Update (see comment below) - Other user suggestions
(7) Remove or disable unnecessary services you don't use.
(8) Conduct some (penetration) tests to ensure you didn't misconfigure your setup.
(9) Remove all compilers and network scanning tools such as nmap from servers. Why make the attacker's job easier?
Remember, you can make an attacker's life hard, but you cannot make anything 100% secure. Continuous monitoring and a tight security policy will keep the service running for a long time without any sort of intrusion :)
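The default-deny policy from item (2), as an added example that is not part of the original post: a shell function that prints an IPv4 ruleset in iptables-restore format, dropping inbound traffic by default and opening only the TCP ports you list. The function name `gen_ruleset` and the sample ports in the comments are assumptions.

```shell
#!/bin/sh
# Added example: emit a default-deny IPv4 ruleset in iptables-restore format.
# The ports passed in are an assumption; list only the services you really run.

# gen_ruleset PORT... : print the ruleset on stdout, return 1 on a bad port.
gen_ruleset() {
    for p in "$@"; do
        case "$p" in
            # Reject empty, non-numeric, leading-zero and over-long values.
            ''|*[!0-9]*|0*|??????*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    echo '*filter'
    # Close all doors: inbound and forwarded packets are dropped unless matched.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections this host started.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Open the required windows: one rule per allowed TCP port.
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Stand-alone use, e.g.: sh ruleset.sh 22 443 > rules.v4
if [ "$#" -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Check the generated file with `iptables-restore --test < rules.v4` as root before loading it. Include the SSH port when working on a remote machine, since the DROP policy applies to your own session too.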