Facts: Original GNU/Linux Distributions is NOT as secure as it seems.
Baseline security
Use single GNU/Linux distribution as baseline system if possible.
Before you begin to harden GNU/Linux hosts, make sure all your Linux OS are up to date.
Setup a strong password policy, password complexity, password change rules, make sure different systems use different passwords, most import thing is separation of duties.
Setup a strong SSH configuration, maximum failed tries, no root login, enabled only newest SSH protocol if necessary.
Bond all SQL service to localhost if no remote access.
Enable Iptables.
Kernel security
Hardening Linux kernel and reconfiguration kernel modules for all critical hosts.
Enable one of MAC functions.
Hardening Linux kernel use Grsecurity if necessary.
Enable basic kernel options e.g. SYN cookies, rp_filter, icmp_echo_reply.
Service security
Enable all TCP port over TLS if possible(WEB service, SQL service), disable all unsecured algorithms used by TLS.
Delete all software package and libraries except the services.
Disable all TCP/UDP service except the services.
Vulnerability Scanning for all services, hardening all services.
Audit
Use host audit tools to verify all hardening process.
Use network vulnerability scanning tools to verify all services.
Audit your system monthly.
Make a security OS baseline, keep it up to date.