Things you do to help secure your OS? - Security & Cryptography

Loki123
I have this habit of thinking of security in different ways: from remote access security, such as protecting yourself from attacks on open services (web server and SSH, for example), to protection against local exploits and vulnerabilities. These are two things you need to approach in different manners.

For open services such as SSH I suggest reading the link Venam posted. It covers most of SSH, updates and more. There is just one thing in there you might want to decide for yourself: su vs sudo. Both of them can be great if properly set up. Personally I like su better because I've always used it, but sudo provides a great alternative if you want to allow multiple people (a team) to have access to the root administrator without giving them all the password to the root user. Thus, they would either set up their own sudo password or have the same as their user password. The latter is something I would not recommend, as if the password is compromised in one way or another, the attacker has the root password also, which is not good. But like I said, if properly set up they are equally secure, but I don't see the reason for using sudo if you are the only person that will have access to the root user.

Fail2Ban is also covered in that link, and I surely suggest that you read more into Fail2Ban, as it can do a great many things and is a neat tool.

Now to the part it seems that no one has mentioned. If you want security locally too, I strongly suggest that you take a long look into Grsecurity and the PaX team's ASLR. That will provide local security on many different levels, from buffer overflows to unknown and not yet patched attacks, to some extent. PaX ASLR has been enabled since 2008, if I am not mistaken, in all kernel versions, so that at least is there; however, installing the kernel and protecting it with Grsecurity is a great addition too.

I just wanted to include this somewhere: you can also include two-factor authentication for SSH using Google's 2FA, and the Arch Wiki covers how to implement it. Think about it this way: stacking layers of security decreases the chances an attacker has to break into your system. With 2FA + keys with a strong passphrase + IP lock with the firewall or configuration, he has 3 hoops to get through before it is possible to gain SSH access. That in no way means that other services are secure and that you can't be rooted, but it makes it a hell of a lot harder, but it is also a serious case of overkill in security for one service. But possible.
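
The layering described in the post above (keys, 2FA, IP lock), as an added example that is not part of the original post: a small Python check over the global section of an `sshd_config`. The sample configs, the user `alice` and the `192.0.2.*` pattern are constructed, and treating `keyboard-interactive` as the 2FA step assumes PAM is set up with an authenticator module, which the script cannot see.

```python
# Added example: audit an sshd_config for the three layers named in the post.
SAMPLE_WEAK = """\
# constructed sample
PasswordAuthentication yes
PermitRootLogin yes
"""
SAMPLE_LAYERED = """\
# constructed sample; 192.0.2.0/24 is a documentation address range
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
AllowUsers alice@192.0.2.*
"""


def parse_global(text):
    """Collect global-section keywords (lower-cased) with every value seen, in order."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        if keyword == "match":      # conditional blocks follow; global section ends here
            break
        settings.setdefault(keyword, []).append(parts[1].strip())
    return settings


def audit(text):
    """Return which of the three layers the global config enforces."""
    cfg = parse_global(text)
    # sshd uses the first value obtained for a keyword; defaults are sshd's own.
    first = lambda key, default: cfg.get(key, [default])[0].lower()
    # AuthenticationMethods: space-separated alternatives, each a comma-separated chain.
    chains = [{m.split(":")[0] for m in alt.split(",")}
              for alt in first("authenticationmethods", "any").split()]
    allow = [p for value in cfg.get("allowusers", []) for p in value.split()]
    return {
        # every accepted chain must demand a key AND the interactive (assumed 2FA) step
        "keys_plus_2fa": all({"publickey", "keyboard-interactive"} <= c for c in chains),
        "password_disabled": first("passwordauthentication", "yes") == "no",
        # every AllowUsers pattern must carry a USER@HOST restriction
        "ip_locked": bool(allow) and all("@" in p for p in allow),
    }


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("layered", SAMPLE_LAYERED)):
        print(name, audit(sample))
```

An IP lock done at the firewall instead of in `AllowUsers` will show as `ip_locked: False` here, since the script only reads the SSH configuration.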


Messages In This Thread
Things you do to help secure your OS? - by October - 24-09-2015, 04:21 PM
RE: Things you do to help secure your OS? - by October - 25-09-2015, 09:44 PM
RE: Things you do to help secure your OS? - by Loki123 - 01-03-2016, 04:48 PM