- keep software/packages up to date

- only use public-key authentication for ssh / disable password-based auth

- optionally change the ssh port (it just avoids the worst of the port scanning / brute force attempts)

- limit the number of services running on your relays (ideally only run Tor and supporting services (i.e., maybe dns)

- firewall off (deny) everything except DirPort/ORPort/ssh