How do you protect your linux servers?
Install rkhunter?
Configure iptables?
fail2ban?
Are you using mod_security for apache?
Naxsi for nginx?
Does everyone have Snort?
What else are you doing?
Strongly depends on server roles.
Specifically:
rkhunter
iptables
no open ports other than HTTP(s)/SSH
SSH only from allowed IPs (whitelist)
In my case the role is: a PHP platform for my own public project.
Regular updates, SSH only from trusted IP addresses, key-based authentication and complex passwords.
What I saw in several offices:
A separate VLAN and subnet behind a separate internal router, where the SSH/telnet servers, switches, routers, iLO, DRAC and IPMI interfaces are reachable and only the sysadmins' IP addresses are allowed in; the monitoring and statistics VM lives there too.
dot1x (802.1X): you can plug into any port of any switch and the port is configured automatically after login/password; otherwise you land in a separate VLAN and subnet with its own DNS and a web server that redirects everything to a “Who are you?” page and notifies the administrator.
Separate VLANs and subnets for workstations/printers, servers, and the DMZ.
From workstations and servers, internal networks are reachable only at strictly defined addresses (domain controllers, FTP, DNS, proxies, etc.), enforced by the internal router.
And on the servers themselves: virtual machines, backups, snapshots, complex passwords, root login already disabled on Ubuntu, only the services that really need to be reachable from outside are exposed and the rest sit behind NAT. Regular updates of servers and services, using only official software sources, either the distribution repositories or the program's official website.
That is just what I can check as an admin.
Everything but nginx and sshd is listening on 127.0.0.1. root can't even log in locally. Each application has its own set of users. Remote login with keys only.
rkhunter, and in addition chkrootkit runs.
SSH only with certificates, although I almost always leave root login enabled. However, I reach SSH from the outside world via iptables port knocking.
In some places I use tripwire for integrity control.
fail2ban is running. It constantly stops brute-force attempts against Asterisk.
iptables is the main defense. SSH also has a list of logins that are allowed in.
I have a server with virtual machines that I need remote access to; there is also a database and a web server. I forward all necessary connections to all services via SSH tunneling, i.e. only SSH on a non-standard port is exposed to the Internet. The server itself is connected to the Internet via a router. On the router, I block Internet access for the relevant virtual machines (completely or on certain ports) by MAC address.
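A small audit script, added here and not posted by anyone in the thread, that checks the two controls most of the answers above converge on: SSH with no root login, key-only authentication and an explicit AllowUsers list, and nothing except the chosen ports (nginx, sshd) listening off loopback. The sshd_config lines and the `ss -ltn` output are constructed samples, and the helper names are my own.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Assumes POSIX sh + awk and that
# `ss -ltn` output has been saved to a file first.

# First matching keyword wins, which is how sshd itself reads sshd_config.
# Caveat: settings inside Match blocks are not handled.
sshd_setting() {  # $1 = config file, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) && !done { v = $2; done = 1 }
                     END { print v }' "$1"
}

# Prints one line per finding; exit status is the number of findings.
audit_sshd_config() {
    cfg="$1"; n=0
    root=$(sshd_setting "$cfg" PermitRootLogin)
    [ "$root" = "no" ] || { echo "PermitRootLogin=${root:-<default>} (want no)"; n=$((n+1)); }
    pw=$(sshd_setting "$cfg" PasswordAuthentication)
    [ "$pw" = "no" ] || { echo "PasswordAuthentication=${pw:-<default>} (want no)"; n=$((n+1)); }
    [ -n "$(sshd_setting "$cfg" AllowUsers)" ] || { echo "AllowUsers unset (want explicit list)"; n=$((n+1)); }
    return $n
}

# Prints every listening socket that is not bound to loopback and whose port
# is not in the allowed list. $1 = file with `ss -ltn` output, $2 = e.g. "22 443".
exposed_listeners() {
    awk -v allowed=" $2 " 'NR > 1 {
        k = split($4, p, ":"); port = p[k]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr !~ /^127\./ && addr != "[::1]" && index(allowed, " " port " ") == 0) print $4
    }' "$1"
}

# Constructed samples so the script runs offline.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
SSHD_GOOD="$tmp/good"; SSHD_BAD="$tmp/bad"; SS_SAMPLE="$tmp/ss.txt"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' 'AllowUsers deploy ops' > "$SSHD_GOOD"
printf '%s\n' '#PermitRootLogin no' 'PasswordAuthentication yes' 'PermitRootLogin yes' > "$SSHD_BAD"
printf '%s\n' 'State Recv-Q Send-Q Local Address:Port Peer Address:Port' \
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' 'LISTEN 0 511 0.0.0.0:443 0.0.0.0:*' \
    'LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*' 'LISTEN 0 128 [::]:5432 [::]:*' > "$SS_SAMPLE"

audit_sshd_config "$SSHD_BAD" || echo "bad config: $? findings"
exposed_listeners "$SS_SAMPLE" "22 443"   # prints [::]:5432
```

On a real host, run it against a copy of /etc/ssh/sshd_config and a saved `ss -ltn` listing; a database listening on `[::]:5432` or `0.0.0.0:3306` is exactly the kind of thing the "everything but nginx and sshd on 127.0.0.1" answer is guarding against.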