Get your firewall right then maybe add fail2ban.

You could also consider IDs/IPs on your primary router/firewall if this is internal. If not you can install surricata on a public server. Obviously if you go with something as powerful as surricata you no longer need fail2ban.

Keep a sharp eye on any users with sudo. Beyond that consider docker as others have mentioned.

It does add to security because it allows the developers a bit more control of what packages are utilized for their applications. It creates a more predictable environment.