+1 to the grsecurity patch. This website has good tips: http://hardenubuntu.com/
Trisquel also comes with lots of default AppArmor profiles you can enforce.
Use a file integrity program like Tripwire or AIDE to check when files have
been changed. Use a program like logwatch to check some important logs. Set
up mail to email all these reports to root. I use Dragonfly mail agent so
nothing listens on ports.
https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps
Disable services, especially those you don't need. Disable all services
listening on ports especially. As root, type lsof -i. Disable them all.
Use a static connection, not DHCP.
Use some tools to monitor your network in real time. I like etherape because
it's graphical. There is also iftop, iptraf-ng, nethogs, ntop. Netatop is
actually a great plugin for atop, because it will even show short-lived
processes, but you need to compile kernel for it.
But I hate to break it to you, real security experts will tell you it's not
about stopping them from getting in anymore, it's about how fast you can
detect the intrusion and minimize the damage. Even the head of IAD for the
NSA will tell you the same thing. Assume you are already hacked. The main
thing is checking your logs, and trying to figure out what and when.
Because if you are very active on your PC, it really doesn't matter who you
are, you can't stop it. But what you can do is limit it.
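
Added example, not part of the original post: one way to review the lsof -i output mentioned above so that only sockets reachable from the network stand out. The function names, the -P -n flags (numeric ports and addresses) and the sample lines are assumptions made for this illustration; the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: review `lsof -i -P -n` output for sockets reachable from the network.

# Constructed sample of `lsof -i -P -n` output (not captured from a real host).
sample_lsof() {
    cat <<'EOF'
COMMAND    PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd       812  root    3u IPv4  18432      0t0  TCP *:22 (LISTEN)
sshd       812  root    4u IPv6  18434      0t0  TCP *:22 (LISTEN)
cupsd      901  root    7u IPv6  19000      0t0  TCP [::1]:631 (LISTEN)
cupsd      901  root    8u IPv4  19001      0t0  TCP 127.0.0.1:631 (LISTEN)
avahi-dae  640  avahi  12u IPv4  17000      0t0  UDP *:5353
firefox   2201  alice  55u IPv4  40112      0t0  TCP 192.0.2.20:51514->198.51.100.7:443 (ESTABLISHED)
EOF
}

# Reads lsof output on stdin; prints "command user proto address port" for each
# TCP listener or unconnected UDP socket that is not bound to loopback only.
exposed_listeners() {
    awk '
    $1 == "COMMAND" { next }                              # header row
    $8 != "TCP" && $8 != "UDP" { next }
    $8 == "TCP" && $10 != "(LISTEN)" { next }             # skip established sessions
    $8 == "UDP" && index($9, "->") > 0 { next }           # skip connected UDP
    {
        addr = $9; sub(/:[^:]*$/, "", addr)               # strip ":port"
        port = $9; sub(/^.*:/, "", port)                  # keep the port only
        if (addr ~ /^127\./ || addr == "[::1]") next      # loopback only
        print $1, $3, $8, addr, port
    }' | LC_ALL=C sort -u
}

# On a live system (as root): lsof -i -P -n | exposed_listeners
sample_lsof | exposed_listeners
```

Each line it prints is a service to disable or to justify keeping; saving the list and comparing it against later runs turns the one-time cleanup into a check for newly opened ports.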