There are two substantial features present in Ubuntu Server (and desktop, though less often used) that are significant, but under-utilized. The first of these is the AppArmor framework. For example, on my LAMP server, only dhclient3, mysqld, and tcpdump have AppArmor profiles. OpenSSH and Apache are obvious candidates for AppArmor, as they are commonly exposed to public networks, and compromise of them could have a significant impact on a server. Edit: I missed some profiles here, but there is still no comprehensive profile for Apache or OpenSSH. Installing apparmor-profiles does improve things somewhat, but there is still much to be done.

The second tool is UFW (the Uncomplicated Firewall), for which my server has profiles for Apache, Dovecot, OpenSSH, and Postfix. While not everyone uses UFW, it's extremely straightforward to produce UFW profiles, so there's hardly any excuse for apps not including one.

I'm not completely certain how the UFW rulesets are included in a package. Once I've dissected this, I'll be producing UFW rulesets and filing bugs against packages to include them. I don't feel that I have enough AppArmor expertise to produce profiles that are of sufficient quality to be redistributed, so I can only encourage package maintainers to examine the benefits of AppArmor for their package.
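As an added example (not part of the original post or of UFW itself), here is a small linter for UFW application profiles, the INI-style files that packages install under /etc/ufw/applications.d/. The field rules follow the ufw manual page as I understand it, restricting protocols to tcp and udp is an assumption of this sketch, and both sample profiles and their names are constructed.

```python
import configparser
import re

# Constructed sample: "Example Daemon" is well-formed, "Broken Daemon" is not.
SAMPLE = """\
[Example Daemon]
title=Example network daemon
description=Hypothetical service used to illustrate the format
ports=8080/tcp|5353|60000:60010/udp
[Broken Daemon]
title=Profile with mistakes
ports=80,443|99999/tcp|22/icmp
"""

def check_ports(spec):
    """Return a list of problems found in one ports= value."""
    problems = []
    for item in spec.split("|"):            # '|' separates port/protocol entries
        ports, _, proto = item.strip().partition("/")
        multi = "," in ports or ":" in ports
        if proto and proto not in ("tcp", "udp"):   # assumption: tcp/udp only
            problems.append(f"{item}: protocol must be tcp or udp")
        if multi and not proto:             # a bare single port means tcp and udp
            problems.append(f"{item}: list or range needs a protocol")
        for rng in ports.split(","):
            bounds = rng.split(":")
            if len(bounds) > 2 or not all(re.fullmatch(r"[0-9]+", b) for b in bounds):
                problems.append(f"{item}: malformed port '{rng}'")
            elif not all(1 <= int(b) <= 65535 for b in bounds):
                problems.append(f"{item}: port out of range 1-65535")
            elif len(bounds) == 2 and int(bounds[0]) >= int(bounds[1]):
                problems.append(f"{item}: range start must be below end")
    return problems

def lint_profiles(text):
    """Map each profile name to its list of problems (empty list = clean)."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        problems = [f"missing field '{k}'" for k in ("title", "description", "ports")
                    if not cp.get(name, k, fallback="").strip()]
        if cp.get(name, "ports", fallback="").strip():
            problems += check_ports(cp.get(name, "ports"))
        report[name] = problems
    return report

if __name__ == "__main__":
    print(lint_profiles(SAMPLE))
```

A profile that passes can be dropped into /etc/ufw/applications.d/ and enabled with `ufw allow "Example Daemon"`.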