Not a professional sysadmin. I run my homelab and handle a few servers at work. I don't use an IDS, so this may be irrelevant.
WAF to stop HTTP parameter pollution and request smuggling
Fail2ban on SSH, and move SSH away from port 22
Set up a LAN recursive resolver and disallow outbound raw DNS
For me, a lot more emphasis is on defending the application
Set up systemd unit hardening
Use the Landlock LSM to whitelist directories (modifying the source is needed). Stops directory traversal and command execution
TLS or stunnel between application and database
Point DNS to local resolver
LD_PRELOAD hardened allocator
I'm currently looking into the Linux port of pledge to further reduce the post-exploit attack surface, but the project is not mature enough for production yet.
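As an added example (not the commenter's own configuration), here is a systemd drop-in that applies the "systemd unit hardening" and "LD_PRELOAD hardened allocator" items above to a hypothetical `webapp` service; the service name, its state directory and the allocator library path are assumptions.

```ini
# /etc/systemd/system/webapp.service.d/hardening.conf
# Drop-in for a hypothetical "webapp" service (assumptions: it serves TCP,
# keeps its writable state under /var/lib/webapp, and needs no capabilities).
[Service]
# Transient unprivileged user; no way to regain privileges after exec.
DynamicUser=yes
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
# Filesystem: whole OS read-only, no /home, private /tmp, one writable dir.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
StateDirectory=webapp
UMask=0077
# Hide kernel interfaces and other processes from the service.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProcSubset=pid
PrivateDevices=yes
# Shrink the syscall and namespace surface reachable after a compromise.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# Forbid writable+executable memory; remove this line if the app uses a JIT.
MemoryDenyWriteExecute=yes
# Only Unix and IP sockets (netlink, packet sockets etc. are denied).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Hardened allocator via LD_PRELOAD (library path is an assumption).
Environment=LD_PRELOAD=/usr/lib/libhardened_malloc.so
```

`systemd-analyze security webapp.service` scores the result; after reloading, confirm the application still starts, since `SystemCallFilter` and `MemoryDenyWriteExecute` are the directives that most often break a service.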