Don’t use Cloudflare or any CDN/anti-DDoS services because they decrypt all traffic that goes to and from your server. You don’t know what they do with it.
DNS queries sent by the server should be encrypted so that the ISP/data center cannot see them.
Use KVM instead of LXC. It’s so easy to automatically scan LXC processes on the fly.
My privacy hardening tips are: