I have almost no experience with MAC, but do have a little experience with securing public servers.
SElinix is probably the most widely deployed MAC framework for Linux, with AppArmor a close second. If you really want to enable some sort of MAC, I'd probably go with whichever one of those two is better supported on your distro.
That said, MAC is probably overkill in your case. My approach to securing a server like yours would be to do the following:
- Configure your firewall to allow incoming connections only on ports associated with services you want to be visible from the Internet. This includes firewalling the MySQL port (I am assuming that MySQL is only being accessed by other services running on the same host). Don't allow Samba access from the Internet either.
- Disable remote SSH access for the root account, and any user accounts which do not need the ability to log in remotely. Remote CLI admin tasks can still be performed by establishing a SSH session as a non-root user, then using su or sudo to run administrative commands.
- Make sure all accounts with remote SSH login capability have strong passwords. Alternatively, you could allow logins only via RSA key pairs, and protect the private key at the remote end with a strong passphrase. (Which approach you use depends on how much you trust your users to always use a strong passphrase to protect their private keys. The Fedora Project security breach last fall resulted from a Fedora employee who had an unprotected private key file.)
- Do not expose any remote desktop services (VNC, XDMCP, etc.) directly to the Internet, even if they are password protected. If remote desktop access is desired, firewall the port associated with the service and establish a SSH port forward to access the remote desktop service when needed.
The years just pass like trains. I wave, but they don't slow down.
-- Steven Wilson