calum.org:~#

Reverse firewall

Tags: networking

Added: 2021-04-01T14:24:50

I wonder whether it's worth configuring a server to only allow outbound traffic that is a response to an inbound request.
This would stop automated attacks from downloading rootkits or exfiltrating data (assuming the attacker doesn't have root access; with root they can simply change the firewall rules to allow whatever they want).

Something like this maybe?

# Assuming no pre-existing rules - don't just run this!
# Loopback must be allowed or local services (database, resolver, etc.) break
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept the later packets of connections admitted by the rules below;
# without this only the first SYN gets through and every connection stalls
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
for PUBLIC in 22 80 443 # Your public ports
do
  iptables -A INPUT -p tcp --dport ${PUBLIC} -m conntrack --ctstate NEW -j ACCEPT
done
iptables -A INPUT -j REJECT

# Only let out packets that belong to a connection a client opened
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# -P sets the chain's default policy and takes no -j; note the host itself
# can now no longer open connections (DNS, NTP, package updates) without exceptions
iptables -P OUTPUT DROP
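Because the DROP policy is silent, here is an added example (not from the original post) that logs every outbound connection attempt the policy stops and summarises the resulting kernel log by owning UID and destination, so a service that has started calling out on its own stands out. It assumes the ruleset above is loaded and that kernel messages reach a syslog file such as /var/log/kern.log; the log lines embedded below are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the OUTPUT chain
# above is in place; the sample log lines further down are constructed.

add_outbound_logging() {
  # Anything NEW leaving the host is a process trying to call out on its
  # own, since clients' connections are already ESTABLISHED by this point.
  # --log-uid records the UID of the owning process so the culprit
  # service can be identified from the log line.
  iptables -A OUTPUT -m conntrack --ctstate NEW \
    -j LOG --log-prefix "OUTBOUND-BLOCKED: " --log-uid --log-level 4
}

# Reduce a kern.log on stdin to "uid dst:dport proto count", busiest first.
summarise_blocked() {
  grep 'OUTBOUND-BLOCKED:' |
  awk '{
    uid="?"; dst="?"; dpt="-"; proto="?"
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "UID")   uid   = kv[2]
      if (kv[1] == "DST")   dst   = kv[2]
      if (kv[1] == "DPT")   dpt   = kv[2]
      if (kv[1] == "PROTO") proto = kv[2]
    }
    n[uid " " dst ":" dpt " " proto]++
  }
  END { for (k in n) print n[k], k }' |
  sort -rn |
  awk '{ print $2, $3, $4, $1 }'
}

# Constructed sample: the web server user (UID 33) trying to reach an
# outside host on port 80 twice, plus one DNS lookup attempted by root.
SAMPLE_LOG='Apr  1 15:35:02 srv kernel: OUTBOUND-BLOCKED: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 UID=33 GID=33
Apr  1 15:35:03 srv kernel: OUTBOUND-BLOCKED: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=43211 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 UID=33 GID=33
Apr  1 15:35:09 srv kernel: OUTBOUND-BLOCKED: IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=51000 DPT=53 LEN=40 UID=0 GID=0'

# Run against the constructed sample; on a real host use:
#   summarise_blocked < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | summarise_blocked
```

A sudden new "uid dst:dport" line for a service account is the signal worth alerting on; the UID tells you which service to look at first.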

posted by Calum on 2021-04-01T15:35
