I'd say the normal server hardening precautions apply. Off the top of my head:
- keep software/packages up to date
- only use public-key authentication for ssh / disable password-based auth
- optionally change the ssh port (it just avoids the worst of the port scanning / brute force attempts)
- limit the number of services running on your relays (ideally only run Tor and supporting services, i.e., maybe DNS)
- firewall off (deny) everything except DirPort/ORPort/ssh
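
An added example, not part of the original post: a small Python audit of the checklist above that reads a torrc, an sshd_config and `ss -tlnH` output, then reports non-loopback TCP listeners other than ORPort/DirPort/ssh and whether password authentication is still allowed. The three sample inputs are constructed, the function names are hypothetical, and `Match` blocks in sshd_config are not evaluated.

```python
import re

def tor_ports(torrc):
    """Ports from ORPort/DirPort lines, written as "[address:]PORT [flags]"."""
    ports = set()
    for line in torrc.splitlines():
        m = re.match(r"\s*(ORPort|DirPort)\s+(\S+)", line, re.I)
        if m:
            value = m.group(2).rsplit(":", 1)[-1]
            if value.isdigit() and int(value) != 0:  # skips "auto" and 0 (disabled)
                ports.add(int(value))
    return ports

def sshd_settings(conf):
    """Return (ssh ports, PasswordAuthentication value), applying OpenSSH defaults."""
    ports, found = set(), {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "match":  # assumption: conditional blocks are out of scope
            break
        if key == "port":
            ports.add(int(parts[1]))
        else:
            found.setdefault(key, parts[1].lower())  # first occurrence wins
    return ports or {22}, found.get("passwordauthentication", "yes")

def exposed_ports(ss_output):
    """Ports of TCP listeners in `ss -tlnH` output that are not bound to loopback."""
    ports = set()
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] != "LISTEN":
            continue
        addr, port = f[3].rsplit(":", 1)
        if not (addr.startswith("127.") or addr == "[::1]"):
            ports.add(int(port))
    return ports

def audit(torrc, sshd_conf, ss_output):
    ssh_ports, password_auth = sshd_settings(sshd_conf)
    extra = exposed_ports(ss_output) - (tor_ports(torrc) | ssh_ports)
    findings = [f"unexpected listener on port {p}" for p in sorted(extra)]
    if password_auth != "no":
        findings.append("sshd allows password authentication")
    return findings

# Constructed sample inputs (not taken from a real relay).
TORRC = "ORPort 9001\nDirPort 9030\n# ControlPort 9051\n"
SSHD = "Port 2222\nPubkeyAuthentication yes\n#PasswordAuthentication no\n"
SS = ("LISTEN 0 4096 0.0.0.0:9001 0.0.0.0:*\nLISTEN 0 4096 0.0.0.0:9030 0.0.0.0:*\n"
      "LISTEN 0 128 [::]:2222 [::]:*\nLISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*\n"
      "LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*\n")
```

This inspects listening sockets only; it does not read firewall rules, so a port it flags may already be blocked from outside.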