make sshd accept logins only for certain users (AllowUsers <list...>)

disable TCP connections to the X server (add serverargs="-nolisten tcp" to /usr/bin/startx, and add the same option to the X display manager config; e.g. for xdm, put /usr/bin/X -nolisten tcp as the command line in /etc/X11/xdm/Xservers)
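
A way to check that both settings above are actually in place, as an added example (not part of the original notes). The function names are made up for illustration, and /etc/ssh/sshd_config is an assumed location for the sshd configuration, since the notes do not name it.

```shell
#!/bin/sh
# Added example: audit the two settings from the notes above.
# Assumption: sshd reads /etc/ssh/sshd_config (not stated in the notes).

# Print each user named by an active AllowUsers line (keyword is
# case-insensitive, "#" lines are comments); return 1 if there is none.
sshd_allowed_users() {
    awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i; n++ }
         END { exit n ? 0 : 1 }' "$1"
}

# Succeed if the startx script assigns serverargs containing "-nolisten tcp".
startx_nolisten() {
    grep -Eq '^[[:space:]]*serverargs=.*-nolisten[[:space:]]+tcp' "$1"
}

# Print every active Xservers entry lacking "-nolisten tcp"; return 1 if
# any is found, 2 if the file cannot be read.
xservers_missing_nolisten() {
    [ -r "$1" ] || return 2
    awk 'NF == 0 || $1 ~ /^#/ { next }
         !/-nolisten[ \t]+tcp/ { print; bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}

# Report all three checks; arguments override the default paths.
audit_host() {
    sshd=${1:-/etc/ssh/sshd_config} startx=${2:-/usr/bin/startx}
    xsrv=${3:-/etc/X11/xdm/Xservers} rc=0
    if users=$(sshd_allowed_users "$sshd"); then
        echo "OK   sshd AllowUsers:" $users
    else
        echo "FAIL $sshd: no AllowUsers directive"; rc=1
    fi
    if startx_nolisten "$startx"; then
        echo "OK   startx passes -nolisten tcp"
    else
        echo "FAIL $startx: serverargs lacks -nolisten tcp"; rc=1
    fi
    if bad=$(xservers_missing_nolisten "$xsrv"); then
        echo "OK   xdm Xservers entries pass -nolisten tcp"
    else
        echo "FAIL $xsrv: ${bad:-unreadable}"; rc=1
    fi
    return $rc
}

# Only touches the live system when asked to.
if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Run it with --live to check the default paths, or call audit_host with three file paths to check copies of the configuration instead.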