Keeping the server daemons and OS TCP/IP stack patched cannot be stressed enough. The most effective DoS attacks are those which cause a lot of system resources to be consumed for little traffic (such as a buffer overflow crashing an Apache process: the request is small but the recovery uses resources. If I can send 100 requests a second to a vulnerable box, then it has to spawn 100 processes a second and still serve other clients; this scales rather badly).
There are two other things you can do:
1.) Look at your gateway routers and be certain these too are patched. You may like to look at some of the advanced traffic queueing options which may be there.
2.) A proactive monitoring system so you can detect abnormally high loads on a machine and strange traffic patterns in your network, analyse events and then block the source IP addresses as far out as possible (preferably at your ISP, otherwise he who has the greatest bandwidth will win).
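
An added example, not part of the original post, of the kind of monitoring check point 2 describes: it scans Apache access-log lines and reports sources that exceed a per-second request threshold, as candidates for blocking upstream. The function names, the sample log lines (documentation-range IPs) and the use of 100 requests per second as the threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Prefix of Apache common/combined log format: client IP, identity, user, [timestamp]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def find_noisy_sources(lines, max_requests=100, window=timedelta(seconds=1)):
    """Return {ip: peak_count} for sources exceeding max_requests inside any window.

    Assumes each source's lines arrive in chronological order, as in a live log.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the sliding window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ip, raw_ts = m.groups()
        try:
            ts = datetime.strptime(raw_ts, TS_FORMAT)
        except ValueError:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def sample_log():
    """Constructed sample: one ordinary client, one source bursting 120 requests in a second."""
    normal = [f'198.51.100.7 - - [10/Oct/2023:13:55:{s} +0000] "GET /index.html HTTP/1.1" 200 2326'
              for s in range(30, 36)]
    burst = ['192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512'] * 120
    return normal + burst + ["not a log line"]


if __name__ == "__main__":
    for ip, peak in find_noisy_sources(sample_log()).items():
        print(f"{ip} peaked at {peak} requests/second: candidate for upstream block")
```

Because Apache timestamps have one-second resolution, the default window counts requests that share the same second; widen `window` to catch slower but sustained floods.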