The fewer moving parts you run, the fewer things you have to harden and monitor.
systemctl --type=service --state=running
systemctl --failed
Check what is listening on the network:
sudo ss -tulpn
Stop and disable a service:
sudo systemctl disable --now <service>
Mask it if you want to prevent accidental starts:
sudo systemctl mask <service>
sudo apt autoremove --purge
sudo apt clean
List manually installed packages (review for removals):
apt-mark showmanual | sort