We use grsec on our shell servers, and have enabled the following features. There is a remote possibility that they may interfere with your applications; so we have documented which features we enable in order to avoid any surprises.
CONFIG_GRKERNSEC_IO=y - disables ioperm/iopl calls which could modify running kernel CONFIG_GRKERNSEC_BRUTE=y - prevents rapid respawning of apache and ssh daemons (when someone's bruteforcing) CONFIG_GRKERNSEC_EXECLOG=y - logs all execs CONFIG_GRKERNSEC_CHROOT_EXECLOG=y - logs execs in chroots CONFIG_GRKERNSEC_AUDIT_MOUNT=y - logs *un)mounts CONFIG_GRKERNSEC_SIGNAL=y - logs signals like sigsegv CONFIG_GRKERNSEC_FORKFAIL=y - logs failed forks CONFIG_GRKERNSEC_TIME=y - logs time changes CONFIG_GRKERNSEC_PROC_IPADDR=y - saves each process owner's IP address in /proc/PID/ipaddr CONFIG_GRKERNSEC_SHM=y - shared memory protections CONFIG_GRKERNSEC_TPE=y - ability to restrict certain users to only running trusted executables CONFIG_GRKERNSEC_RANDNET=y - larger entropy pool CONFIG_GRKERNSEC_SOCKET=y CONFIG_GRKERNSEC_SOCKET_ALL=y CONFIG_GRKERNSEC_SOCKET_CLIENT=y CONFIG_GRKERNSEC_SOCKET_SERVER=y - fine-grainer control who gets access to sockets CONFIG_GRKERNSEC_SYSCTL=y - allow runtime tuning of all options through sysctl