Network Security

The host on which LeanXcale resides should only have open the ports needed to connect client applications to LeanXcale. The firewall of the host has to be opened exclusively to the IPs of the hosts where the client application(s) are running; it must not be opened to everyone on the Internet. In Ubuntu, you can set up and manage the firewall using a utility called ufw (Uncomplicated Firewall), which provides a straightforward command-line interface for configuring firewall rules.

Here you can find how to set up the Ubuntu firewall: https://ubuntu.com/server/docs/security-firewall
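The following is an added example, not part of the LeanXcale documentation: a small POSIX shell script that emits the ufw rules restricting the LeanXcale client port (14420 by default) to an explicit list of application hosts, and that audits a `ufw status` listing for a rule that opens that port to any source. The client IPs and the sample status listing are constructed; the column layout of `ufw status` (To / Action / From) is assumed.

```shell
#!/bin/sh
# Added example, not from the LeanXcale documentation. Builds the ufw rules that
# expose the LeanXcale client port only to named application hosts, and audits a
# `ufw status` listing for a rule that opens that port to everyone.

# Print the ufw commands for PORT (first argument) and the client IPs that follow.
# Default policy is deny inbound, so anything not listed here is blocked.
lx_ufw_rules() {
    port="$1"; shift
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for ip in "$@"; do
        # one rule per application host, restricted to the database port
        echo "ufw allow from $ip to any port $port proto tcp"
    done
    echo "ufw enable"
}

# Read `ufw status` output on stdin. Print every rule that allows PORT from
# Anywhere and return 1 if any was found; return 0 when the port is restricted.
lx_ufw_audit() {
    port="$1"
    awk -v p="$port" '
        { gsub(/ \(v6\)/, "") }                  # fold IPv6 rows into the same shape
        $1 == p || $1 ~ ("^" p "/tcp$") {        # rows for the LeanXcale port only
            if ($2 == "ALLOW" && $3 == "Anywhere") { print "EXPOSED: " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample of a `ufw status` listing with one over-broad rule.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
14420/tcp                  ALLOW       10.0.0.5
14420/tcp                  ALLOW       Anywhere'

if [ "${1:-}" = "demo" ]; then
    lx_ufw_rules 14420 10.0.0.5 10.0.0.6
    printf '%s\n' "$SAMPLE_STATUS" | lx_ufw_audit 14420 || echo "port 14420 is open to the Internet"
fi
```

Run it with `demo` to print the rule set and the audit result; if you moved the query engine to another port (for instance 3444), pass that port instead of 14420.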

Least Privilege Principle

Each role in your organization should get only the minimum privileges needed to perform that role, and no more. LXADMIN access should be limited to the administrators of the database. Create roles for each different activity on the database, such as developer, user, etc. Each person should have a separate user account. Strong password selection should be enforced.

Change Defaults

A good practice is to change the default ports, so that an attacker has a harder time identifying them. You can change the default ports in the configuration file. In particular, the port on which LeanXcale listens for client connections is 14420. You can change it by indicating in the configuration file which port you want the query engine (lxqe) to use, for instance port 3444:

host atlantis
    lxqe
        addr atlantis!3444

Use Encryption

Use encryption in the client-server communication activating TLS. It will prevent an attacker that gained access to your network from seeing the contents of the messages exchanged between your application and the database server.

You can enforce that encryption is always used to communicate with LeanXcale by setting the tls global property in the configuration file when installing:

tls
host atlantis

Or it can be indicated as a parameter when installing with lxinst:

unix$ lxinst tls /usr/local/leanxcale

This forces the SQL console to use TLS in its connection.

Client applications should use the 'tls=yes' property in the driver connection string.

Activate storage encryption to prevent an attacker who gains access to the device, physically or through the host, from seeing the stored data. Also note that you have to use encrypted backups.

Regular Patching

Applying critical security updates and patches is highly recommended to eliminate already-fixed vulnerabilities.