Change the Default SSH Port maybe to something like 27765 which is difficult to guess

Disable Root Login

Using SSH Keys(Public Key) instead of SSH Passwords to prevent sniffing attacks by sniffing network packet sniffing

Enable Firewall and Set Incoming Port(80/443/SSH) and Possible in Use Outgoing port traffic only.

Use SFTP only

Install Antivirus Clam AV and set it to update with cron

Install a Malware Scanner to run with cron on daily basis

Disable IP V6

Disable DNS recursion

Enable brute forcing prevention through Fail2ban

Some services can also be installed over a Docker Container in case like Database Systems can run on a Container

Use rkhunter which is a well known tool for checking vulnerabilities, rootkits, back doors, and possible local exploits on a server

If possible use a VPN via Open VPN