I have all my services behind a reverse proxy and use Crowdsec to monitor and block automated attacks. I also have pocket-id for auth, I use SSO for apps that support it and others just require authentication to access them at all. The docs are pretty solid, it was easy to set up.

Make sure you know the services running on your server, the most likely way you could get attacked is by just leaving some vulnerable or misconfigured software running and accessible.