For SSH access, I have fail2ban + access only via certificates. For the rest, I have disabled web access and APIs as I don't need them.
I also keep an eye on logs, but there is not too much there, besides some bots scanning for open relays.