For system-wide server protection, I recommend installing csf . By the way, there is also a small built-in set of "tests" (20-30 pieces) with recommendations for making changes to the server settings to enhance security.
I also recommend installing tiger , it conducts a (one-time and regular) audit of the server and reveals various "bad things" (as an example, the presence of users with UID=0, except for root, and many, many other checks and recommendations), and keep rkhunter on the server and chkrootkit is possible for every fireman.
And the general recommendations are simple - keep the minimum number of services, the minimum number of open ports, the minimum number of users (with the minimum necessary rights), keep clean (do not clog the system with packages, especially "left" and unnecessary) and consistency.
Well, backups, they are also, oddly enough, part of the server's security. Make backups of data and configs and keep them on the sidelines (not on the server itself).
Do not forget that security is not a result, but a process. It is impossible to take and "secure the server" once and for all (except by turning it off and locking it in a safe), you need to monitor security, keep versions up to date (especially if dangerous vulnerabilities are closed in updates).

Safe enough. If you do not have experience in administration, then you should not change anything. The best solution would be to leave it "out of the box".

See more here . A fairly easy to understand note about security (albeit from the "library" of linode, but I think it should be easy to "adapt" to your server / provider).