if any services are available from outside (ssh, mysql, phpmyadmin), set limited access for them - ip white list, access by keys (in case of ssh), install and configure fail2ban. Better yet, inspect the outgoing services, and analyze the possibility of disabling access to them directly from the Internet.

now it is desirable to raise the VPN and make friends with your router (or PC on the edge), so that access from the outside is only through the VPN. ssh and all other services should only respond to your VPN network.

In addition to access settings (firewall/iptables), all unexpected requests to the web server should be disabled:
How to protect websites from hacking?

It’s easier to immediately install something like vestacp or centos webpanel (I recommend) or any other free one, installed with one command and puts with it everything you need for hosting, including Apache databases, puffs, FTP soap, etc.
Well, it’s convenient to manage all this later.
Well, at the expense of protection - a normal password, the ssh port can be confused, for special paranoids White list can be done. And so everything is out of the box. Although a hole was found in the same vesta last year, so if you are paranoid, then everything is handled)

The settings of the software that you have installed are quite reliable by default, you will change them - then already look. Closing unopened ports with a firewall is like putting a handbrake on a car without wheels. A VPN by itself does not add security, it's just 1 more network interface.

You can set up a firewall in 2 minutes with ufw