SSH - change port, disable root login, disable password login, set up SSH keys using SK (YubiKey in my case)
nftables - I use https://github.com/etkaar/nftm to keep things quick and simple. I like the fact it will convert DNS entries to IPs. I then just use dynamic DNS update clients on all my endpoints.
WireGuard for access to services other than SSH (in some cases port 443 will be open if it's a web server or proxy)
rsyslog to forward auth logs to my central syslog server
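An added example, not part of the original comment: a small Python check that reads `sshd_config` text and reports which of the SSH settings listed above are not in effect. The function names and the sample config are constructed for illustration; `Include` files and `Match` blocks are not evaluated.

```python
import re

# Constructed sample config for illustration (not from the comment above).
SAMPLE_HARDENED = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
# sshd keeps the first value it reads, so this later line has no effect:
PasswordAuthentication yes
"""

def effective_settings(text):
    """Return keyword -> list of values from the global section, in file order."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z0-9]*)[\s=]+(.*\S)", raw)
        if not m:
            continue  # blank line, comment, or keyword without a value
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # simplification: Match blocks are not evaluated here
        settings.setdefault(key, []).append(value)
    return settings

def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    s = effective_settings(text)

    def first(key, default):
        # For most keywords sshd uses the first value it encounters.
        return s.get(key, [default])[0].lower()

    findings = []
    # Port may be repeated, and every listed port is opened.
    if "22" in s.get("port", ["22"]):
        findings.append("listening on default port 22")
    if first("permitrootlogin", "prohibit-password") != "no":
        findings.append("root login not disabled")
    if first("passwordauthentication", "yes") != "no":
        findings.append("password login enabled")
    # Keyboard-interactive (PAM) can still prompt for a password.
    if first("kbdinteractiveauthentication", "yes") != "no":
        findings.append("keyboard-interactive login enabled")
    algos = first("pubkeyacceptedalgorithms", "")
    if not algos or not all(a.startswith("sk-") for a in algos.split(",")):
        findings.append("non-SK public key types accepted")
    return findings
```

On a live host, the output of `sshd -T` (the effective configuration with includes resolved) can be passed to `audit()` instead of the raw file.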
One of the main reasons I run my own instances (Mastodon and Lemmy). Keep the garbage blocked and out of sight.