Here is a list of things I do to secure my server.

1. Turn on UFW (sudo ufw enable) and then only allow ports that are actually used. (sudo ufw allow 80)


2. Make sure MySQL only allows connections from localhost.


3. Enable TLS on mail services. Even if it's a self-signed cert. You don't want passwords sent in the clear.


4. Install ssh bruteforce blockers like denyhosts or fail2ban. (sudo apt-get install denyhosts)


5. Look into making ssh key-based logins only.


6. Learn AppArmor. If you use fairly vanilla configurations, then it's extremely easy. Just make sure it's turned on. It will help reduce zero-day exploits.


7. Depending on physical access to the server, you may even want to look at encrypting the data on the harddisk.


8. Follow other recommendations in https://help.ubuntu.com/18.04/serverguide/security.html.


9. Never trust your users. If you are having multiple users with access to the system, lock them down. If you have to give them sudo access, give them only what they need.


10. Use common sense. Think real hard about how you'd get in if you were ever locked out. Then close those holes.

A few more things to consider. Most people forget about physical access. All the software configurations in the world don't mean anything if I can physically walk in with a LiveCD and steal your data. Beware of social engineering. Ask questions to verify who is on the phone and make sure they have the authorization to make the request they are making.

You can read up more about this subject on https://help.ubuntu.com/18.04/serverguide/index.html and pay special attention to https://help.ubuntu.com/18.04/serverguide/security.html.