A bare metal or virtual private server connected to the public internet is a huge target. Botnets will scan it within minutes for vulnerabilities and brute-force access. Securing your server should be your absolute first priority before installing any applications.
Using a password for the root user is considered insecure. Instead, set up an SSH key pair. Once your public key is added to the ~/.ssh/authorized_keys, disable password authentication entirely inside your /etc/ssh/sshd_config file.
Uncomplicated Firewall (UFW) is built into Ubuntu and is extremely easy to use. Enable it and allow only the specific ports you need, like port 22 for SSH and ports 80/443 for web traffic. This immediately limits your attack surface.
Fail2Ban monitors your system logs to find multiple failed login attempts. If an attacker tries to guess your password too many times, Fail2Ban blocks their IP address at the firewall level for a specified duration. This makes brute-forcing statistically impossible.
Following these three fundamental steps drastically increases your security posture on any new deployment.