things to do when setting up a new server

there are some things you can do to secure your server, more or less no matter what you want to do with it later.

unattended upgrades

unless you have a good reason not to do this, you should enable unattended security updates. on debian/ubuntu, you can just install the unattended-upgrades package, which should come preconfigured to do security updates.

fail2ban

fail2ban checks logs, for example those of sshd, for failed logins (or anything that it has a rule for), and blocks the corresponding ip addresses. if you don't need anything special, just install it and enable the service!

on ubuntu, that's

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

disable ssh password logins

to be safe against brute-force attacks, you should enforce logins with keyfiles instead of passwords.

if you don't have a keypair yet, run ssh-keygen on your computer (not on the server - the private key should never leave your machine!), which should guide you through the creation process. afterwards, you should find your keypair in ~/.ssh/ - the private key should have a name like id_rsa or id_ed25519, or whatever algorithm is the default at the time you read this. the public key has the same name, but with a .pub ending.

then, add your new public key (meaning the contents of your .pub file) to ~/.ssh/authorized_keys on the server.

you should already be able to log in without a password now. if not, check /etc/ssh/sshd_config for

PubkeyAuthentication yes

and reload sshd with systemctl reload sshd.service.

when this is working, disable password logins with

PubkeyAuthentication yes
PasswordAuthentication no

and again, reload sshd.
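
an added example (not part of the original page): a small shell check that the two settings above are what sshd really uses. sshd takes the first value it finds for each keyword, and the default debian/ubuntu sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, so a file there can override your edit. the function name check_ssh_logins and the sample outputs are made up for this example; sshd -T is the real command that prints the effective config.

```sh
#!/bin/sh
# added example: check the settings sshd actually uses, not what one file says.
# input on stdin: "keyword value" lines as printed by sshd -T.
# real use, in a second session before you close the first one:
#   sudo sshd -T | check_ssh_logins

check_ssh_logins() {
    awk '
        BEGIN {
            # the two settings from this page and the values it asks for
            want["pubkeyauthentication"]   = "yes"
            want["passwordauthentication"] = "no"
        }
        {
            key = tolower($1); val = tolower($2)
            # keep only the first value seen per keyword, like sshd does
            if ((key in want) && !(key in seen)) seen[key] = val
        }
        END {
            bad = 0
            for (key in want) {
                if (!(key in seen)) {
                    printf "MISSING %s (wanted %s)\n", key, want[key]; bad = 1
                } else if (seen[key] != want[key]) {
                    printf "FAIL %s is %s (wanted %s)\n", key, seen[key], want[key]; bad = 1
                } else {
                    printf "ok %s %s\n", key, seen[key]
                }
            }
            exit bad
        }
    '
}

# constructed sample outputs (not captured from a real server)
sample_good='port 22
pubkeyauthentication yes
passwordauthentication no'
# same server after a drop-in file switched passwords back on
sample_overridden='port 22
pubkeyauthentication yes
passwordauthentication yes'

printf '%s\n' "$sample_overridden" | check_ssh_logins \
    || echo "password logins are still possible, look in /etc/ssh/sshd_config.d/"
```

the function exits non-zero when a setting is wrong or missing, so you can use it in a provisioning script too.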

etckeeper

etckeeper basically checks your whole /etc directory into a git repository. any changes made by updates are automatically committed, so you can go back if you want. just install the etckeeper package. nice to have!

set a hostname

this one is more on the cosmetics side of things, but it's nice to see a hostname in the shell prompt that tells you which machine you are on.

edit /etc/hostname to whatever makes sense to you.

you should also change the hostname in /etc/hosts - edit the 127.0.1.1 <old_name> line to have the new name. this file is used for name lookups, so things might break if you don't change this.

afterwards, either restart, or run sudo hostname <new_name>, which will set the name until you restart next time.

backups

if you have any data worth keeping, have automated backups of some kind! i like to use restic for this. another popular choice would be borg backup. there are plenty of tutorials out there, try using your favourite search engine. :)

Last modified 2024.07.08