Disable all inbound ports in the firewall except for those you absolutely need (like port 80/TCP, port 443/TCP, sshport/TCP, DENY all other inbound)
Use the principle of least privilege. Don’t run your Docker containers or web server as the root user. Make a new user, give it only the permissions needed in order to run the service, definitely not the sudo group. Set a strong password for those users, and disable remote/SSH logins for them
For SSH, use public key authentication, disable password login afterward
Instead of fail2ban, I like and would recommend CrowdSec. Needs some fiddling for Lemmy though, due to rate limits and federation
Practice standard server security.
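One way to check the SSH items in this list, as an added example that is not part of the original comment: it audits the effective configuration that `sshd -T` prints. The sample output and the account names `www-data` and `lemmy` are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample in the `sshd -T` format: lowercase keyword, then value.
SAMPLE_SSHD_T = """\
port 2222
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
denyusers www-data
"""

def parse_effective(text):
    """Collect `sshd -T` lines into {keyword: [values]}; list keywords repeat."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg

def user_matches(user, patterns, host_qualified_counts):
    """Match a user name against AllowUsers/DenyUsers style patterns."""
    for p in patterns:
        # Negated entries never grant a match; USER@HOST is not a blanket deny.
        if p.startswith("!") or ("@" in p and not host_qualified_counts):
            continue
        if fnmatchcase(user, p.split("@")[0]):
            return True
    return False

def audit(text, service_users):
    """Return findings for the checklist items that sshd controls."""
    cfg = parse_effective(text)
    def first(key, default):
        return cfg.get(key, [default])[0].lower()
    findings = []
    if first("pubkeyauthentication", "yes") != "yes":
        findings.append("public key authentication is disabled")
    if first("passwordauthentication", "yes") != "no":
        findings.append("password login is still enabled")
    # Keyboard-interactive (PAM) can still ask for a password; older releases
    # print this keyword as challengeresponseauthentication.
    kbd = first("kbdinteractiveauthentication",
                first("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("keyboard-interactive login can still prompt for a password")
    allow, deny = cfg.get("allowusers", []), cfg.get("denyusers", [])
    for user in service_users:
        denied = user_matches(user, deny, False) or bool(
            allow and not user_matches(user, allow, True))
        if not denied:
            findings.append(f"service account '{user}' may log in over SSH")
    return findings
```

On a real host, pass the output of `sshd -T` (run as root) as the first argument, so defaults and included files are already resolved.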