General advice would be to look boring and hide your IP as much as you are able (get a domain). As long as you’re not looking juicy you won’t attract skilled attention. It’s like locking a bike, most bad actors will just pass by looking around for one without a lock or a real fancy one worth their resources.

You can utilize Cloudflare’s free offerings, starting with simple stuff. Their DNS Proxy is essentialy a single-click but will help substantially. You can build on top of that with simple WAF rules, such as droping connection attempts from IPs originating from countries notorious for “poking around”. You can also reverse that rule and whitlelist only your country.

Keep your firewall tight, don’t expose other ports, put your services behind a reverse proxy and redirect everything to HTTPS. Start simple, constantly improve, learn more advanced methods/concepts.

I usually recommend this one. There’s a section for NPM you’ll find useful.

I used to run Authelia with NPM. It supports TOTP as second factor.