Always change the default port for SSH. Seems to cut down Chinese-sourced spam in the logs. Generating a key isn’t all that difficult either and is preferable to entering a password.
I also disable root login and restrict sudo to a defined admin group, then work my way through things like SYN and ICMP in /etc/sysctl.conf. However, as your question is firewall-related, the above and most of the rest that I would suggest is out of scope.
I generally start with CentOS base and install what I need by hand. I find more comfort in that than trying to remove all the junk, usually outdated, that comes with the other installs like server/desktop.
I also tend to hate SELinux and disable it. It seemingly breaks everything.
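
An added example, not part of the original post: a small auditor that checks the sshd and sysctl items mentioned above against the text of `sshd_config` and `/etc/sysctl.conf`, respecting how each file resolves repeated settings. The `PasswordAuthentication` check, the two sysctl keys and the fallback OpenSSH defaults are assumptions chosen for illustration; the sudo group restriction is not covered.

```python
import re

# Assumption: upstream OpenSSH defaults, used when a keyword is absent.
SSHD_DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
                 "passwordauthentication": "yes"}
# Assumption: two common SYN/ICMP keys; the post itself names none.
SYSCTL_WANT = {"net.ipv4.tcp_syncookies": "1",
               "net.ipv4.icmp_echo_ignore_broadcasts": "1"}
# Constructed sample inputs, not taken from any real host.
SAMPLE_SSHD = ("Port 2222\nPermitRootLogin no\nPermitRootLogin yes\n"
               "PasswordAuthentication yes\n"
               "Match User backup\n    PasswordAuthentication no\n")
SAMPLE_SYSCTL = ("net.ipv4.tcp_syncookies = 1\nnet.ipv4.tcp_syncookies = 0\n"
                 "; constructed comment\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n")

def parse_sshd(text):
    """Global settings only: stop at the first Match block and keep every
    value per keyword in file order (keywords are case-insensitive)."""
    seen = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] == "#":
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen.setdefault(parts[0].lower(), []).append(value)
    return seen

def parse_sysctl(text):
    """sysctl.conf is applied top to bottom, so the last assignment wins."""
    out = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#;" and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out

def audit(sshd_text, sysctl_text):
    """Return a list of findings; an empty list means every check passed."""
    ssh = parse_sshd(sshd_text)
    eff = {k: ssh.get(k, [d]) for k, d in SSHD_DEFAULTS.items()}
    # Every Port line adds a listener, so 22 anywhere in the list counts.
    findings = ["sshd listens on port 22"] if "22" in eff["port"] else []
    for key in ("permitrootlogin", "passwordauthentication"):
        if eff[key][0] != "no":  # sshd uses the first value it reads
            findings.append(f"{key} is {eff[key][0]}")
    have = parse_sysctl(sysctl_text)  # 'unset' means the kernel default applies
    findings += [f"{k} is {have.get(k, 'unset')}, want {w}"
                 for k, w in SYSCTL_WANT.items() if have.get(k) != w]
    return findings
```

On a real host, pass the contents of the two files to `audit()`; settings pulled in through `Include` directives or `/etc/sysctl.d/` drop-ins are not followed by this sketch.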