Depends on your approach, but only open the minimum amount of ports necessary. Fail2ban is a good idea.
Consider a strict default deny iptables that also affects the output table - in case someone does get in, this will limit the damage one can do by making it part of a botnet.
Personally I like to isolate any exposed servers on its own vlan, so in case of compromise, it won’t affect any of the other hardware I’m running.
Also, most routers have less strict security if the connection is coming from the inside. Make sure any access methods to your router is secure.