HACKER Q&A
📣 ramtatatam

Selinux – what does it protect against?


I'm a long-term user of Arch Linux, and SELinux is not something I see used by the community very often.

At the same time I'm running a number of personal VPSs facing the internet (I host an email server, web server, VPN, to name a few) and I have never had problems. To keep myself thinking I'm running those services in a secure way, I run all of them in rootless containers (I use podman).

I'm wondering if SELinux is something worth looking at. Have you ever seen it preventing "an attack"? (I imagine somebody exploiting some zero-day in the wild and SELinux stopping such an individual from moving further, and at the same time raising an alarm to the owner.)


  👤 jas- Accepted Answer ✓
SELinux can assist with prevention of various attack scenarios.

When policies and environments are set up correctly it can and will help protect the system.

Scenario: the target is a DMZ, forward-facing system running an application such as Apache.

A zero-day exists in the Apache service that allows code execution as the running user; say `apache`, for example.

If care has been taken with an SELinux policy that prevents the `apache` user from executing anything but the shared libraries and binaries associated with the Apache web service, then an attacker who gained access as the `apache` user would not be able to escalate privileges or engage in further local attacks on the system, due to the policy constraints.

Resources: the URI https://www.serverlab.ca/tutorials/linux/web-servers-linux/c... provides some examples for Apache; however, see the following URI https://access.redhat.com/documentation/en-us/red_hat_enterp... (procedures 3.2 & 3.3) for details on using SELinux to confine processes and users.
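The part of the question the answer does not show is the "raising an alarm" side: when a confined `httpd_t` process is blocked from, say, executing a shell or reading `/etc/shadow`, SELinux writes an AVC denial to the audit log, and that is what an owner can watch. The script below is an added example, not code from the thread or from either linked resource. The audit lines in `AVC_SAMPLE` are constructed to mimic `/var/log/audit/audit.log` entries for the answer's Apache scenario; the two functions summarise them so you can tell at a glance which domain was stopped from doing what, and whether it was actually blocked (`permissive=0`) or merely logged.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit log lines.
# AVC_SAMPLE is constructed to look like audit.log entries produced when a
# confined httpd_t process is blocked (the scenario in the accepted answer).
# On a real host you would feed in e.g.:  ausearch -m AVC -ts recent
AVC_SAMPLE='type=AVC msg=audit(1700000000.101:201): avc:  denied  { execute } for  pid=1201 comm="httpd" name="sh" dev="dm-0" ino=3310 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=1201 comm="httpd" name="shadow" dev="dm-0" ino=20 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=no exit=-13'

# count_enforced_denials LOG
# Number of AVC lines where the action was really blocked (permissive=0).
# In permissive mode the same lines appear with permissive=1 but nothing is stopped,
# so a count of enforced denials is the honest "did SELinux protect me" number.
count_enforced_denials() {
    printf '%s\n' "$1" | grep -c 'avc:  denied .*permissive=0' || true
}

# denial_summary LOG
# One line per denial:  <comm> <source domain> -> <target type> <class> <permission>
# Only the type component (3rd field) of each security context is kept,
# which is what policy rules are written in terms of.
denial_summary() {
    printf '%s\n' "$1" | awk '/avc:  denied/ {
        perm = $0; sub(/.*\{ /, "", perm); sub(/ \}.*/, "", perm)
        comm = src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { src = $i; sub(/^scontext=/, "", src); split(src, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { tgt = $i; sub(/^tcontext=/, "", tgt); split(tgt, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        printf "%s %s -> %s %s %s\n", comm, src, tgt, cls, perm
    }'
}

# Stand-alone run: print the summary and the enforced count for the sample.
denial_summary "$AVC_SAMPLE"
echo "enforced denials: $(count_enforced_denials "$AVC_SAMPLE")"
```

Running it prints three lines such as `httpd httpd_t -> shell_exec_t file execute`, which is exactly the "attacker got code execution as apache but cannot go further" outcome the answer describes, now visible to the owner. Two caveats a practitioner would check first: `getenforce` must report `Enforcing` (otherwise every denial is `permissive=1` and nothing was actually stopped), and the web content and binaries must carry the labels the policy expects (`ls -Z`, `restorecon`), or the denials you see will be your own mislabelling rather than an attack.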