@zandertrek Thank you for the kind words. Don't take the above to promote complacency. I favor "The Unix Way": specialized tools that do one task very well over the more "monolithic", all-bundled-into-one approach favored by e.g. MS. Thus, I really appreciate NodeBB's "modular" approach.
Along a related line of thought: I also favor a "layered onion" approach to security. Hence it is preferable, imho, to endeavor to block as much nefarious crap as possible before it hits my app server.
Firewall rule sets restricting ports to those actually needed.
Web Application Firewall, a.k.a. WAF. License restrictions preclude binary distribution of Nginx's ModSecurity 3.0 module, so one must compile it oneself. A bit too much of a PITA for many. Apache modules do not have such restrictions. Both utilize the OWASP rulesets, which can be challenging to grok, i.e. not a quick and easy one-click deployment. But boy, once set up it does an excellent job. That said, WAFs, even commercial offerings, are routinely defeated by dedicated and knowledgeable black hats. Or so I am told by some grey hat types.
Fail2Ban is simpler to deploy and hence favored by many.
Hope this helps but yeah, it is a fsck'n jungle out there.
P.S. Oh yeah, iirc, modsec3 can also be integrated with Varnish. I've only dinked around with Varnish. Not for the faint of heart. More enterprise-oriented than small hole-in-the-wall sites, but it deserves a mention whilst I am at it. As an aside, I don't know what magic incantations PHK and crew have up their sleeves, but it is very effective against temp email addresses.
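An added example (my own illustration, not code from the post above or from Fail2Ban itself) of the Fail2Ban layer the post mentions: a small Python model of a jail that applies a Fail2Ban-style `failregex` (with the `<HOST>` tag expanded the way Fail2Ban does) to nginx access-log lines in front of a NodeBB instance, and bans a source once it produces `maxretry` failures inside a `findtime` window. The log lines are constructed; the assumption that a failed NodeBB login shows up as `POST /login` answered with a 403 is mine, as is the `nodebb-login` jail name. The ban command string is modelled on Fail2Ban's stock `iptables` action and is returned rather than executed.

```python
import re
from datetime import datetime

# Constructed nginx "combined" access-log lines. 203.0.113.7 hammers the login
# endpoint within seconds; 198.51.100.9 fails the same number of times but an hour
# apart, which a findtime window is meant to ignore.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 403 59 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 403 59 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:55:04 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 403 59 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 403 59 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:12 +0000] "POST /login HTTP/1.1" 403 59 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:14:30:00 +0000] "POST /login HTTP/1.1" 403 59 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:15:30:00 +0000] "POST /login HTTP/1.1" 403 59 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:16:30:00 +0000] "POST /login HTTP/1.1" 403 59 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:17:30:00 +0000] "POST /login HTTP/1.1" 403 59 "-" "Mozilla/5.0"
"""

# Fail2Ban-style failregex. Assumption: NodeBB behind nginx answers a bad
# password on POST /login with HTTP 403. Fail2Ban substitutes <HOST> with a
# capturing group for the offending address before compiling the pattern.
FAILREGEX = r'^<HOST> .* "POST /login HTTP/[\d.]+" 403 '
HOST_GROUP = r'(?P<host>\S+)'
TIMESTAMP_RE = re.compile(r'\[([^\]]+)\]')


def compile_failregex(pattern):
    """Expand the <HOST> tag the way Fail2Ban does and compile the pattern."""
    return re.compile(pattern.replace('<HOST>', HOST_GROUP))


def parse_timestamp(line):
    """Pull the bracketed nginx timestamp out of a combined-format log line."""
    return datetime.strptime(TIMESTAMP_RE.search(line).group(1),
                             '%d/%b/%Y:%H:%M:%S %z')


def run_jail(log_text, maxretry=4, findtime=600, bantime=3600, failregex=FAILREGEX):
    """Replay log lines through a jail; return {host: datetime of first ban}.

    A host is banned when it has >= maxretry failures within the last findtime
    seconds. Lines from a currently banned host are skipped, since with a real
    firewall action those requests would never reach the web server.
    """
    pattern = compile_failregex(failregex)
    failures = {}   # host -> list of failure timestamps inside the window
    bans = {}       # host -> datetime the ban was issued
    for line in log_text.splitlines():
        match = pattern.match(line)
        if not match:
            continue
        host = match.group('host')
        ts = parse_timestamp(line)
        if host in bans and (ts - bans[host]).total_seconds() < bantime:
            continue
        window = [t for t in failures.get(host, [])
                  if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        failures[host] = window
        if len(window) >= maxretry and host not in bans:
            bans[host] = ts
    return bans


def ban_command(host, jail='nodebb-login'):
    """String modelled on Fail2Ban's stock iptables actionban (not executed here)."""
    return (f'iptables -I f2b-{jail} 1 -s {host} '
            f'-j REJECT --reject-with icmp-port-unreachable')


if __name__ == '__main__':
    for host, when in run_jail(SAMPLE_LOG).items():
        print(f'{when.isoformat()} ban {host}: {ban_command(host)}')
```

With the defaults above, only `203.0.113.7` is banned (four failures in eight seconds); `198.51.100.9` also fails four times but an hour apart, so it never accumulates `maxretry` hits inside one `findtime` window. Tuning those two knobs, together with `bantime`, is most of the work of deploying a jail, and a `findtime` set too wide is how legitimate users with forgotten passwords end up locked out.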