Create a non-root user and run your app under that user.
Set up ufw (Uncomplicated Firewall) and block everything apart from SSH, HTTP and HTTPS. This is much easier than iptables (imo).
Disable SSH password auth. Set up keys, use them only.
Additionally, set up Fail2Ban to monitor logs and take any additional actions you might want (IP blacklisting etc.).
There are lots of guides online for hardening Ubuntu; these would be my 'must do' steps. I would recommend the Linode guides, they are generally good quality (https://www.linode.com/docs/security/securing-your-server).
Also bear in mind that even without a domain name, if your app was running on the remote, chances are it has already been found and probed based on IP:port alone. I would do all these steps as soon as the server is provisioned.
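
The four steps above as one script for a fresh Ubuntu server, added here as an example and not part of the original post. The user name `appuser`, SSH on 22/tcp, the `ssh` service name, the two file paths and the `run`/`put`/`harden` helpers are assumptions; it also assumes your public key is already in `authorized_keys` for the account you log in with.

```shell
#!/bin/sh
# Dry run by default: each command is printed, nothing is changed.
# Run as root with APPLY=1 to execute. Assumed names (not from the post):
# user "appuser", SSH on 22/tcp, service "ssh", the two file paths below.
APP_USER="${APP_USER:-appuser}"
SSH_DROPIN=/etc/ssh/sshd_config.d/00-hardening.conf
F2B_JAIL=/etc/fail2ban/jail.local

run() {  # print the command; execute it only when APPLY=1
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

put() {  # put FILE LINE...: write the given lines to FILE
  _file=$1; shift
  printf 'write %s: %s\n' "$_file" "$*"
  if [ "${APPLY:-0}" = 1 ]; then printf '%s\n' "$@" > "$_file"; fi
}

harden() {
  # 1. Non-root account for the app, with no login shell.
  run useradd --system --create-home --shell /usr/sbin/nologin "$APP_USER"

  # 2. Firewall: allow SSH before enabling, or you cut off your own session.
  run ufw default deny incoming
  run ufw default allow outgoing
  run ufw allow 22/tcp
  run ufw allow 80/tcp
  run ufw allow 443/tcp
  run ufw --force enable

  # 3. Key-only SSH. sshd keeps the first value it reads for a keyword, so
  #    the drop-in is named to sort first. Validate before reloading.
  put "$SSH_DROPIN" 'PasswordAuthentication no' 'PubkeyAuthentication yes'
  run /usr/sbin/sshd -t || return 1
  run systemctl reload ssh

  # 4. Fail2Ban with the sshd jail switched on.
  run apt-get install -y fail2ban
  put "$F2B_JAIL" '[sshd]' 'enabled = true'
  run systemctl enable --now fail2ban
}

harden
```

Keep your current SSH session open after applying and confirm key login from a second terminal before you disconnect.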