The OWASP® CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories. You can run this as a Proxy-filter to implement all the OWASP rule sets at once. With NGINX you need to use the latest ModSecurity. For NGINX you can compile CRS inside ModSecurity
UFW
Simple firewall module - not handy if you use dockers
Samhain
Samhain is a Linux based intrusion detection system it provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes. You can run this on your desktop and servers. Samhain has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as standalone application on a single host.