So I have a couple of servers in house, so to speak. They work fine but I'm thinking of going online for several reasons. I have some experience in Linux/BSD server admin but literally none in the security aspects of it. I can update the servers with no problem but I'm not sure I understand networking well enough to close off all vulnerable access ports. I won't have terribly sensitive data on these servers (no SSNs, etc.) but there will be privilege docs I need to keep secure. No one will know what's there unless they get in and even then, they probably won't know what they're looking at as I keep things as cryptic as possible until the final few drafts and production docs. Obviously, anything that gets filed is open source anyway. I do client transactions via a separate, secure online portal.

What do I need to know to keep a VPS from becoming a hangout for nefarious individuals?

Following!

Look at using tailscale. It's a VPN that allows you to act as if you're on your own network and not have to open any ports. You can then setup next cloud and connect that to tailscale to be able to access it anywhere.

Using an AWS EC2 might be the way. It's closed off by default and you need to explicitly confirm the ports you want to open. Most other IaaS providers do the same.