In this scenario you install the single node on the VPS and the built-in firewall is enough.
As said:
Probe attempts can be blocked/mitigated with
- Crowdsec application (released)
- Change of ssh default port (documented here NS8 Change node SSH port 22 permanently - #15 by davidep)
- Limit HTTP access from certain IPs (planned and documented here How do I prevent the administration page from being accessible from the Internet? - #2 by davidep)