Intruders conduct reconnaissance on your network and servers before attacking, and then carry out the attack based on the information they have gathered.
In my opinion, the best way to defend your network and servers from being attacked is to interfere with the intruders' reconnaissance. When intruders cannot obtain any valuable information, they cannot carry out the attack properly.
Most intruders use automated tools, such as vulnerability scanners, for reconnaissance and seldom do it manually, since manual reconnaissance is harder for them, especially against web applications. A small proportion of advanced intruders, however, do it by hand.
Hiawatha, a security-focused web server, can be configured to block vulnerability scanners from scanning it. When the scanners cannot complete their work, intruders obtain no valuable information about the web server on which to base an attack.
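As an added illustration (not configuration from the original post or from the Hiawatha project), the following hiawatha.conf fragment turns typical scanner behaviour (malformed requests, invalid URLs, SQL-injection probes, request floods, oversized requests) into a temporary ban. The directive names are Hiawatha's documented ban and bot options; the thresholds, ban times, the management network in BanlistMask and the scanner name in DenyBot are assumptions to be tuned per site.

```conf
# Added example (not from the original post): server-wide ban settings
# in hiawatha.conf that make scanner behaviour earn a temporary ban.
# Values are assumptions; check the hiawatha.conf manual page of the
# installed version for exact syntax.

# A client that sends a malformed (garbage) request is banned for 300 s.
BanOnGarbage = 300

# A client that requests an invalid URL (e.g. path traversal patterns)
# or sends SQL-injection patterns in a request is banned for 60 s.
BanOnInvalidURL = 60
BanOnSQLi = 60

# More than 10 requests within 1 second from one IP earns a 15 s ban.
BanOnFlooding = 10/1:15

# A client exceeding ConnectionsPerIP is banned for 30 s.
ConnectionsPerIP = 10
BanOnMaxPerIP = 30

# A request larger than MaxRequestSize earns a 60 s ban.
BanOnMaxReqSize = 60

# Three wrong passwords on a protected resource earn a 120 s ban.
BanOnWrongPassword = 3:120

# Close open connections of a newly banned IP, and restart the ban timer
# when a banned IP keeps connecting.
KickOnBan = yes
RebanDuringBan = yes

# Never ban the management network (constructed address range).
BanlistMask = allow 192.0.2.0/24

# DenyBot matches a substring of the User-Agent header, so it only stops
# scanners that identify themselves. The name used here is an assumption.
DenyBot = Nikto:/
```

The BanOn* options apply to the whole server, not to a single virtual host. After deploying them, watch the ban log for a while: aggressive thresholds also ban legitimate clients that share one NAT address, which is why a BanlistMask entry for trusted networks is included.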
Suricata, a high-performance network IDS, IPS and network security monitoring engine, used with the Emerging Threats rules, can be configured to drop the packets of vulnerability scanners so that their scans do not complete.
Web Application Firewalls (WAF), Intrusion Detection/Prevention Systems (IDS/IPS) and ordinary firewalls can all be bypassed by some advanced intruders. Blocking vulnerability scanners is therefore one good way to defend your network and servers from being attacked.
That's all! See you.