Securing a web server is a large topic, more fit for a book (or series of books) than a Stack Exchange answer. With that being said, I'll address a few points.
> but what it doesn't talk about is protection from viruses, malicious code, and brute forcing from behind the network firewall.
Generally speaking, we don't concern ourselves much with virus-type infections in Linux. The target percentage of computers is much lower, the permissions systems (and things like SELinux) help prevent a lot of issues that would arise, and installation of software only from trusted software repositories helps reduce this threat.
Keep your server up to date, subscribe to the Ubuntu security announcement list, and don't run untrusted software. And don't disable AppArmor.
General advice in security circles is that once any sign of infection is found, you should nuke (erase) the server and start from scratch, rather than trying to clean out any infection. To this end, you should configure (and test!) regularly-scheduled backups. It's also a very good idea to use a configuration management tool (I like Ansible) for all of your configuration, rather than doing it by hand, so that you can bring up another server instantly.
One final recommendation I have is to install fail2ban. It's most often used to protect against SSH brute-force attempts, but it also ships with configuration files for a number of other common brute-forced network services. If you use Ansible, configuring it becomes much easier due to the presence of includable roles from their community repo.
> I should be relatively safe for an unindexed web server
There are bots constantly scanning the entire known IPv4 address space for servers, so you should never assume that simply because your server is not publicly linked to, it won't be found.