Nginx also has support for rate limiting built in.
On the topic of blocking, I block user agents starting with Mozilla/5.0 that are using HTTP/1.X, since all modern browsers default to HTTP/2.0 and anything else is usually always bad bots. You can also return 426 with the Upgrade: h2c header to let some older browsers know to use HTTP/2.0.
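An nginx configuration along the lines of the comment above, as an added example that is not the commenter's own config. The zone name `perip`, the variable `$http1_browser_ua`, the rate and burst values, the host name and the certificate paths are all assumptions or placeholders.

```nginx
# Fragment for the http {} context. Added example; names and numbers are assumptions.

# Built-in rate limiting: track clients by address, allow 10 requests/second each.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

# Flag requests that claim a browser user agent (starts with "Mozilla/5.0")
# but arrive over HTTP/1.0 or HTTP/1.1. $server_protocol is "HTTP/2.0" for h2.
map "$server_protocol:$http_user_agent" $http1_browser_ua {
    default                       0;
    "~^HTTP/1\.\d:Mozilla/5\.0"   1;
}

server {
    listen 443 ssl;
    http2 on;                       # nginx 1.25.1+; older: "listen 443 ssl http2;"
    server_name example.com;        # placeholder

    ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.key;   # placeholder path

    # Answer rate-limited requests with 429 instead of the default 503,
    # so they are easy to tell apart from real backend failures in the logs.
    limit_req_status 429;

    location / {
        limit_req zone=perip burst=20 nodelay;

        # 426 Upgrade Required plus the Upgrade header, as the comment suggests.
        # "always" is needed because add_header skips most 4xx codes otherwise.
        # For a plain block, replace the three lines with "return 403;".
        if ($http1_browser_ua) {
            add_header Upgrade    "h2c"     always;
            add_header Connection "Upgrade" always;
            return 426;
        }

        root /var/www/html;         # placeholder document root
    }
}
```

If nginx sits behind a CDN or another reverse proxy, `$server_protocol` reflects the proxy's connection to nginx rather than the client's, so the map would flag every browser request. Logging `$http1_browser_ua` in the access log for a while before enforcing shows how much legitimate HTTP/1.x traffic the rule would hit.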



The OS doesn’t just mediate the devices, it also provides a consistent interface for software to talk to the hardware. E.g. software doesn’t care if you’re using a USB or PS/2 keyboard, the operating system handles that.
Usually in the context of servers, bare metal means it’s not running in a VM, and you are dedicated to the hardware. E.g. one server may otherwise be running multiple customers all isolated from each other using VMs; with bare metal servers you are the only customer using the hardware. They’re supposedly more secure as there isn’t another customer that could use some VM escape vulnerability and read your data. It’s nothing to do with whether you are running an OS or not (although no OS is very impractical on production servers).