Small business IT/Server/Security infrastructure

Small business IT/Server/Security infrastructure

I'm responsible for everything IT in a small business that hosts and
maintains a web based system used by 100+ users every day.
We're at a point where we're growing out of our "just make it work"
startup design.
I'm no expert at any of this, so I thought it would be wise to ask here
for advice.
This is what I'm thinking:
We get a permanent IP for the office and make sure that all access to our
server: MySQL, SSH is limited to only that IP.
Then we get an extra server for the office that can be an DHCP server and
SSH tunnel. So if we're not at the office, we can still connect to the SSH
tunnel and access our other server if we need to reboot or do database
changes and things like that.
Our server that hosts the system is an Ubuntu system.
As a web server we've used XAMPP because it's so simple. But how secure is
it? Should I use another setup? How hard is it to make it 100% secure? if
it's possible.
What do you think?