For example, I prefer to use a VPN instead of port forwarding. And I use SSH for anything I used to use FTP for.
I share services with the public, so… strong passwords on everything, MFA, host scanning, SSH MAC/KEX/ciphers tweaked to ultra modern set and exposed only with keys with f2b activating on first failure, constant backups and automatic updates and scheduled reboots. Has worked great for a decade+.
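An added example, not part of the comment above or anyone's actual setup: a small auditor that checks the global section of an `sshd_config` for key-only login and pinned KEX/cipher/MAC lists. The allowlists and the sample config are assumptions constructed for illustration.

```python
import re

# Assumed "modern" allowlists (this example's choice, not the commenter's).
ALLOWED = {
    "kexalgorithms": {"sntrup761x25519-sha512@openssh.com", "curve25519-sha256",
                      "curve25519-sha256@libssh.org"},
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"},
}
REQUIRED = {"passwordauthentication": "no", "pubkeyauthentication": "yes"}
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_global(text):
    """Return {keyword: value}; keywords are case-insensitive, first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional Match blocks are not evaluated by this example
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    cfg, findings = parse_global(text), []
    for key, want in REQUIRED.items():
        got = cfg.get(key, DEFAULTS[key]).lower()
        if got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    for key, allowed in ALLOWED.items():
        value = cfg.get(key)
        if not value or value[0] in "+-^":  # +/-/^ only modify the built-in defaults
            findings.append(f"{key} not pinned to an explicit list (defaults still apply)")
            continue
        extra = sorted({a.strip() for a in value.split(",")} - allowed)
        if extra:
            findings.append(f"{key} allows {', '.join(extra)}")
    return findings

# Constructed sample config, not taken from the thread.
SAMPLE = """\
Port 2222
PasswordAuthentication no
passwordauthentication yes
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs +hmac-sha1
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Because `Match` blocks are skipped here, compare the result with the effective configuration printed by `sshd -T` before relying on it.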
SSH key auth for terminal login, plus an nginx proxy and client cert auth on anything accessible by the outside world. I’ll expose any internal service I want because nobody is getting through the client cert auth.
I use a non-standard SSH port, Fail2ban, and a WireGuard VPN for some services.
TOTP MFA highly recommended on SSH and web console. The so-called “google-authenticator” makes it easy and despite the name does not use any external Google services.