This post is made for debian based linux distros.

Don’t expose ssh, use a VPN

This is obviously not viable for stuff running in the cloud but for a homelab server its advised to not expose ssh or management ports, if you need external access use a free VPN service like Tailscale or self-hosted Wireguard.

Non-root account for logins / Disable root login

Disabling the ability to login as root helps with many automated bots that brute-force ssh into your server, start by making a new user with any username you want