Some I haven’t yet found in this thread:

• rootless podman
• container port mapping to localhost (e.g. 127.0.0.1:8080:8080)
• systemd services with many of its sandboxing features (PrivateTmp, …)

They aren’t on the internet mainly.

My router (opnsense) has a wireguard server which is how I access things when out of the house.

I do have a minecraft server for my friends and I, but that VM is on its own network isolated from everything else.

To add some points, that I do:

• Proper logging: So I could realize something unusual is going on
• rootless podman container: harder to escalate privileges and gain root
• Apparmor: same, plus it could trigger suspicious log entries

Disable password authentication on SSH

Enable firewall and block all ports you’re not using(most firewalls do this by default)

Switch to a LTS kernel(not security related, but it keeps things going smooth… Technically it is safer since it gets updated less often so it is a bit more battle tested? Never investigated whenever a LTS kernel is safer than a standard one)

Use Caddy to proxy to services instead of directly exposing them out

HTTPS for web stuff(Caddy does it automatically)