Dropping instead of blocking might technically be better because it wastes a bit more bot time and they see it as “it doesn’t exist” rather than an obsticle to try exploits on. Not sure if that is true though.

For me:

• ssh server only with keys

• absolutely no ssh forwarding, only available to local network via firewall rules

• docker socket proxy for everything that needs socket access

• drop non-used ports, limit IPs for local-only services (e.g. paperless)

• crowdsec on traefik for the rest (sadly it blocks my VPN IPs also)

• Authelia over everything that doesn’t break the native apps (jellyfin and home assistant are the two that it breaks so far, and HA was very intermittent so I made a separate authelia rule and mobile DNS entry for slightly reduced rules)

• proper umask rules on all docker directories (or as much as possible)

• main drive FDE with a separate boot drive with FDE keyfile on a dongle that is removed except for updates and booting to make snatch-and-grabs useless and compromising bootloader impractical

• full disk encryption with passworded data drives, so even if a smash and grab happens when I leave the dongle in, the sensitive data is still encrypted and the keys aren’t in memory (makes a startup script with a password needed, so no automated startups for me)

For more info, I followed a lot of stuff on: github.com/…/How-To-Secure-A-Linux-Server