Below are general guidelines for reducing attack vectors over network:
Ensure unattended upgrades are enabled
Block all ports except required ones
Setup firewall via ufw or iptables
Optionally for cloud host, block ports via security group instead
SSH Port should be open to trusted IP addresses only
SSH login with password should be disabled, authenticate with a ed25519 key instead
For extra security, use a yubikey with ed25519-sk resident key
The exact steps are out of scope of this guide, please refer to other online sources or consult the community discord. Below are some good 3rd party guides for reference: