I just posted Linux Chelyabinsk Event which explains in layman’s terms what happened with the long term infiltration of XZ Utils. Briefly, a long term infiltrator kinked the package to create a back door within SSH.
You do you, obviously, but I don’t have time for this shit, so here’s what I do.
Default routes are a convention, not a requirement. Any system I have that is serving content is 1) hiding behind Cloudflare, 2) only has static routes to Cloudflare IP ranges, and 3) gets its updates and such via a local firewall VM that does have a static route. Fiddly to maintain, but I never wake up at 0300 wondering if something’s amiss.
There is no need to offer sshd access to the whole damn world. I use /etc/hosts.allow to limit access to it and it doesn’t hurt to configure UFW, Uncomplicated Firewall, as well. I don’t horse around with changing the default port, that just causes headaches at the worst possible moment.
You can lock yourself out with any one of those methods. If you’re puzzling over where to start, /etc/hosts.allow is the one where you’re least likely to shoot yourself in the foot. Even so, be sure you’ve got some sort of remote console access to systems before you engage it