A perfect example of why one should use SSH over a mesh network like Tailscale, and not expose it over the public internet. No attack surface means no attack.
I love TS just for this reason. All ports are locked and ssh-ing is possible only via TS. And for public-facing web apps I open only 80 and 443.
Does anyone have any experience with CF tunnels on a free account? Is it actually free for smaller apps with less than 1TB of traffic per month? I was wondering about switching to CF tunnel, which would mean I could also close ports 80 and 443 and block China (because I read somewhere that most DDoS attacks come from Chinese locale botnets).
For some additional peace of mind, you could also use something like Authentik in front of your web apps, so you don't expose the apps themselves, only Authentik. You can then use the IDP of your choice within Authentik for authentication.