For me, the answer to 'hardening' is to use an open source zero trust solution which is always outbound only thereby cannot be subject to network level attacks (OSI 3-5), e.g., DDoS, brute force, CVE exploit etc