A lot was written and warned about misusing servers based on older OpenWrt releases...
I have a question: is not the most likely way to break into a server over SSH, finding the password with some brute force algorithm?
Is there already protection implemented in OpenWrt so that, in case of too many unsuccessful attempts, it will not allow login for some predefined time? I am not a super expert but I can imagine misusing a server if I can SSH into it...
And I did this from Thailand while the server was in Europe.
If I should have a fear, I can imagine having fear for this reason; all others seem to me to have almost zero probability of happening.
Also, regularly rebooting every day would change the dynamic IP address every time...
-Many docs highlight the advice to disable password logins and use keys only. This negates brute force.
-The syn flood limit default rule slows christmas and new connections; you may wish to lower the limit and burst to 1/3 for significant effect, or create a similar specific rule for port 22/ssh (or run on an alternate port for a tad of obscurity):
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
Web search for "iptables limit ssh"
-A WAN IP MAY change on reboot. That is what dyndns is for.
-A server is only vulnerable as you discuss... if its ssh port is "forwarded" to the external address of the router. Most admins would not do that and would use some sort of tunnel, the simplest being ssh_forwarding using certificate authentication.
So yes, there are a few key precautions... that, when taken, offset much of the risk exposure. If you don't need WAN access via ssh, disable it on the external interface.
o' fail2ban and fwknopd are two more things if you're up for some learning... knocking is probably the simplest and most effective bang for the buck.
I'm using BearDropper on my system, works a treat. Monitors for repeat unsuccessful logins from the same address and then inserts the source IP into an iptables blocklist for a predetermined period.
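
The detection step that tools of this kind rely on (count failed logins per source address inside a time window) can be sketched as below. This is an added example, not BearDropper's or fail2ban's code and not from any poster in this thread; the logread-style line layout, the function names and all addresses are assumptions constructed for illustration, and the blocking step is left out.

```shell
#!/bin/sh
# Added example: flag sources with repeated failed dropbear logins.
# Log layout and addresses are constructed; adjust the pattern to your logs.

# find_offenders THRESHOLD WINDOW_SECONDS   (log lines on stdin)
# Prints each source address once, when it reaches THRESHOLD failures
# inside any span of WINDOW_SECONDS.
find_offenders() {
    awk -v max="$1" -v win="$2" '
    # Seconds since 1970-01-01 for a calendar date (avoids mktime).
    function epoch(y, m, d, H, M, S,    days) {
        if (m <= 2) { y--; m += 12 }
        days = 365*y + int(y/4) - int(y/100) + int(y/400)
        days += int((153*(m-3) + 2)/5) + d - 719469
        return days*86400 + H*3600 + M*60 + S
    }
    /dropbear\[[0-9]+\]: (Bad password attempt|Login attempt for nonexistent user)/ {
        # Fields: Wday Mon Day HH:MM:SS Year facility dropbear[pid]: message
        mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $2) + 2) / 3
        split($4, hms, ":")
        t = epoch($5, mon, $3, hms[1], hms[2], hms[3])
        ip = $NF                     # last field is "address:port"
        sub(/:[0-9]+$/, "", ip)      # drop the trailing :port
        ts[ip, ++tail[ip]] = t
        if (!head[ip]) head[ip] = 1
        # Slide the window: forget failures older than win seconds.
        while (ts[ip, head[ip]] < t - win) {
            delete ts[ip, head[ip]]
            head[ip]++
        }
        if (tail[ip] - head[ip] + 1 >= max && !flagged[ip]++) print ip
    }'
}

# Constructed sample: one fast guesser, one slow one, one good login.
sample_log() {
    cat <<'EOF'
Mon Mar  4 02:10:01 2024 authpriv.warn dropbear[2101]: Bad password attempt for 'root' from 203.0.113.7:40112
Mon Mar  4 02:10:05 2024 authpriv.warn dropbear[2102]: Login attempt for nonexistent user from 203.0.113.7:40120
Mon Mar  4 02:11:30 2024 authpriv.notice dropbear[2103]: Password auth succeeded for 'root' from 192.0.2.44:51000
Mon Mar  4 02:12:00 2024 authpriv.warn dropbear[2104]: Bad password attempt for 'root' from 198.51.100.9:33001
Mon Mar  4 02:14:59 2024 authpriv.warn dropbear[2105]: Bad password attempt for 'admin' from 203.0.113.7:40155
Mon Mar  4 03:30:00 2024 authpriv.warn dropbear[2106]: Bad password attempt for 'root' from 198.51.100.9:33050
Mon Mar  4 04:45:00 2024 authpriv.warn dropbear[2107]: Bad password attempt for 'root' from 198.51.100.9:33090
EOF
}

sample_log | find_offenders 3 600    # three failures within ten minutes
```

A slow guesser such as 198.51.100.9 in the sample stays under a short window, which is one more reason the key-only login advice above matters more than any rate-based block.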