Uncomplicated firewall (ufw) will be provisioned, configured and enabled on Internet Gateways.
It will first deny all incoming and outgoing network connections, then allow all outgoing connections, allow incoming ssh connections, and allow incoming connections on ports 80 and 443.
Any application that needs to listen on a port other than the ones above will need to be explicitly "allowed" through ufw.
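The following script is an added example, not part of the original decision record: it audits the output of `ufw status verbose` from a gateway against the policy above (incoming denied by default, outgoing allowed, only ssh, 80 and 443 allowed in). The two status texts at the bottom are constructed samples, not output captured from a real gateway.

```shell
# Added example (not from the original page): check a gateway's
# `ufw status verbose` output against the policy above: deny incoming by
# default, allow outgoing, allow only ssh (22), 80 and 443 inbound.
# The status texts at the bottom are constructed samples, not captured output.
EXPECTED_PORTS="22 80 443"

# ufw_defaults STATUS_TEXT -> prints "<incoming> <outgoing>" default policies.
ufw_defaults() {
    printf '%s\n' "$1" |
        sed -n 's/^Default: \([a-z]*\) (incoming), \([a-z]*\) (outgoing).*/\1 \2/p'
}

# ufw_allowed_ports STATUS_TEXT -> inbound ALLOW rule ports, one per line;
# "80/tcp" and "80" both become "80", IPv6 duplicates are collapsed.
ufw_allowed_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+(\/(tcp|udp))?$/ && $0 ~ / ALLOW/ { sub(/\/.*/, "", $1); print $1 }' |
        sort -nu
}

# ufw_audit STATUS_TEXT -> returns 0 when the host matches the policy,
# otherwise prints one "FAIL: ..." line per deviation and returns 1.
ufw_audit() {
    status="$1"; rc=0
    printf '%s\n' "$status" | grep -q '^Status: active' || { echo "FAIL: ufw not active"; rc=1; }
    set -- $(ufw_defaults "$status")
    [ "$1" = "deny" ]  || { echo "FAIL: default incoming is '$1', want deny"; rc=1; }
    [ "$2" = "allow" ] || { echo "FAIL: default outgoing is '$2', want allow"; rc=1; }
    for p in $(ufw_allowed_ports "$status"); do          # nothing beyond the allow-list
        case " $EXPECTED_PORTS " in *" $p "*) ;; *) echo "FAIL: unexpected inbound port $p"; rc=1 ;; esac
    done
    for p in $EXPECTED_PORTS; do                         # and nothing missing (e.g. ssh lockout)
        ufw_allowed_ports "$status" | grep -qx "$p" || { echo "FAIL: required port $p missing"; rc=1; }
    done
    return $rc
}

GOOD_STATUS='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'
BAD_STATUS='Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)
22/tcp                     ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere'

# On a real gateway: ufw_audit "$(sudo ufw status verbose)"
ufw_audit "$BAD_STATUS" || echo "constructed sample deviates from the policy"
```

Rules created with `ufw limit` show up as LIMIT rather than ALLOW and would be reported as missing; extend the awk match if that action is in use.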
journalctl on Internet Gateways and on servers on The Edge made it clear that automated login attempts against virtually every port on the devices, over different protocols, have been going on continuously.
How can we decrease the risk of penetration and drop connection attempts to ports that we do not want to expose?
We didn't explore any options other than ufw, as it was just a matter of enabling it on our Internet Gateways. Its configuration is much more intuitive than that of iptables. It is also persisted and loaded again on each restart of the underlying VPS.