I find that a very good, low-cost, low-friction measure is to do IP-based mitigation only for sensitive ports (SSH, RDP, SMB, etc.). Ideally you implement an IP whitelist that you store in a safe and reliable place (cloud storage?). And your servers refresh that IP list every 5 minutes and modify the firewall if it changed. Easy to implement.
Only you can talk to sensitive ports. And the server is available to the rest of the world for non-sensitive things. And if you connect from a new IP, within 5 min you have access to the server (I have a scheduled task that updates the IP list with my current IP so I usually don’t even wait).
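A sketch of the server-side refresh step described above, added here as an illustration and not the commenter's own script. It assumes the list is fetched as plain text (one IPv4 address or CIDR per line) and that the firewall is nftables with an interval set; the table and set names and the /24 breadth limit are hypothetical choices. A bad or empty fetch leaves the current rules in place.

```python
import ipaddress

MIN_PREFIX_V4 = 24                           # assumption: refuse anything broader than a /24
NFT_SET = ["inet", "filter", "mgmt_allow"]   # hypothetical table and set (flags interval)


def parse_allowlist(text):
    """Parse fetched list text into a set of IPv4 networks; raise ValueError if unusable."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # ValueError on garbage
        if net.version != 4 or net.prefixlen < MIN_PREFIX_V4:
            raise ValueError(f"not IPv4 or too broad: {line}")
        nets.add(net)
    if not nets:
        # An empty list would lock every administrator out of the sensitive ports.
        raise ValueError("empty allowlist")
    return nets


def _element(nets):
    return "{ " + ", ".join(str(n) for n in sorted(nets)) + " }"


def plan_update(current, fetched_text):
    """Return (new_allowlist, nft_commands) for one 5-minute refresh.

    On an invalid fetch the last-known-good set is kept and no command is emitted.
    Additions are ordered before deletions so access is never dropped mid-update.
    """
    try:
        wanted = parse_allowlist(fetched_text)
    except ValueError:
        return current, []
    cmds = []
    if wanted - current:
        cmds.append(["nft", "add", "element", *NFT_SET, _element(wanted - current)])
    if current - wanted:
        cmds.append(["nft", "delete", "element", *NFT_SET, _element(current - wanted)])
    return wanted, cmds


if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    live = parse_allowlist("203.0.113.7\n")
    live, commands = plan_update(live, "203.0.113.7\n198.51.100.20  # laptop\n")
    for c in commands:
        print(" ".join(c))   # a real job would run these via subprocess.run(c, check=True)
```

The firewall rule for the sensitive ports then only needs to reference the set, so each refresh touches set elements and never the ruleset itself.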