I don’t think so … I was like you, paranoid about the security of the panel after changing from Plesk a few years ago, and to be fair I added a user as well as root to administer the system. Didn’t bother with 2FA; in fact that may not have even been there at the time! I did not change the Webmin/Usermin ports and in all that time there have been a few connections to port 10000, which appear to be bots port snooping … I run a script to kill the PIDs of unrecognised connections once a month, as it really is a non-problem. One thing I would do is add the fail2ban rule for Webmin and make that as robust as you like; however, take care, as you may ban yourself.
There is already a “webmin-auth” fail2ban filter running on every fresh Virtualmin install. To see it in action, just try to log in repeatedly using a wrong password … and get ready for a 10-minute ban.
Depends on who manages the server.
I have a few servers that only I manage.
So I install the csf firewall,
open ports 22 and 10000 only from my IPs (work, home, and my cloud VPS with VPN),
and publicly open only 80 and 443 for some websites.
I feel calm with this configuration (of course, in some installations it is not practicable).
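
Added example, not code from any poster in this thread: a check that combines the monthly review of port 10000 connections mentioned in the first post with the "only from my IPs" allowlist in the last one, reporting peers instead of killing processes. The allowlist entries and the sample `ss` lines are constructed (documentation address ranges), and the function names are hypothetical.

```python
import ipaddress

WEBMIN_PORT = 10000  # default Webmin port discussed in the thread

# Assumed allowlist: documentation ranges standing in for work, home and VPN addresses.
ALLOWED = [ipaddress.ip_network(n)
           for n in ("203.0.113.10/32", "198.51.100.0/28", "2001:db8:1::/48")]

# Constructed sample in the layout of `ss -Htn state established`:
# Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
0 0 192.0.2.5:10000 203.0.113.10:51514
0 0 192.0.2.5:10000 192.0.2.77:40022
0 0 192.0.2.5:443 192.0.2.99:53311
0 0 [::ffff:192.0.2.5]:10000 [::ffff:198.51.100.7]:60123
0 0 [2001:db8:1::5]:10000 [2001:db8:ffff::9]:44321
0 36 192.0.2.5:22 203.0.113.10:51000
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; compare them as IPv4.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr, int(port)

def unrecognised_peers(ss_output, port=WEBMIN_PORT, allowed=ALLOWED):
    """Return sorted peer addresses connected to `port` that match no allowlist entry."""
    flagged = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # not a connection row
        local_port = int(fields[-2].rpartition(":")[2])
        if local_port != port:
            continue
        peer, _ = split_endpoint(fields[-1])
        if not any(peer.version == net.version and peer in net for net in allowed):
            flagged.add(str(peer))
    return sorted(flagged)

if __name__ == "__main__":
    for ip in unrecognised_peers(SAMPLE_SS):
        print("unrecognised Webmin connection from", ip)
```

On a live host the text passed to `unrecognised_peers` would come from `ss -Htn state established` rather than the embedded sample.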