GenieACS security hardening best practices

I was browsing the web for documentation on how to make GenieACS deployment secure and solid enough for it to run on a public IP address. I did not find any useful sources so I would appreciate a link or two /short list od tips from this community.
What I’m looking for includes but od not limited to:
Latest version of TLS configuration
Using nondefault ports on loopback interface for all nonpublic ports
Using iptables
Cpe authentication and authorization
Automatic blacklisting to prevent brute force attacks

Thanks in advance

The documentation you seek doesn’t really exist.

I would ask why you are wanting to run this on the public interface? We do all of our CPE management over a second non-public interface. This allows us to always have access to the CPE whether its in routed or bridged mode. Other things like turn off only the PPPoE/bridged interface when the cm doesn’t pay their bill to keep them from hammering on our auth server.

This is all done over HTTPS and we utilize auth to our CPEs as well (and as soon as we migrate to v1.2, auth from CPE -> ACS to prevent rogue devices).

Thanks for your response.
I suppose the solution with bridged interface on CPE and a private ACS address can be applied if you have all the equipment in your own private network. How should internet CPEs be handled? We need a way to accept traffic from internet for customers outside the standard access network, that is the reason I am doing this.

Much the same way as above. Require two way auth (acs -> CPE, CPE -> ACS), firewall and do everything over ssl.

should nginx proxying with SSL, fail2ban and CPE auth be sufficient?

And firewall. Limit your attack surface by limiting access to port 7547 to just those devices in your network.

Maby also change the Port to a less known Port.