I think I know the answer, but wanted some people's opinions.
I'm using rsync to transfer a directory from a bunch of remote machines, to a server (Debian 9) on our network as a basic form of backup.
SSH is on a non-standard port, and locked down to the subnet the remote machines are on. Authentication is done with a certificate, for a non-root user, who also doesn't have sudo privileges - just read/write to the directory it the remote machines rsync to.
Have I done everything I should?