This guide doesn't cover important things like the firewall and blocking attackers (shorewall, fail2ban) and properly configuring mysql, php, etc.
If you have a small server, I'd really recommend checking out these scripts that assist with configuring and setting up a server very quickly:
http://lowendscripts.com/wiki/shell_scripts
I personally used a fork of lowendscript last year to set up some servers, but if I had to set up a new server today, I'd check out some of the other options at that link, like Minstall: https://github.com/maxexcloo/Minstall
But this Xeoncross lowendscript fork is still very active: https://github.com/Xeoncross/lowendscript
Say I worked out your home IP (not hard), then sent a large number of failed SSH attempts with the IP address forged as yours. You are now locked out of your home server.
That's why I whitelist my IPs in $ignoreip in jail.conf.
Fail2ban is actually a vulnerability in itself.
That's a bit harsh. It's true that you may have to tweak some settings to prevent or minimize DoS attacks, but even that risk is a far cry from an attacker gaining a login or rooting the box. Fail2ban has proven to be safe and reliable in the years I've used it. Nonetheless, the old maxim holds true: Know your tools.
If you are already able to whitelist your (valid) login points, why would you need fail2ban? Just whitelist them in your firewall and/or /etc/hosts.allow.
Personally I've yet to have anyone brute-force my SSH key (although, as I run Debian, that is just luck as it turned out...). Still, fail2ban wouldn't really have helped against an attacker that knows/can figure out my access token offline...
I need to support multiple roaming users. Manually maintaining whitelists would be a burden.
Fail2ban isn't a firewall. It monitors logs for suspicious activity and responds with an action (not limited to banning an IP). When you expose services publicly, it's one of many tools you can use to limit bad behaviour without penalizing or inconveniencing legitimate users. I also use iptables (including the recent and string modules), RBLs, and a host of other access controls. Security is a layered approach and redundancy isn't a bad thing.
Avoiding banning certain IPs (to avoid denial of service) is a form of whitelisting. So either you're open to denial of service, or you're able to whitelist all essential access paths?
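To make concrete what the thread is arguing about (fail2ban counting failed logins per source IP within findtime, banning at maxretry, and skipping anything listed in ignoreip), here is an added example that is not part of the original thread and not fail2ban's own code: a minimal jail run over constructed sshd log lines. The log lines, IP addresses and the maxretry/findtime/ignoreip values are all made up for illustration; the point it shows is that without a whitelist the legitimate user at 198.51.100.20 gets banned alongside the real attacker, and with ignoreip covering that network only the attacker is banned.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth log, not captured from a real server. 198.51.100.20 is
# the "home IP" that also has a successful key login; 203.0.113.7 is a brute
# forcer; 192.0.2.9 fails slowly, spaced 20 minutes apart.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 10 12:00:02 host sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 10 12:00:03 host sshd[103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 12:00:04 host sshd[104]: Failed password for root from 198.51.100.20 port 40000 ssh2
Mar 10 12:00:05 host sshd[105]: Failed password for root from 198.51.100.20 port 40001 ssh2
Mar 10 12:00:06 host sshd[106]: Failed password for root from 198.51.100.20 port 40002 ssh2
Mar 10 12:00:07 host sshd[107]: Accepted publickey for alice from 198.51.100.20 port 40003 ssh2
Mar 10 12:20:00 host sshd[108]: Failed password for root from 192.0.2.9 port 3000 ssh2
Mar 10 12:40:00 host sshd[109]: Failed password for root from 192.0.2.9 port 3001 ssh2
Mar 10 13:00:00 host sshd[110]: Failed password for root from 192.0.2.9 port 3002 ssh2
"""

# Simplified stand-in for fail2ban's sshd failregex: only password failures.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_ts(line):
    """Syslog timestamps carry no year; strptime fills in 1900, fine for deltas."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


class Jail:
    """Sliding-window failure counter with an ignoreip whitelist."""

    def __init__(self, maxretry=3, findtime=600, ignoreip=()):
        self.maxretry = maxretry          # failures needed before a ban
        self.findtime = findtime          # window in seconds
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps within the window
        self.banned = []                    # ban order, oldest first

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Return the IP banned by this line, or None."""
        m = FAILREGEX.search(line)
        if not m:
            return None
        ip = m.group("ip")
        if self.is_ignored(ip):
            return None  # whitelisted sources never accumulate failures
        ts = parse_ts(line)
        window = self.failures[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= self.maxretry and ip not in self.banned:
            self.banned.append(ip)
            window.clear()
            return ip
        return None


def run_jail(log, **settings):
    """Feed every line of `log` through a Jail and return the banned IPs in order."""
    jail = Jail(**settings)
    for line in log.splitlines():
        jail.feed(line)
    return jail.banned


if __name__ == "__main__":
    print("no whitelist:  ", run_jail(SAMPLE_LOG))
    print("with ignoreip: ", run_jail(SAMPLE_LOG, ignoreip=("198.51.100.0/24",)))
    print("findtime=3600: ", run_jail(SAMPLE_LOG, findtime=3600))
```

Running it shows three things the thread touches on: with the defaults, both 203.0.113.7 and the home address 198.51.100.20 are banned, so the legitimate user is locked out until the ban expires; adding the home network to ignoreip leaves only the attacker banned; and the slow attacker 192.0.2.9 never trips maxretry=3 inside a 600-second findtime, but does once findtime is widened to an hour, which is the tuning trade-off the "know your tools" comment refers to.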