I have a personal server that has served me well on my local network - mostly as a file server over SSH - and it worked well for what it is. My personal network has a stable-ish public IP address. I recently intend to open it up for use by my family members; however, I am unsure how. The concerns:
1) Family members are generally trusted, but they come from uncertain IP addresses. I know from past experience that exposing password-authorized port 22 to the public internet is generally a bad idea (the Chinese/Ukrainian brute-forcing comes within a couple of hours, and they won't stop till you're pwned), and I can't just restrict it to the local network if it is going to be usable.
2) Public key-only SSH might be an option, but how do I make sure the keys are secure in transit / at the clients?
3) Fail2ban is another option I've thought about; however, I'm unsure how to balance brute-force deterrence against usability.
4) Is there any other file-serving protocol that is safer than SSH/sftp, i.e. stuff that is more sandboxed and does not grant the ability to execute code, even if it's compromised? This might be a good way to get around trying to secure SSH connections from the internet, but I don't know much about the alternatives - ideally it should be something that's relatively easy to set up; Nextcloud seems a little intimidating.
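Points 2 and 4 of the post come down to a few sshd_config directives: refuse passwords entirely, and give the family accounts a `Match` block that forces the built-in `internal-sftp` subsystem inside a chroot with every forwarding option off, so a compromised account gets file access and nothing else. The script below is an added example, not from the original post or from OpenSSH: it parses an sshd_config (global section plus `Match` sections, first value wins, as sshd does) and audits it for those settings. The directive names are real OpenSSH keywords; the group name `sftponly`, the chroot path `/srv/sftp/%u` and both sample configs are constructed for illustration.

```python
"""Audit an sshd_config for key-only auth and a sandboxed SFTP-only Match block.

Added example; both configs below are constructed. Group name "sftponly" and
the chroot path are assumed values, not anything from the original post.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed "after" config: what the post is trying to arrive at.
HARDENED_CONFIG = """\
# Keys only: nothing for an internet brute-forcer to guess
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20

# Family accounts: chrooted SFTP, no shell, no forwarding of any kind
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    AllowAgentForwarding no
"""

# Constructed "before" config: passwords on, root allowed, SFTP block only half done.
WEAK_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin yes
Match Group sftponly
    ForceCommand internal-sftp
"""

# Upstream OpenSSH defaults for the keywords we check (distros may ship different
# values in their own sshd_config; those would be parsed from the file itself).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "allowtcpforwarding": "yes",
    "x11forwarding": "no",
    "permittunnel": "no",
    "allowagentforwarding": "yes",
}


@dataclass
class Block:
    criteria: str  # "" for the global section, otherwise e.g. "Group sftponly"
    settings: dict[str, str] = field(default_factory=dict)


def parse_sshd_config(text: str) -> list[Block]:
    """Return the global block followed by one Block per Match section.

    Keywords are case-insensitive in sshd, so they are lowercased. Within a
    block the first occurrence of a keyword wins, which is what sshd does.
    """
    blocks = [Block("")]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            blocks.append(Block(value))
            continue
        blocks[-1].settings.setdefault(key, value)
    return blocks


def audit(text: str) -> list[str]:
    """Return findings (an empty list means every check passed)."""
    blocks = parse_sshd_config(text)
    g = blocks[0].settings
    findings: list[str] = []

    def effective(key: str, local: dict[str, str]) -> str:
        # A Match block inherits anything it does not set from the global section.
        return local.get(key, g.get(key, DEFAULTS[key])).lower()

    # Global: no password or keyboard-interactive logins, keys on, no root.
    # Older releases spell KbdInteractiveAuthentication as ChallengeResponseAuthentication.
    kbd = g.get("kbdinteractiveauthentication", g.get("challengeresponseauthentication", "yes"))
    for key, actual, want in (
        ("passwordauthentication", effective("passwordauthentication", {}), "no"),
        ("kbdinteractiveauthentication", kbd.lower(), "no"),
        ("pubkeyauthentication", effective("pubkeyauthentication", {}), "yes"),
        ("permitrootlogin", effective("permitrootlogin", {}), "no"),
    ):
        if actual != want:
            findings.append(f"global: {key} is '{actual}', expected '{want}'")

    # Any SFTP-only Match block must chroot and switch off every forwarding channel.
    for b in blocks[1:]:
        if b.settings.get("forcecommand", "").lower() != "internal-sftp":
            continue
        if "chrootdirectory" not in b.settings:
            findings.append(f"Match {b.criteria}: internal-sftp without ChrootDirectory")
        for key in ("allowtcpforwarding", "x11forwarding", "permittunnel", "allowagentforwarding"):
            if effective(key, b.settings) != "no":
                findings.append(f"Match {b.criteria}: {key} not disabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

Two practical notes on the chrooted block: sshd refuses to start a session unless the `ChrootDirectory` and every directory above it are owned by root and not group- or world-writable, so give each user a root-owned top directory with a writable subdirectory inside it, and run `sshd -t` after editing to catch syntax errors before restarting the daemon. This check says nothing about fail2ban (point 3); with passwords off, the remaining brute-force traffic is noise in the logs rather than a risk, which is the usual way to resolve that usability trade-off.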
Posted 7 years ago