Hardening Keycloak?

How are people hardening Keycloak? For example, turning on brute force detection, which is off by default.

One thing I do to protect /auth/admin is use a filter limiting /auth/admin/ access to localhost, administered over a secure remote desktop connection, like this:

<server>
    ...
    <host name="default-host" alias="hostname.domain">
        <location name="/" handler="welcome-content"/>
        <http-invoker security-realm="ApplicationRealm"/>
        <!-- apply the ipAccess filter to every request handled by this host -->
        <filter-ref name="ipAccess"/>
    </host>
</server>
<filters>
    <!-- requests under the admin console path are only admitted from loopback addresses;
         any other peer address gets the filter's failure status (403 by default) -->
    <expression-filter name="ipAccess" expression="path-prefix('/auth/admin/master/console') -> ip-access-control(acl={'127.0.0.0/8 allow'})"/>
</filters>

But it could also limit access to an administrative VPN pool or other specific addresses.

A good starter is to read this chapter of the docs and consider which tasks are necessary for your environment: Server Administration Guide
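To make the behaviour of the filter in the post concrete, here is an added Python model of the `path-prefix(...) -> ip-access-control(acl={...})` expression. It is illustration code written for this page, not Keycloak or WildFly code, and it assumes Undertow's semantics as I understand them: the prefix matches on a path-segment boundary, ACL entries are checked in order with first match winning, and a peer that matches no entry is denied because `ip-access-control` defaults to deny. The sample requests, addresses and the `/auth/admin` variant of the prefix are constructed for the example; the `evaluate` function goes beyond the post by showing what changes when the prefix is widened from the console path to all of `/auth/admin`.

```python
"""Model of the Undertow expression-filter shown in the post:

    path-prefix('/auth/admin/master/console') -> ip-access-control(acl={'127.0.0.0/8 allow'})

Added illustration, not Keycloak/WildFly code.  Assumed semantics (modelled on
Undertow's PathMatcher and IPAddressAccessControlHandler): prefix matches at a
path-segment boundary, ACL rules are evaluated in order, first match wins, and
a peer matching no rule is denied (ip-access-control's default-allow is false).
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class AclRule:
    network: Network
    allow: bool


def parse_acl(entries: Iterable[str]) -> List[AclRule]:
    """Parse entries of the form '<cidr> allow' / '<cidr> deny' (assumed format)."""
    rules = []
    for entry in entries:
        parts = entry.split()
        if len(parts) != 2 or parts[1] not in ("allow", "deny"):
            raise ValueError(f"malformed ACL entry: {entry!r}")
        rules.append(AclRule(ipaddress.ip_network(parts[0], strict=False), parts[1] == "allow"))
    return rules


def path_prefix(prefix: str, path: str) -> bool:
    """True when `path` equals `prefix` or continues it at a '/' boundary."""
    prefix = prefix.rstrip("/")
    if not path.startswith(prefix):
        return False
    return len(path) == len(prefix) or path[len(prefix)] == "/"


def ip_access_control(rules: Sequence[AclRule], peer_ip: str, default_allow: bool = False) -> bool:
    """First matching rule decides; an IPv6 peer never matches an IPv4 rule and vice versa."""
    addr = ipaddress.ip_address(peer_ip)
    for rule in rules:
        if addr.version == rule.network.version and addr in rule.network:
            return rule.allow
    return default_allow


def admitted(path: str, peer_ip: str,
             prefix: str = "/auth/admin/master/console",
             acl: Sequence[str] = ("127.0.0.0/8 allow",)) -> bool:
    """Outcome of the whole expression for one request."""
    if not path_prefix(prefix, path):
        return True  # predicate false: the handler is skipped and the request passes through
    return ip_access_control(parse_acl(acl), peer_ip)


# Constructed sample requests: (request path, peer address as seen by Undertow)
SAMPLE_REQUESTS = [
    ("/auth/admin/master/console/", "127.0.0.1"),      # admin on the console host
    ("/auth/admin/master/console/", "::1"),            # same host, but via IPv6 loopback
    ("/auth/admin/master/console/", "203.0.113.5"),    # external client
    ("/auth/admin/realms/master/users", "203.0.113.5"),  # admin REST API, not the console UI
    ("/auth/realms/demo/protocol/openid-connect/auth", "203.0.113.5"),  # ordinary login traffic
]


def evaluate(prefix: str = "/auth/admin/master/console",
             acl: Sequence[str] = ("127.0.0.0/8 allow",)) -> dict:
    """Map every sample request to its admit/deny outcome under the given filter settings."""
    return {(path, ip): admitted(path, ip, prefix=prefix, acl=acl) for path, ip in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for prefix in ("/auth/admin/master/console", "/auth/admin"):
        print(f"prefix {prefix}:")
        for (path, ip), ok in evaluate(prefix).items():
            print(f"  {'allow' if ok else 'deny ':5} {ip:>12}  {path}")
```

Two things the run makes visible. With the post's prefix, the admin REST API under `/auth/admin/realms/...` is not covered, so an external client holding an admin token can still use it; widening the prefix to `/auth/admin` closes that. And an ACL with only IPv4 entries denies a browser that reaches the console over `::1`, so add an `::1/128 allow` entry if the remote desktop session resolves localhost to IPv6. A further caveat for deployments behind a reverse proxy: the address the filter sees is the proxy's peer address unless `proxy-address-forwarding="true"` is set on the `http-listener`, and a proxy running on the same host would make every client look like 127.0.0.1 and defeat the ACL entirely.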