Within a few minutes of your ClearOS instance being on a public IP, there will be a flood of attempts to compromise it. So you should use a very strong password. Even better is to set up Two Factor Authentication.
This protects the ClearOS admin panel (Webconfig). Once you are logged in, you can use the Dynamic Firewall to temporarily permit access to other apps (SSH, VPN, etc)
Status as of 2017-11-24: The app is complete. Next step is to ask ClearOS community to test extensively.
yum --enablerepo=clearos-updates-testing,clearos-contribs-testing install app-two-factor-auth
Once installed, find the relevant admin panel and configure for your needs.
The information about the configuration is at /etc/clearos/two_factor_auth.conf (useful if you can't log in via the ClearOS admin panel because you are not receiving the emails)
If you need to add more than one email address (which is typical for the root account, just create a redirect ( rootmfa at example.org -> joe at example.org and jane at example.org and use mail forwarding.
You can also forward emails to SMS but be aware that SMS-based two-step verification is no longer recommended by NIST