It’s not really recommended to make OSMC internet facing, as it is not designed to be a hardened server OS and has a publicly known default user account and password (osmc/osmc) and password-less sudo to root.
However if you absolutely must, port forward only SSH and make sure you change the osmc password to something impossible to guess. (No common words etc) There are no other user accounts enabled by default (not even root is enabled) but be aware that third party packages you install might potentially create other user accounts.
I would also recommend putting SSH on a random high port when forwarding from your router so that it is not subject to constant script kiddy password brute force attacks as they tend to only target the default ssh port.
A VPN would be a better option but is obviously a lot more work to set up.
Do NOT port forward to the Kodi web interface (there are known exploits for it) or ftp/samba.
i disabled Kodi web interface, and not planning enabling it back, i don’t need it.
all i think of to access is either SSH (yes, on a custom port) and Torrent app webinterface (again, custom port with user/password auth).
Be aware that the torrent app web interface is a potential security hole. OpenSSH server (which we use) is well tested and hardened and as long as it’s configured sensibly and the password isn’t short or guessable should be pretty secure, a web interface for a random torrent app is not likely to be well tested or secure, quite the opposite probably. Not to mention that it probably sends your web interface username and password in the clear using HTTP basic authentication. If it were me I wouldn’t do it.
You could use ssh port tunnelling to connect to the torrent web interface - that way the web interface is tunnelled through the encrypted ssh session, and only someone who has ssh login credentials can even get at the web interface at all. Most common ssh clients such as Putty support port tunnelling.