- Change default port - but keep it below 1024!
- Set up key-based auth and disable password-based auth
- Set up lfd (the login failure daemon) to monitor logins
Why SSH should always be below 1024:
Only root can bind ports below 1024; unprivileged users can run daemons on ports above 1024. This means that someone with an unprivileged account on your system could crash the SSH daemon, start their own fake daemon on the same high port, and capture root login credentials, which amounts to a local privilege escalation exploit.
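As an added example (not part of the original post), here is a POSIX shell check that audits an sshd_config against the first two points above: a port below 1024, password authentication off and public-key authentication on. The two config files are constructed samples written to temp files; the function names and the defaults assumed for missing directives (Port 22, PasswordAuthentication yes, PubkeyAuthentication yes) are this example's assumptions.

```shell
#!/bin/sh
# Constructed sample configs (not taken from any real host).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# weak: unprivileged port, passwords still accepted
Port 2222
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# hardened: privileged port, keys only
Port 922
PubkeyAuthentication yes
PasswordAuthentication no
EOF

# sshd_get <keyword> <file>: print the effective value of a directive.
# sshd honours the FIRST uncommented occurrence of a keyword, so we do too.
sshd_get() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print tolower($2); exit }' "$2"
}

# audit_sshd <file>: return 0 if the config passes, otherwise print each
# finding and return 1. Assumed defaults apply when a directive is absent.
audit_sshd() {
    f=$1; rc=0
    port=$(sshd_get Port "$f");                 [ -n "$port" ] || port=22
    pw=$(sshd_get PasswordAuthentication "$f"); [ -n "$pw" ]   || pw=yes
    pk=$(sshd_get PubkeyAuthentication "$f");   [ -n "$pk" ]   || pk=yes
    if [ "$port" -ge 1024 ]; then
        echo "FINDING: Port $port is unprivileged (>=1024); pick one below 1024"; rc=1
    fi
    if [ "$pw" != no ]; then
        echo "FINDING: PasswordAuthentication is $pw; set it to no"; rc=1
    fi
    if [ "$pk" != yes ]; then
        echo "FINDING: PubkeyAuthentication is $pk; set it to yes"; rc=1
    fi
    return $rc
}

audit_sshd "$WEAK_CFG" || echo "weak config fails the audit (expected)"
audit_sshd "$HARD_CFG" && echo "hardened config passes the audit"
```

Run it against the live file with `audit_sshd /etc/ssh/sshd_config`; it only reads the file, so it is safe to run as part of a routine check.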
Another method to help secure SSH is to install Fail2Ban. Fail2Ban scans the log files for failed login attempts and, after a set number of them from one address, bans that address from the server for a period of time.
There are many things you can do to configure Fail2Ban: