- Change the default port - but keep it below 1024!
- Set up key-based auth & disable password-based auth
- Set up lfd (ConfigServer's login failure daemon) to monitor logins
Why SSH should always be below 1024:
Unprivileged users can bind to ports above 1024 without root. If sshd listened on a high port, anyone with an unprivileged account on your system could crash the SSH daemon (or wait for it to die) and start their own fake daemon on the same port to capture the credentials of the next root login - a local privilege escalation. Ports below 1024 can only be bound by root, so that fake daemon cannot be started.
Another way to help secure SSH is to install Fail2Ban. Fail2Ban scans the log files for failed login attempts and, after a configurable number of failures from the same address, bans that address from the server for a period of time.
There are many things you can do to configure Fail2Ban:
- You can whitelist your IP so you can't be banned for making too many mistakes.
- If your server is a hotspot for attacks, or you're just wary, you can tell Fail2Ban to ban permanently.
- You can even add your own rules, for instance banning hosts that attempt to use the ShellShock exploit.
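To make the three settings above concrete, here is a small model of what Fail2Ban does, written for this post rather than taken from Fail2Ban itself: it scans constructed sshd log lines, counts failures per source address inside a `findtime` window, skips whitelisted `ignoreip` ranges, and bans after `maxretry` failures, with `bantime = -1` meaning a permanent ban (the option names mirror Fail2Ban's; the ISO timestamp format of the sample lines is an assumption for simplicity).

```python
import re
import ipaddress
from datetime import datetime
# Patterns in the spirit of fail2ban's sshd filter (written for this example); <HOST> = offending IPv4.
FILTERS = [
    r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+",
    r"Invalid user \S+ from <HOST>",
]
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FILTERS]
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")

def scan_auth_log(lines, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
    """Return {ip: ban_expiry_epoch}; None as the value means a permanent ban."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    failures = {}  # ip -> epoch seconds of failures still inside the findtime window
    banned = {}
    for line in lines:
        m_ts = TS_RE.match(line)
        if not m_ts:
            continue
        ts = datetime.fromisoformat(m_ts.group("ts")).timestamp()
        for pat in COMPILED:
            m = pat.search(line)
            if not m:
                continue
            ip = m.group("host")
            # Whitelisted addresses never accumulate failures; banned ones are done.
            if ip in banned or any(ipaddress.ip_address(ip) in n for n in ignored):
                break
            failures[ip] = [t for t in failures.get(ip, []) if ts - t <= findtime] + [ts]
            if len(failures[ip]) >= maxretry:
                banned[ip] = None if bantime < 0 else ts + bantime  # bantime=-1: permanent
            break
    return banned

# Constructed sshd log lines (ISO timestamps for simplicity); 192.0.2.0/24 is "our" network.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 srv sshd[410]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "2024-05-01T10:00:05 srv sshd[411]: Invalid user admin from 203.0.113.5 port 51240",
    "2024-05-01T10:00:09 srv sshd[412]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2",
    "2024-05-01T10:00:30 srv sshd[413]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "2024-05-01T10:20:30 srv sshd[414]: Failed password for root from 198.51.100.7 port 40002 ssh2",
    "2024-05-01T10:40:30 srv sshd[415]: Failed password for root from 198.51.100.7 port 40003 ssh2",
    "2024-05-01T11:00:00 srv sshd[416]: Failed password for ops from 192.0.2.10 port 50000 ssh2",
    "2024-05-01T11:00:01 srv sshd[417]: Failed password for ops from 192.0.2.10 port 50000 ssh2",
    "2024-05-01T11:00:02 srv sshd[418]: Failed password for ops from 192.0.2.10 port 50000 ssh2",
]

if __name__ == "__main__":
    print(scan_auth_log(SAMPLE_LOG, maxretry=3, ignoreip=["192.0.2.0/24"]))
```

Only 203.0.113.5 ends up banned: 198.51.100.7 spreads its failures wider than `findtime`, and 192.0.2.10 is whitelisted even though it failed three times.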