Here are some steps I recommend everyone doing when setting up a server which is reachable on the internet. Below each point, I list an example configuration applicable to Debian based systems. These settings, however, may apply to any Unix or Linux system, though, you just must make sure the paths correspond to your system.
Run it on a non standard port
This will make your server not show up in standard/shallow nmap scans and thus make script kiddies move on to another server to attack than yours. Of course, your server is still findable (and attackable), but it requires just that more effort from the attacker's side, so a lot of them will move on elsewhere if they're not destined to targert you.
# /etc/ssh/sshd_config Port 9900
Do not allow root logins
I never stop being amazed of how many production systems that runs with with this setting enabled.
# /etc/ssh/sshd_config PermitRootLogin no
Do not allow password logins
Password logins have two problems. One, people tend to use insecure passwords, or are too bothered changing them regularly. Secondly, every time the person logs on to your server, he/she is at the risk of a key logger snatching the password.
Instead, insist on using keys for logging on to your
server. Only clients having their public key in the
.ssh/authorized_keys can log in to
# /etc/ssh/sshd_config PasswordAuthentication no RSAAuthentication yes PubkeyAuthentication yes
Only accept SSHv2
I believe this is standard on all new systems these days, but just confirm that you do not accept SSHv1 connections as these are not considered secure anymore.
# /etc/ssh/sshd_config Protocol 2
Put Clients That Fail a Log In in Jail
I recommend using fail2ban or similar for putting clients in jail for e.g. five minutes every when they fail a couple of login attemts. This makes brute force attacks so a lot more difficult.
# vim /etc/fail2bain/jail.conf
And configure the ssh section like:
[ssh] enabled = true port = 9900 filter = sshd logpath = /var/log/auth.log maxretry = 6