1. Enable a firewall, block all IP access to the SSH port by default, and allow only your staff IPs or the dynamic IP ranges that you trust.
2. Disable direct root login. It is always better to log in as a non-privileged user first and then switch to the root user. This is the norm if you are looking for PCI DSS compliance. Edit /etc/ssh/sshd_config:
PermitRootLogin no
Ezeelogin SSH Gateway has a feature called ‘AUTO SU or SUDO’ which automatically does the switching, so you do not waste time retrieving the password of the ‘admin’ user and then entering the root password.
3. Disable password-based authentication and enable only key-based authentication in the sshd configuration file. I would rate this as the most important of all.
PasswordAuthentication no
4. Enable key-based authentication. RSA keys are known to be more secure than DSA keys. (RSAAuthentication was an SSH protocol 1 option and is no longer recognised by current OpenSSH releases; PubkeyAuthentication is the setting that controls key-based login.)
RSAAuthentication yes
PubkeyAuthentication yes
AllowTcpForwarding no
5. Change the sshd default listening port from 22 to something like 22656, since it is hard to guess and attackers would have to scan for it. Use a custom SSH port and listening IPs:
Port 22656
ListenAddress 192.xx.xx.xx
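A small audit script for steps 2 to 5, added here as an example and not part of the original article. It parses the global section of an sshd_config (the text form, not a live server), compares each keyword against the values the list asks for, and, because sshd applies its own default when a keyword is absent, reports missing keywords against those defaults rather than ignoring them. The two sample configs and the 192.0.2.10 address are constructed placeholders.

```python
"""Audit an sshd_config text against the hardening settings in steps 2 to 5.

Added example, not part of the original article. The sample configs below
are constructed for illustration; 192.0.2.10 is a documentation-range
placeholder, not a real server.
"""
import re

# Values the list above asks for, keyed by lower-cased keyword
# (sshd matches keywords case-insensitively, so "allowtcpforwarding" also works).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "allowtcpforwarding": "no",
}

# What a current OpenSSH sshd uses when the keyword is absent. A missing
# keyword is therefore audited against its default instead of being skipped.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "allowtcpforwarding": "yes",
    "port": "22",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Only the first occurrence of a keyword is kept, because sshd uses the
    first value it reads. Parsing stops at the first Match block, whose
    settings apply conditionally rather than globally.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return {keyword: finding} for every failed check; an empty dict means clean."""
    cfg = parse_sshd_config(text)
    findings = {}
    for key, want in EXPECTED.items():
        have = cfg.get(key, DEFAULTS[key])
        if have.lower() != want:
            origin = "set to" if key in cfg else "unset, defaults to"
            findings[key] = f"{key} {origin} '{have}', expected '{want}'"
    if cfg.get("port", DEFAULTS["port"]) == "22":
        findings["port"] = "port is 22 (the default); move sshd to a non-standard port"
    if "listenaddress" not in cfg:
        findings["listenaddress"] = "no ListenAddress; sshd binds every interface"
    return findings


# Constructed samples: a default-looking config and a hardened one.
WEAK_CONFIG = """\
# Port is commented out, so sshd falls back to the default of 22
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22656
ListenAddress 192.0.2.10
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit(text)
        print(f"{name}: {'OK' if not problems else f'{len(problems)} finding(s)'}")
        for msg in problems.values():
            print("  -", msg)
```

Run it against a copy of your own /etc/ssh/sshd_config to see which of the settings above are still at their defaults; the parser deliberately stops at the first Match block, so per-user or per-address exceptions must be reviewed by hand.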
6. Configure a VPN and place your server behind it. This really improves security and hardens the server.