No.1 – If you don’t use it, turn it off
# Switch SSH off: stop the running service and keep it from starting at boot
# NOTE(review): if this system starts sshd through an ssh.socket unit, that
# unit may need the same treatment - confirm with the status output below
sudo systemctl disable --now ssh
sudo systemctl status ssh
# Switch SSH back on: start it now and at every boot
sudo systemctl enable --now ssh
sudo systemctl status ssh
No.2 – Change the default SSH port
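# The SSH daemon config file is located at /etc/ssh/sshd_config
# Moving the port only cuts down automated scan noise; it is not access
# control, so still apply the key-only login and firewall tips.
# Keep your current SSH session open until a new login on the new port works.
# Back up the file first (-p keeps its mode, owner and timestamps)
sudo cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
sudo nano /etc/ssh/sshd_config
# find Port 22
# Uncomment the line and change 22 to another unused port number
Port 1234
# SSH only uses TCP, so open just that protocol on the new port
sudo ufw allow 1234/tcp
# Check the edited file for errors before restarting; no output means it is valid
sudo sshd -t
sudo systemctl restart sshd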
No.3 – Disable root login via SSH
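# Before turning root login off, confirm that a non-root account with sudo
# rights can log in over SSH, and keep your current session open while testing
sudo nano /etc/ssh/sshd_config
# find #PermitRootLogin prohibit-password
# Uncomment the line and change to
PermitRootLogin no
# Check the edited file for errors; no output means it is valid
sudo sshd -t
# Confirm the value sshd will actually use. sshd keeps the first value it reads
# for a keyword, so a file pulled in by an earlier Include line can override this one
sudo sshd -T | grep -i permitrootlogin
sudo systemctl restart sshd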
No.4 – Disable password login
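# Make sure key-based login to the server works before changing this setting,
# otherwise you can lock yourself out
# on the client machine: create a key pair (set a passphrase when prompted)
ssh-keygen
# copy the public key to the server
ssh-copy-id user@server
# Log in while offering only the key. If this succeeds without asking for the
# account password, proceed to the next step
ssh -o PreferredAuthentications=publickey user@server
sudo nano /etc/ssh/sshd_config
# find #PasswordAuthentication yes
# Uncomment the line and change to
PasswordAuthentication no
# Check the edited file for errors; no output means it is valid
sudo sshd -t
# Confirm the values sshd will actually use. sshd keeps the first value it reads
# for a keyword, so a file pulled in by an earlier Include line can override this
# one. Keyboard-interactive authentication can also prompt for a password, so
# check that it reports "no" as well
sudo sshd -T | grep -i -E 'passwordauthentication|kbdinteractiveauthentication'
# Keep the current session open and test a fresh login after the restart
sudo systemctl restart sshd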
No.5 – Restrict source IP addresses at the firewall
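# Only allow your work computer's IP address to reach the SSH port
# (replace 22 with the port sshd actually listens on if you changed it)
sudo ufw allow proto tcp from 192.168.1.88 to any port 22
# or allow a specific subnet instead
sudo ufw allow proto tcp from 192.168.1.0/24 to any port 22
# These rules only add access. They restrict SSH only when no broader rule
# (such as a plain "allow 22" from any address) is present, ufw is active and
# the default incoming policy is deny. Review the rule list, then remove any
# broader SSH rule with: sudo ufw delete <rule number>
sudo ufw status numbered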