- Don’t run the internet-facing SSH service on an IP address used by a key application.
- Use a dedicated host acting as a jump box.
- Use port knocking.
- Use key pairs.
- Use fail2ban.
- Don’t allow root logins.
- Restrict access to a named group.
- Don’t use shared logins.
- Don’t allow direct access below the presentation tier.
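
As an added example (not from the original post), the following sshd_config fragment for a dedicated jump box implements the items above that are sshd settings; the listen address, group name and subnet are assumed placeholders, and port knocking and fail2ban are separate tools not shown here.

```sshd_config
# Added example: /etc/ssh/sshd_config on a dedicated jump box.
# 203.0.113.10 and the group "sshadmins" are assumed placeholders.

# Bind only to the jump box's own address, never an IP shared with an application.
ListenAddress 203.0.113.10

# Key pairs only: no password or keyboard-interactive logins.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

# No root logins; administrators log in as themselves and escalate locally.
PermitRootLogin no

# Only members of a named group may log in; keep shared accounts out of it.
AllowGroups sshadmins

# Keep the host a pure jump box: allow the forwarding ProxyJump needs, nothing else.
AllowTcpForwarding yes
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no

# Fail brute-force attempts quickly so fail2ban sees them early.
MaxAuthTries 3
LoginGraceTime 20

# On the hosts below the presentation tier, pair this with a firewall rule that
# accepts 22/tcp only from 203.0.113.10, so no tier is reachable directly.
```

Note that sshd does not accept trailing comments on a directive line, and the first occurrence of a directive wins, so place these lines before any defaults the distribution ships.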
Have more?
Ping me in the comments or on Twitter and I’ll add them here.