• Don’t expose internet-facing SSH on an IP address that a key application also uses; give sshd its own address.
• Use a dedicated host as a jump box, and reach everything else through it.
• Use port knocking.
• Use key pairs, and disable password authentication.
• Use fail2ban.
• Don’t allow root logins.
• Restrict SSH access to a named group.
• Don’t use shared logins; every person gets their own account.
• Don’t allow direct access to hosts below the presentation tier; go through the jump box instead.
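
Most of the items above that live in sshd_config can be checked mechanically. The script below is an added example, not code from the original post: it reads a config file the way sshd does (first occurrence of a directive wins, directives after a Match block are conditional) and reports the root-login, password-authentication, key-authentication, group-restriction and bind-address settings against the checklist. The two sample configs and the group name ssh-jump are constructed for the demo. Jump box, port knocking, fail2ban and tier firewalling are network controls, so the script does not check them, and it assumes whitespace-separated directives with no Include lines.

```shell
#!/bin/sh
# Audit an sshd_config against the SSH checklist above (added example).
# Assumptions: directives are "Keyword value", global directives precede any
# Match block, no Include directive is used.

# Print the effective value of one directive. sshd takes the first occurrence
# and treats anything after a Match line as conditional, so stop there.
sshd_directive() {
    # $1 = config file, $2 = directive name (sshd matches keywords case-insensitively)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# Audit one file: prints one FAIL line per finding, returns the finding count.
audit_sshd_config() {
    cfg="$1"; findings=0

    v=$(sshd_directive "$cfg" PermitRootLogin)
    if [ "$v" != "no" ]; then
        # OpenSSH's default (prohibit-password) still lets root in with a key.
        echo "FAIL PermitRootLogin=${v:-unset}: root login possible"
        findings=$((findings + 1))
    fi

    v=$(sshd_directive "$cfg" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "FAIL PasswordAuthentication=${v:-unset}: passwords accepted (default yes), use key pairs only"
        findings=$((findings + 1))
    fi

    v=$(sshd_directive "$cfg" PubkeyAuthentication)
    if [ "$v" = "no" ]; then
        echo "FAIL PubkeyAuthentication=no: key pairs disabled"
        findings=$((findings + 1))
    fi

    v=$(sshd_directive "$cfg" AllowGroups)
    if [ -z "$v" ]; then
        echo "FAIL AllowGroups unset: any local account may log in, restrict to a named group"
        findings=$((findings + 1))
    fi

    v=$(sshd_directive "$cfg" ListenAddress)
    case "$v" in
        ""|0.0.0.0*|"::"*|"[::]"*)
            echo "FAIL ListenAddress=${v:-unset}: sshd binds every address, including application IPs"
            findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# Constructed sample configs (not taken from any real host).
# Weak: distro-style defaults; root login is only restricted inside a Match
# block for an internal range, so the internet-facing side keeps the default.
WEAK_SSHD_CONFIG='# listens everywhere, passwords on, root restricted only for 10/8
Port 22
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin no
'

# Hardened jump box: own address, keys only, named group, no root.
HARDENED_SSHD_CONFIG='ListenAddress 192.0.2.10
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups ssh-jump
'

# Write a config string to a temp file and audit it: $1 = label, $2 = config text.
audit_sample() {
    f=$(mktemp) || return 1
    printf '%s' "$2" > "$f"
    echo "== $1"
    audit_sshd_config "$f"; rc=$?
    rm -f "$f"
    echo "   $rc finding(s)"
    return $rc
}

audit_sample weak "$WEAK_SSHD_CONFIG" || true
audit_sample hardened "$HARDENED_SSHD_CONFIG" || true
```

Run it against /etc/ssh/sshd_config on the jump box with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit code is the finding count, which makes it easy to wire into a config-management check.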

Have more?

Ping me in the comments or on Twitter and I’ll add them here.