Ways to make SSH more secure

SSH was designed as a replacement for Telnet and for unsecured remote shell protocols. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. Below I have summarized some ways to make SSH more secure.

1. Create a non-root user

adduser yourusername
su yourusername

2. Create SSH keys

Create a key pair and protect the private key with a passphrase that will not be guessed easily.

mkdir ~/.ssh
chmod 700 ~/.ssh
cd ~/.ssh
ssh-keygen -C yourmail@yourdomain.com

Back up the key files id_rsa and id_rsa.pub, then copy the public key into authorized_keys so sshd can use it for authentication:
cat id_rsa.pub > authorized_keys

Change the permissions:
chmod 600 ~/.ssh/authorized_keys
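sshd refuses to use keys from a directory or file that other users can write to (its StrictModes check), so it is worth auditing these modes before you disable password login. The script below is an added example, not part of the original post: check_ssh_dir reports any deviation from the modes set in this step, fix_ssh_dir applies them, and make_sample_dir builds a constructed .ssh look-alike (with a placeholder private key, not a real one) so the script runs safely; point check_ssh_dir at "$HOME/.ssh" to audit a real directory.

```bash
#!/bin/sh
# Added example, not from the original post: audit the permission bits that
# sshd's StrictModes check enforces before relying on key-only login.
# make_sample_dir builds a constructed ~/.ssh look-alike with deliberately
# loose modes; point check_ssh_dir at "$HOME/.ssh" to audit a real one.

# mode_of PATH: print the octal permission bits, e.g. 700 (GNU stat syntax).
mode_of() {
    stat -c '%a' "$1"
}

# check_ssh_dir DIR: return 0 when DIR is 700, authorized_keys is 600 (644 is
# also accepted by sshd) and every private key is 600; otherwise print each
# finding and return 1.
check_ssh_dir() {
    local dir="$1" rc=0 f m
    m=$(mode_of "$dir")
    if [ "$m" != "700" ]; then
        echo "BAD  $dir is mode $m, expected 700"; rc=1
    fi
    if [ -f "$dir/authorized_keys" ]; then
        m=$(mode_of "$dir/authorized_keys")
        if [ "$m" != "600" ] && [ "$m" != "644" ]; then
            echo "BAD  $dir/authorized_keys is mode $m, expected 600"; rc=1
        fi
    else
        echo "BAD  $dir/authorized_keys is missing"; rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Private keys are recognised by their PEM-style header, not by name.
        if grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null; then
            m=$(mode_of "$f")
            if [ "$m" != "600" ]; then
                echo "BAD  private key $f is mode $m, expected 600"; rc=1
            fi
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK   $dir passes the permission checks"
    return "$rc"
}

# fix_ssh_dir DIR: apply the modes from step 2 (700 on the directory, 600 on
# authorized_keys and on every private key).
fix_ssh_dir() {
    local dir="$1" f
    chmod 700 "$dir"
    [ -f "$dir/authorized_keys" ] && chmod 600 "$dir/authorized_keys"
    for f in "$dir"/*; do
        [ -f "$f" ] && grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null && chmod 600 "$f"
    done
    return 0
}

# make_sample_dir: create a constructed directory holding a placeholder
# private key (not a real key) with world-readable modes; print its path.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    mkdir "$d/.ssh"
    chmod 755 "$d/.ssh"
    echo '-----BEGIN OPENSSH PRIVATE KEY-----' > "$d/.ssh/id_rsa"
    echo 'PLACEHOLDER, NOT A REAL KEY' >> "$d/.ssh/id_rsa"
    echo 'ssh-rsa PLACEHOLDERKEY user@example.com' > "$d/.ssh/authorized_keys"
    chmod 644 "$d/.ssh/id_rsa" "$d/.ssh/authorized_keys"
    echo "$d/.ssh"
}

sample=$(make_sample_dir)
check_ssh_dir "$sample" || true   # reports the loose modes
fix_ssh_dir "$sample"
check_ssh_dir "$sample"           # now passes
```

The check identifies private keys by their header rather than by file name, so renamed keys are still caught; it relies on GNU stat, as found on Linux.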

3. SSH configuration

Change the SSH port from 22 to 8022 (or any other port you like). Disable root login and enable key authentication.

vi /etc/ssh/sshd_config

Port 8022
PermitRootLogin no

# RSAAuthentication belongs to SSH protocol 1; OpenSSH 7.4 and later only warn about it
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

PermitEmptyPasswords no
PasswordAuthentication no

ChallengeResponseAuthentication no

Restart the SSH service and reconnect to your server with key authentication (you need to import your private key into your SSH client). Keep your current session open until the key-based login succeeds, because password login is now disabled.
service ssh restart
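Editing sshd_config by hand is easy to get wrong: a setting placed after a Match block only applies inside that block, and when an option appears twice sshd keeps the first value. The script below is an added example, not part of the original post, that applies the settings from this step idempotently and checks them before you restart. It works on a constructed sample file by default; set SSHD_CONFIG=/etc/ssh/sshd_config and run as root to edit the real file. RSAAuthentication is left out on purpose, for the reason noted in the configuration above.

```bash
#!/bin/sh
# Added example, not from the original post: apply the step-3 sshd_config
# settings idempotently and check them before "service ssh restart". By
# default it edits a constructed sample; set SSHD_CONFIG=/etc/ssh/sshd_config
# and run as root to edit the real file.

# set_option FILE KEY VALUE: replace the first global "KEY ..." line (active or
# commented out) with "KEY VALUE", comment out later global duplicates (sshd
# uses the first value anyway), and insert a missing KEY before the first
# Match block, or append it, so it stays a global setting.
set_option() {
    local file="$1"
    awk -v key="$2" -v value="$3" '
        BEGIN { done = 0; inmatch = 0 }
        !inmatch && /^[[:space:]]*Match([[:space:]]|$)/ {
            if (!done) { print key " " value; done = 1 }
            inmatch = 1
        }
        !inmatch {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
            split(line, parts, /[[:space:]]+/)
            if (tolower(parts[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1; next }
                if ($0 !~ /^[[:space:]]*#/) $0 = "#" $0
            }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_option FILE KEY: print the global value sshd will use (first active
# occurrence before any Match block), or nothing if it is unset.
get_option() {
    awk -v key="$2" '
        /^[[:space:]]*Match([[:space:]]|$)/ { exit }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE: the settings from step 3.
harden_sshd_config() {
    local f="$1"
    set_option "$f" Port 8022
    set_option "$f" PermitRootLogin no
    set_option "$f" PubkeyAuthentication yes
    set_option "$f" AuthorizedKeysFile "%h/.ssh/authorized_keys"
    set_option "$f" PermitEmptyPasswords no
    set_option "$f" PasswordAuthentication no
    set_option "$f" ChallengeResponseAuthentication no
}

# check_hardened FILE: return 0 if the effective global values are the ones
# step 3 requires, else report each mismatch and return 1.
check_hardened() {
    local f="$1" rc=0 kv
    for kv in PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no PubkeyAuthentication=yes; do
        if [ "$(get_option "$f" "${kv%=*}")" != "${kv#*=}" ]; then
            echo "BAD  ${kv%=*} is not ${kv#*=} in $f"; rc=1
        fi
    done
    return "$rc"
}

# validate FILE: let sshd parse FILE. sshd -t also loads the host keys, so it
# is only meaningful as root with sshd installed; otherwise say so.
validate() {
    if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        sshd -t -f "$1"
    else
        echo "skipping 'sshd -t -f $1' (needs sshd installed and root)"
    fi
}

# make_sample_config: a constructed sshd_config with a commented-out Port, a
# duplicated PermitRootLogin and a Match block; prints its path.
make_sample_config() {
    local f
    f=$(mktemp)
    printf '%s\n' '# constructed sample sshd_config, not a real server file' \
        '#Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
        'PermitRootLogin prohibit-password' 'Match User backup' \
        '    PasswordAuthentication yes' > "$f"
    echo "$f"
}

sample=${SSHD_CONFIG:-$(make_sample_config)}
harden_sshd_config "$sample"
check_hardened "$sample" && echo "OK   $sample has the step-3 settings"
validate "$sample" || echo "sshd rejected $sample; fix it before 'service ssh restart'"
```

On the sample, Port is uncommented and set, the second PermitRootLogin line is commented out so the file matches what sshd actually applies, the missing options land before the Match block, and the Match block's own PasswordAuthentication is left untouched.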

4. Firewall

Set firewall rules and allow SSH only.
The port must be the same as the SSH port you configured above, or you will lock yourself out.

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8022 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Save the rules. The saved file is not reloaded by itself at boot; something must run iptables-restore on it at startup (on Debian/Ubuntu the iptables-persistent package does this, but expects the rules in /etc/iptables/rules.v4).
iptables-save > /etc/iptables
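The lockout risk in this step is that the port accepted by the firewall and the port sshd listens on drift apart, or that a catch-all REJECT ends up before the ACCEPT. The script below is an added example, not part of the original post: it reads the global Port from sshd_config, parses a rules file in iptables-save format (the format this step writes) and confirms the INPUT chain has an effective ACCEPT for that port. The sample files it builds are constructed; for a live check run "iptables-save > /tmp/rules" and pass that file together with /etc/ssh/sshd_config.

```bash
#!/bin/sh
# Added example, not from the original post: cross-check that the rules you
# are about to save accept the port sshd listens on, so step 4 cannot lock
# you out. Sample files are constructed; for a live check run
# "iptables-save > /tmp/rules" and pass it with /etc/ssh/sshd_config.

# sshd_port FILE: print the global Port from sshd_config (first active value
# before any Match block), defaulting to 22 like sshd does.
sshd_port() {
    local p
    p=$(awk '/^[[:space:]]*Match([[:space:]]|$)/ { exit }
             tolower($1) == "port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# rules_allow_port RULES_FILE PORT: return 0 if the filter table's INPUT chain
# has an ACCEPT rule for --dport PORT that is not shadowed by an earlier
# catch-all REJECT/DROP (a rule with no --dport, like step 4's last rule).
# Port ranges and other match types are not interpreted (simplification).
rules_allow_port() {
    awk -v port="$2" '
        /^\*/ { table = substr($0, 2) }
        table != "filter" || $1 != "-A" || $2 != "INPUT" { next }
        {
            dport = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target == "ACCEPT" && dport == port) { found = 1; exit }
            if ((target == "REJECT" || target == "DROP") && dport == "") exit
        }
        END { exit !found }
    ' "$1"
}

# check_ssh_reachable SSHD_CONFIG RULES_FILE: tie the two together.
check_ssh_reachable() {
    local port
    port=$(sshd_port "$1")
    if rules_allow_port "$2" "$port"; then
        echo "OK   INPUT accepts tcp/$port, matching Port $port in $1"
    else
        echo "BAD  no effective ACCEPT for tcp/$port in $2; saving these rules would lock you out of sshd"
        return 1
    fi
}

# make_sample_rules PORT: step 4's rule set for PORT in iptables-save format
# (constructed); prints the file path.
make_sample_rules() {
    local f
    f=$(mktemp)
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        "-A INPUT -p tcp -m state --state NEW -m tcp --dport $1 -j ACCEPT" \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT' > "$f"
    echo "$f"
}

# make_sample_sshd_config PORT: a constructed sshd_config; prints the path.
make_sample_sshd_config() {
    local f
    f=$(mktemp)
    printf '# constructed sample, not a real server file\nPort %s\nPermitRootLogin no\n' "$1" > "$f"
    echo "$f"
}

cfg=$(make_sample_sshd_config 8022)
check_ssh_reachable "$cfg" "$(make_sample_rules 22)" || true   # port mismatch: BAD
check_ssh_reachable "$cfg" "$(make_sample_rules 8022)"        # OK
```

Because the parser walks the INPUT chain in order, it also flags a rule set whose catch-all REJECT was appended before the SSH ACCEPT, which a plain grep for the port would miss.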

Try to connect over SSH with a password: authentication will fail. Now you can access SSH with the private key only, so keep your private key safe and don't forget to back it up. If your private key is exposed, regenerate your SSH keys and replace the authorized keys immediately.