A default SSH configuration is a common attack target. These steps reduce your attack surface significantly by changing defaults and restricting access.

Change the Default Port

Edit /etc/ssh/sshd_config and change:

Port 2222

Disable Root Login

PermitRootLogin no

Limit Login Attempts

MaxAuthTries 3

Restrict to Specific Users

AllowUsers alice bob

Use Fail2Ban to Block Brute Force

sudo apt install fail2ban
sudo systemctl enable fail2ban

Restart SSH after changes: sudo systemctl restart sshd