If you Expose ssh Publicly…
…run it on a high port
This seems like obvious advice, but I see it ignored so often. Yes, putting ssh on another port is obscurity – but it freaking works. It doesn’t prevent someone from cracking your password via ssh; you should have other mechanisms for that. It just cuts out all the noise, all the mindless bots scanning port 22.
…disable root logins
This is the default on most distributions, but I still talk to people who think it’s ok to enable it. There’s just no reason to. Use sudo & public keys.
If you are really concerned about security, only allow public key access. This is how most of the bastion hosts I have experience with work, and I haven’t seen many problems with it. Not to say it’s perfect, but it’s pretty good.
By auditing access I mean two things: audit who has access by reviewing your logins & key files, and audit who is actually accessing your bastion host and who is trying and failing.
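As an added example (not from the original post), the script below checks an sshd_config against the advice above (high port, no root logins, key-only auth) and summarises accepted and failed logins from a few constructed auth.log lines; the config text, log lines, and the 1024 port threshold are assumptions for illustration.

```sh
#!/bin/sh
# Constructed sample sshd_config (assumption: what a hardened bastion might look like).
SAMPLE_SSHD_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# Print the value of a directive; sshd uses the first occurrence, so stop at the first match.
sshd_value() {
  printf '%s\n' "$1" | awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}'
}

# Return 0 when the config follows the post's advice, 1 otherwise; print each finding.
# Missing directives fall back to OpenSSH defaults (Port 22, PermitRootLogin
# prohibit-password, PasswordAuthentication yes).
check_sshd_config() {
  cfg="$1"; ok=0
  port=$(sshd_value "$cfg" Port); [ -z "$port" ] && port=22
  if [ "$port" -le 1024 ]; then echo "WARN: ssh listening on low port $port"; ok=1; fi
  root=$(sshd_value "$cfg" PermitRootLogin); [ -z "$root" ] && root=prohibit-password
  if [ "$root" != no ]; then echo "WARN: PermitRootLogin is $root"; ok=1; fi
  pw=$(sshd_value "$cfg" PasswordAuthentication); [ -z "$pw" ] && pw=yes
  if [ "$pw" != no ]; then echo "WARN: PasswordAuthentication is $pw (use keys only)"; ok=1; fi
  return $ok
}

# Constructed auth.log lines (sample data, not from any real host).
SAMPLE_AUTH_LOG='Mar  1 10:00:01 bastion sshd[1001]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2: ED25519 SHA256:aaaa
Mar  1 10:00:07 bastion sshd[1002]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:09 bastion sshd[1003]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Mar  1 10:01:00 bastion sshd[1004]: Accepted publickey for bob from 203.0.113.9 port 51010 ssh2: ED25519 SHA256:bbbb'

# Who is actually getting in: count of successful logins.
count_accepted() { printf '%s\n' "$1" | grep -c 'sshd\[[0-9]*\]: Accepted '; }
# Who is trying and failing: count of failed attempts.
count_failed() { printf '%s\n' "$1" | grep -c 'sshd\[[0-9]*\]: Failed '; }
# Failed attempts grouped by source address, most active first ("count ip" per line).
failed_by_source() {
  printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed / {for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' |
    sort | uniq -c | sort -rn
}

check_sshd_config "$SAMPLE_SSHD_CONFIG" && echo "sshd_config follows the advice"
echo "accepted: $(count_accepted "$SAMPLE_AUTH_LOG"), failed: $(count_failed "$SAMPLE_AUTH_LOG")"
failed_by_source "$SAMPLE_AUTH_LOG"
```

Point `sshd_value`/`check_sshd_config` at `"$(cat /etc/ssh/sshd_config)"` and the log functions at `"$(cat /var/log/auth.log)"` to run it against a real host.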
…keep it updated
Every once in a while a critical patch comes along for ssh. Apply it when it does. Quickly. It’s that simple.