Whenever possible, use the SSH2 version of the SSH protocol. It contains several improvements over SSHv1. Some of those improvements include a different set of improved and stronger algorithms for encryption and authentication. Use the protocol configuration directive in the SSHD config file followed by two to force version two of the SSH protocol. By default, SSH will listen on all addresses on the system. If you want to control what IP address SSHD binds to, use the listen address directive and specify the IP to listen on. If you want to listen on multiple IP addresses, use multiple listen address lines. You can use this in situations where you have a system that is connected to both a public and a private network. This way you can force SSH to only listen on the private network and reduce your attack surface. By default, SSH runs on port 22. If you want to change the default port, supply the new port number to the port directive in the sshd_config file. Changing the port that SSH listens on can reduce the number of unwanted connections. However, if an attacker is specifically targeting your system, it would be a rather simple task for them to do a complete port scan of your system and to find the port that SSH is now running on. If you do change the SSH port and you're using SELinux, you need to update the SELinux policy to include the new port. Run semanage port -a -t ssh_port_t -p tcp followed by the new port number. To check that the port was added, run semanage port -l and you can grep for ssh Avoid unnecessary information leakage. You can use the banner directive to display the contents of a file to a remote user before they are allowed to authenticate. Historically, that file has been /etc/issue.net. If you're using such a banner, try not to disclose any more information than you have to. I've seen some people put the distribution name and version, the kernel version and other random information that can be used by an attacker. If you have to use a banner per company policy, follow the policy, but keep in mind that anyone who attempts the connection will see that information. To disable the banner, set banner to none. It's important to note that any changes you make to the sshd_config file will not take effect until the SSHD process rereads the configuration. On a system that is using systemd, you would run systemctl reload sshd to force the configuration to be reloaded. In this video, you learned some ways to secure your SSH connection. This was by no means an exhaustive treatment, and you may have special considerations for your specific environment. Be sure to refer to the ssh, sshd and sshd_config man pages for more information.