The config file is normally found at /etc/ssh/ssh_config. All config file items are italicized and bold.
Change the default port SSH listens on:
This is really a no-brainer: you don’t want the whole world trying to guess the password. Even if they can’t log in, the SSH server might crash, leaving you with no access. Pick a number between 1024 and 65535. Let’s change ours to port 2022.
Port 2022
Disable SSH protocol version 1
The SSH protocol, version 1, has known insecurities and can be a way for someone malicious to get into your server. There is almost no reason to keep allowing protocol 1 on your server nowadays, so disable it.
Protocol 2
Enable key-based logins
Logging in with a password is all well and good, but you can get better security by using a private and public key pair.
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Don’t enable password-based logins
Beyond setting up key-based authentication, you can go a step further and allow only key-based logins. By disabling all password logins, no one can remotely attempt a brute force attack against any account passwords on your system. The downside is that every user who needs to log in must have a key set up and working properly.
PasswordAuthentication no
No remote root logins
This one is pretty much common sense. Don’t let root log in via SSH. That doesn’t mean you can’t get root privileges remotely, as it’s easy enough to set up a user with permissions to use su or sudo.
Almost every Unix system has the superuser called root, so attackers will use this as a username they know exists on your system, and try to brute force the password.
PermitRootLogin no
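A way to check a config file against the settings above before restarting the SSH server. This is an added example, not part of the original text; the names EXPECTED, SAMPLE, parse_global and audit are hypothetical, and the sample config is constructed. It relies on two parsing rules of the server config: keywords are case-insensitive, and the first value given for a keyword is the one used.

```python
# Added example: audit sshd-style config text against the settings on this page.
EXPECTED = {
    "port": "2022",
    "protocol": "2",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitrootlogin": "no",
}

# Constructed sample input with two mistakes a quick read can miss.
SAMPLE = """\
# constructed sample config
Port 2022
Protocol 2
PubkeyAuthentication yes
passwordauthentication yes
PasswordAuthentication no
PermitRootLogins no
Match User backup
    PasswordAuthentication yes
"""

def parse_global(text):
    """Return {keyword: value} for the global section (everything before the first Match)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()          # keywords are case-insensitive
        if key == "match":
            break                        # conditional blocks are outside this check
        if len(fields) == 2:
            settings.setdefault(key, fields[1].strip())  # first occurrence wins
    return settings

def audit(text, expected=EXPECTED):
    """Return (keyword, found, wanted) for every expected setting that is wrong or not set."""
    settings = parse_global(text)
    return [(k, settings.get(k), want) for k, want in expected.items()
            if settings.get(k) != want]

if __name__ == "__main__":
    for keyword, found, wanted in audit(SAMPLE):
        print(f"{keyword}: found {found!r}, wanted {wanted!r}")
```

In the sample, the later PasswordAuthentication no has no effect because an earlier line already set the value, and the misspelled keyword means root login is never actually restricted by this file.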
Part of the text was taken from FOSSWIRE