Securing SSH

Script kiddies these days still try to take over servers by brute-forcing their way through an insecure SSH server, sometimes hammering the server with so many connections that it becomes unresponsive. With some basic steps a server can be secured.

The most important thing before starting to secure the server is strict enforcement of password rules. No user or system account should have a weak password (even better: use key-based authentication and disable password logins altogether).

Furthermore, check your sshd_config settings and edit them to your needs; for a small server these settings should help:
LoginGraceTime 30 (a user has 30 seconds to complete a login before the server disconnects)
StrictModes yes (sshd checks ownership and permissions of the user's home directory and key files before accepting a login)
MaxAuthTries 2 (disconnect after 2 failed authentication attempts per connection)
MaxStartups 3:30:10 (start:rate:full: once 3 unauthenticated connections are pending, new ones are refused with a 30% probability, rising linearly until all are refused at 10)

More advanced security: You can secure your server with a monitoring daemon that actively scans your log files for intrusion attempts and temporarily adds malicious hosts to a firewall rule that drops all further connections. One of these tools is fail2ban, which can easily be configured to monitor your SSH log file and set your iptables firewall to drop connections from offending hosts. You can even get a nice email message from your fail2ban daemon whenever it bans a host.
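To make the fail2ban idea concrete, here is an added example (not part of the original post, and not fail2ban's own code) that applies the same maxretry/findtime decision to a few constructed auth.log lines: it counts failed-password entries per source address inside a sliding time window and reports which hosts would be banned, together with the kind of iptables DROP rule a ban action would insert. The log lines, host names and addresses are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth.log failure line, e.g.
# "Mar 13 10:15:01 web sshd[2210]: Failed password for root from 198.51.100.7 port 51013 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample log: one host fails 3 times in 5 seconds, another fails
# 3 times but spread over 21 minutes (only 2 fall inside a 10-minute window).
SAMPLE_LOG = """\
Mar 13 10:15:01 web sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51012 ssh2
Mar 13 10:15:03 web sshd[2211]: Failed password for root from 198.51.100.7 port 51013 ssh2
Mar 13 10:15:04 web sshd[2212]: Accepted publickey for deploy from 203.0.113.5 port 40022 ssh2
Mar 13 10:15:06 web sshd[2213]: Failed password for root from 198.51.100.7 port 51014 ssh2
Mar 13 10:20:00 web sshd[2220]: Failed password for gerald from 203.0.113.5 port 40030 ssh2
Mar 13 10:40:00 web sshd[2230]: Failed password for gerald from 203.0.113.5 port 40031 ssh2
Mar 13 10:41:00 web sshd[2231]: Failed password for gerald from 203.0.113.5 port 40032 ssh2
""".splitlines()


def parse_failures(lines, year=2024):
    """Yield (timestamp, ip) for every failed-password line; other lines are ignored.
    Syslog timestamps carry no year, so one is assumed for the example."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip")


def hosts_to_ban(lines, maxretry=3, findtime_s=600):
    """Return {ip: failures} for hosts with >= maxretry failures within findtime_s seconds,
    i.e. the maxretry/findtime rule of a fail2ban sshd jail, evaluated in log order."""
    recent = defaultdict(list)
    banned = {}
    for ts, ip in sorted(parse_failures(lines)):
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime_s] + [ts]
        if len(recent[ip]) >= maxretry and ip not in banned:
            banned[ip] = len(recent[ip])
    return banned


def ban_rule(ip):
    """The iptables rule a ban action would insert for one host (built here, not executed)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


if __name__ == "__main__":
    for ip, n in hosts_to_ban(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures -> {ban_rule(ip)}")
```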

By @Gerald in
Tags: #security, #blog