The most important things to remember are:
- Keep your sshd ("ssh daemon") program scrupulously up-to-date, along with all of the libraries (crypto and so-forth) that it uses.
- Understand the SSH configuration (see: man sshd_config).
SSH has the very annoying characteristic that it will start by offering the toughest challenge, but it will then offer (and accept) successively weaker alternatives! You need to configure your system to accept only "digital certificates," and to refuse simpler alternatives like passwords. You should accept only "protocol #2."
A digital certificate is like a non-forgeable (and, individually revocable...) identification badge. The badge can be password-protected to prevent it from being presented by the wrong person, but the bottom line is that in order to connect to your system a valid badge must be presented. (You can issue and revoke the badges without costing any money.) A hacker can knock at your door until he's blue in the face, but he'll never get inside.
Put as many obstacles in the way as you can. For example, close all the inbound pathways except a VPN portal maintained by your hardware router... once again, secured using digital certificates (not "pre-shared keys"). It's better to keep the hackers outside of the chain-link fence topped with concertina wire, rather than to let them be milling about in the front lobby.
Having set up this system, now actively maintain it. Issue certificates (of the various types) with a drop-dead date and change them periodically. Issue individual certificates, so that each one can be individually revoked.
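
One way to check that a server really refuses the weaker alternatives described above is to audit its sshd_config. The following is an added example, not part of the original post: the two sample configurations and their file paths are constructed, and it assumes OpenSSH keyword names and defaults, audits only the global section (no Match blocks or Include files), and treats "digital certificates" as OpenSSH user certificates.

```python
# Added example (not from the original post); sample configs are constructed.
# Values used when a keyword is absent (OpenSSH documented defaults).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "permitemptypasswords": "no",
            "trustedusercakeys": "none", "revokedkeys": "none", "protocol": "2"}
# Older spelling of the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(text):
    """Global settings only; sshd keeps the FIRST value it reads per keyword."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # simplification: '#' starts a comment
        if not parts:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # assumption: Match blocks are not audited
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return {**DEFAULTS, **seen}

def findings(text):
    """Return a list of reasons this config still allows a weaker login path."""
    s = {k: v.lower() for k, v in effective_settings(text).items()}
    checks = [
        (s["passwordauthentication"] != "no", "passwords are accepted"),
        (s["kbdinteractiveauthentication"] != "no", "keyboard-interactive fallback is accepted"),
        (s["pubkeyauthentication"] != "yes", "key/certificate login is disabled"),
        (s["permitemptypasswords"] != "no", "empty passwords are permitted"),
        (s["trustedusercakeys"] == "none", "no CA trusted for user certificates"),
        (s["revokedkeys"] == "none", "no revocation list configured"),
        (s["protocol"] != "2", "legacy protocol 1 is allowed"),  # legacy builds only
    ]
    return [msg for bad, msg in checks if bad]

# Constructed sample: the later "no" is ignored because the first value wins.
WEAK = "Protocol 2,1\nPasswordAuthentication yes\nPasswordAuthentication no\n"
# Constructed sample with placeholder paths.
HARDENED = """PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/user_ca.pub   # placeholder path
RevokedKeys /etc/ssh/revoked_keys        # placeholder path
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, findings(cfg) or "no password fallback found")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source for the same check.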