```
sudo apt-get update
sudo apt-get install openssh-server
sudo ufw allow 22
```
That’s the very minimum. It allows unlimited failed password attempts on a known port. Direct root-login is disabled (you can still su and sudo once logged in). If your username and password are guessable and the Internet can see the server, somebody will eventually break in.
You need to harden it from the standard setup. I’ve gone through several suggestions on my blog but at the very least, I’d suggest:
- Key-based logins. Disable password logins.
- Move it off port 22. Use something crazy-high, in the 20000-60000 range.
- `fail2ban` to ban people who do find it and try to brute it.
They take about 10 minutes in total and you go from a 1/10000 chance of being broken in to a probability so small, there isn’t enough paper in the world to write its fraction… Assuming you’re careful with your key, it has a password of its own and you don’t trumpet your credentials all over the net.
If the computer is behind a router, you’ll also want to do some port forwarding. This is router-specific so I’ll just direct you to http://portforward.com
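A quick way to confirm that the first two items on the list above took effect, as an added example that is not part of the original answer: a shell function that reads sshd_config-style text and flags password logins and port 22. The function name `audit_sshd` and both sample configs are constructed for illustration, and it assumes no `Include` files or `Match` blocks.

```shell
#!/bin/sh
# Added example: checks sshd settings against the hardening list above.
# Input: sshd_config-style text on stdin. Assumption: no Include files or
# Match blocks (those need the effective config, e.g. from `sshd -T`).

audit_sshd() {
  awk '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    {
      sub(/[ \t]*=[ \t]*/, " ")                 # "Keyword=value" form is allowed
      key = tolower($1); val = tolower($2)      # keywords are case-insensitive
      if (key == "port") ports[val] = 1         # Port may repeat; every one is opened
      else if (!(key in seen)) seen[key] = val  # otherwise the first value wins
    }
    END {
      # OpenSSH built-in defaults when a keyword is absent
      if (!("passwordauthentication" in seen)) seen["passwordauthentication"] = "yes"
      if (!("pubkeyauthentication" in seen)) seen["pubkeyauthentication"] = "yes"
      n = 0; for (p in ports) n++
      if (n == 0) ports["22"] = 1
      bad = 0
      if (seen["passwordauthentication"] == "no") print "OK   password logins disabled"
      else { print "FAIL password logins enabled"; bad++ }
      if (seen["pubkeyauthentication"] == "yes") print "OK   key-based logins enabled"
      else { print "FAIL key-based logins disabled"; bad++ }
      if ("22" in ports) { print "FAIL listening on default port 22"; bad++ }
      else print "OK   not listening on port 22"
      exit (bad > 0)                            # non-zero status if anything failed
    }'
}

# Constructed sample: nothing changed after the minimal install
DEFAULT_CFG='# stock settings
PermitRootLogin prohibit-password
UsePAM yes'

# Constructed sample: after applying the list (port picked from 20000-60000)
HARDENED_CFG='Port 22022
PasswordAuthentication no
PubkeyAuthentication yes'

for cfg in "$DEFAULT_CFG" "$HARDENED_CFG"; do
  printf '%s\n' "$cfg" | audit_sshd || true
  echo "--"
done
```

On a live server, `sudo sshd -T | audit_sshd` checks the effective settings instead of a single file. It cannot tell whether `fail2ban` is running; that needs a separate check.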