If you are going to open your ssh server to the world, I would recommend running it on a non-standard port (I have mine running on an unassigned port, according to this list, and I haven't had a single attempted entry). You could follow Ramurd's advice if you insist on running it on the standard port 22, but it is easier to run on a non-standard port in my opinion (otherwise you would have to forward two ports to your computer, and though a good iptables firewall would reject any malicious attempts on your ssh server, you are still opening up your computer to increased attacks, regardless of whether or not they are successful). Then set up your router to forward connections from that port to your computer. I have my /etc/hosts.deny set to "ALL : ALL" and I just allow my local LAN to access services from my server, but to allow access to sshd from the outside world, regardless of the port you have set in /etc/ssh/sshd_config, the following in /etc/hosts.allow does nicely:
Of course that only applies if you have a similar setup, in which you deny everyone and accept only those on a whitelist.
Definitely change "PermitRootLogin" to "no" in /etc/ssh/sshd_config, and if you have a good iptables firewall setup, be sure to add a rule allowing connections to your non-standard ssh port. I have the following:
Code:
$IPT -A tcp_inbound -p TCP --destination-port # -j ACCEPT
where # is the port number you have assigned to sshd (and $IPT is a variable pointing to /usr/sbin/iptables...).
Perhaps a bit elaborate, but I find this setup allows access from anywhere while still being relatively secure. Perhaps if you run a professional server a non-standard port for ssh is not acceptable, but for home use this prevents 99% (or more) of the attacks on your server.
If you're paranoid you can also explicitly disable passworded logins and force the use of authorized keys. If you're really paranoid you can set up a more complex iptables firewall that blocks anyone who makes three unsuccessful ssh login attempts (or something similar).
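As an added example (not from the post above or its author), here is a small POSIX sh script that checks an sshd_config for the settings the post recommends: a non-standard Port, PermitRootLogin no, and PasswordAuthentication no (key-only logins), while making sure PubkeyAuthentication was not switched off. The function names sshd_get, sshd_audit and write_sample are my own; the sample configs it writes are constructed for the demo. It mimics sshd's rule that the first occurrence of a keyword wins and that the global section ends at the first Match block, and it only handles the "keyword value" form, not "keyword=value".

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# hardening settings discussed above. Assumes POSIX sh, awk, tr and mktemp.

# sshd_get: print the FIRST value of <keyword> in <config-file>, as sshd does.
# Comments and blank lines are skipped, keywords are case-insensitive, and
# the scan stops at the first "Match" line (end of the global section).
sshd_get() {  # usage: sshd_get <config-file> <keyword> [default-if-absent]
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ { next }                 # comment line
        /^[[:space:]]*$/ { next }                 # blank line
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# sshd_audit: one line per check; returns 0 only if every check passed.
sshd_audit() {  # usage: sshd_audit <config-file>
    cfg=$1; rc=0
    port=$(sshd_get "$cfg" Port 22)
    root=$(sshd_get "$cfg" PermitRootLogin unset | tr 'A-Z' 'a-z')
    pass=$(sshd_get "$cfg" PasswordAuthentication unset | tr 'A-Z' 'a-z')
    pub=$(sshd_get "$cfg" PubkeyAuthentication unset | tr 'A-Z' 'a-z')

    if [ "$port" = 22 ]; then
        echo "WARN Port: sshd is on the standard port 22"; rc=1
    else
        echo "ok   Port: $port"
    fi
    if [ "$root" = no ]; then
        echo "ok   PermitRootLogin: no"
    else
        echo "WARN PermitRootLogin: $root (should be 'no')"; rc=1
    fi
    if [ "$pass" = no ]; then
        echo "ok   PasswordAuthentication: no (key-only logins)"
    else
        echo "WARN PasswordAuthentication: $pass (sshd defaults to yes when unset)"; rc=1
    fi
    # Pubkey auth is on by default; only flag it if someone turned it off.
    if [ "$pub" = no ]; then
        echo "WARN PubkeyAuthentication: no (key logins would be refused)"; rc=1
    else
        echo "ok   PubkeyAuthentication: $pub"
    fi
    return $rc
}

# write_sample: write a CONSTRUCTED sshd_config (weak or hardened) to <file>
# so the audit can be exercised offline.
write_sample() {  # usage: write_sample <file> weak|hardened
    if [ "$2" = hardened ]; then
        cat > "$1" <<'EOF'
# constructed sample, hardened as the post recommends (port is made up)
Port 54321
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample: stock-looking config; the second PermitRootLogin is ignored
#Port 22
PermitRootLogin yes
PermitRootLogin no
EOF
    fi
}

# Stand-alone demo: audit both constructed samples.
tmp=$(mktemp)
write_sample "$tmp" weak
if sshd_audit "$tmp"; then echo "weak sample: passed"; else echo "weak sample: FAILED audit"; fi
write_sample "$tmp" hardened
if sshd_audit "$tmp"; then echo "hardened sample: passed"; else echo "hardened sample: FAILED audit"; fi
rm -f "$tmp"
```

Run it as `sh audit.sh` to see both samples, or source it and call `sshd_audit /etc/ssh/sshd_config` on a real host. Note that the weak sample deliberately lists PermitRootLogin twice: sshd keeps the first value (yes), so a "fix" appended at the bottom of the file does nothing, which is a common mistake this check catches.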