Avoid Brute Force

From Xinux Wiki
Revision as of 13 November 2018, 20:26 by Thomas.will (talk | contribs) (Created page with "=SSH:= *Don't allow root to login *Don't allow ssh passwords (use private key authentication) *Don't listen on every interface Create a network interface fo…")

SSH:

  • Don't allow root to login
  • Don't allow ssh passwords (use private key authentication)
  • Don't listen on every interface

Create a separate network interface for SSH (e.g. eth1), different from the interface you serve requests on (e.g. eth0).

  • Don't use common usernames
  • Use an allow list, and only allow users that require SSH Access
  • If you require internet access, restrict access to a finite set of IPs.
  • If possible, find a way to connect without internet access.
  • Use software like fail2ban to catch brute force attempts
  • Make sure the OS is always up to date, in particular the security and SSH packages
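As an added check that is not part of the wiki page: a POSIX shell audit of an sshd_config against the first items of the list above (root login, password authentication, listening on every interface, allow list). The two configs are constructed samples, and first_value/audit_sshd are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample: the weak settings the checklist warns about.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
#ListenAddress 0.0.0.0
'
# Constructed sample: the same host hardened per the checklist.
HARDENED_CONFIG='Port 22
ListenAddress 10.0.1.5
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy ops
'

# first_value CONFIG KEY: first uncommented value of KEY. sshd uses the first
# value it finds for each keyword, so a later line cannot override an earlier one.
# Keywords are case-insensitive; the optional "Key=value" form is not handled here.
first_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }'
}

# audit_sshd CONFIG: print one line per checklist violation; exit status = number found.
audit_sshd() {
    cfg=$1; n=0
    # Fallbacks are OpenSSH's documented defaults when the keyword is absent.
    root=$(first_value "$cfg" PermitRootLogin);      root=${root:-prohibit-password}
    pw=$(first_value "$cfg" PasswordAuthentication); pw=${pw:-yes}
    listen=$(first_value "$cfg" ListenAddress)
    allow=$(first_value "$cfg" AllowUsers)
    case "$root" in no) ;; *) echo "PermitRootLogin is '$root': set it to no"; n=$((n+1)) ;; esac
    case "$pw" in no) ;; *) echo "PasswordAuthentication is '$pw': set it to no, use keys"; n=$((n+1)) ;; esac
    case "$listen" in ''|0.0.0.0*|'::'*|'[::]'*)
        echo "ListenAddress '${listen:-unset}' binds every interface: bind the management interface only"
        n=$((n+1)) ;;
    esac
    [ -n "$allow" ] || { echo "AllowUsers is unset: list only the accounts that need SSH"; n=$((n+1)); }
    return $n
}

audit_sshd "$WEAK_CONFIG" || echo "$? issue(s) found in WEAK_CONFIG"
audit_sshd "$HARDENED_CONFIG" && echo "HARDENED_CONFIG passes"
```

Run it against the live file with `audit_sshd "$(cat /etc/ssh/sshd_config)"`; a non-zero exit status makes it usable as a gate in a configuration check.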

Application:

  • Make sure your application is always up to date, in particular security packages
  • Lock down your application's 'admin' pages. Much of the advice above applies to the admin area of your application too.
  • Password-protect your admin area
  • Lock down file permissions. 'Upload folders' are notorious for being entry points for all sorts of nasty stuff.
  • Consider putting your application behind a private network, and only exposing your front-end load balancer and a jumpbox (this is a typical setup in AWS using VPCs)