1. changing from standard port to a non-standard port
  2. disable root access to ssh
  3. disable password and switch to pub/private keys
  4. add a passphrase to the key pair
  5. firewall rule specifying allowed IP addresses