Protecting SSH communications for your organization is fairly straightforward if you do some work. You need to use multiple layers. Here is our guide to protecting SSH: https://it.wiki.usu.edu/ssh_description
We try to use multiple overlapping security layers to protect SSH:
* If possible, use firewalls to limit the vulnerable scope of SSH to a few trusted hosts.
* Configure firewalls to limit credential guessing by rate-limiting connections to the SSH port.
* If possible, treat the SSH Port as a shared secret. Then, only interesting, targeted attacks find the SSH server. In many situations, this gives you very real protection. This protection is based on the very real increase in cost for an attack to find and attack an SSH server on an alternate, properly obscured port.
* The SSH server should not allow known usernames including root. The attacker must find a username.
* Motivated admins should use 2-factor authentication to access their critical SSH servers.
* Admins are trained to create good passwords for their usernames.
* SSH users should verify the identity of their systems when they first connect.
* System admins must regularly review the activity of their SSH servers.
* Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.
* We have SSH Honeypots that help us track, understand and respond to SSH attacks. These Honeypots allow us to track which credentials are being attacked. They give us advance warning when an institutional credential is attacked. And, analyzing the use of unique credential lists gives us insight into our attackers.
Much of this work can be automated. The rest is excellent training material for new security recruits and interns.
Looking back, the main change I should have made to improve our SSH protections would be to default block incoming TCP/22 at the border years ago. Then, only allow it for groups that can show they use it to provide services to a large community. Anybody using SSH for administration can change the SSH port.
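The review and monitoring items in the list above (regular review of SSH server activity, tracking which credentials are being attacked, confirming that root and other well-known usernames are not accepted) can be partly automated from sshd auth logs. The following is an added example, not code from the comment's author or from the linked USU guide; the log lines, addresses and usernames in it are constructed, and the failure threshold is an assumed value.

```python
"""Review OpenSSH auth log lines for the signals the guidance above calls for:
credential guessing per source, which usernames are being attacked (root and
other well-known names in particular), and successful password logins worth a
second look. Added example; the log lines below are constructed, not real."""
import re
from collections import Counter, defaultdict

# Constructed sample of sshd auth log lines (not captured traffic).
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:04 host sshd[1201]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar  3 10:01:07 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar  3 10:01:09 host sshd[1203]: Failed password for invalid user oracle from 198.51.100.9 port 40001 ssh2
Mar  3 10:02:15 host sshd[1204]: Accepted publickey for alice from 192.0.2.20 port 58000 ssh2
Mar  3 10:02:40 host sshd[1205]: Accepted password for bob from 192.0.2.21 port 58001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# Usernames a hardened server should never accept (root plus common guesses).
WELL_KNOWN_USERS = {"root", "admin", "administrator", "oracle", "test", "guest"}

def parse(log_text):
    """Return a dict per recognised auth line; unrecognised lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]

def review(log_text, fail_threshold=3):
    """Summarise guessing activity and flag items an admin should follow up."""
    events = parse(log_text)
    failed = [e for e in events if e["result"] == "Failed"]
    fails_by_src = Counter(e["src"] for e in failed)
    users_by_src = defaultdict(set)
    for e in failed:
        users_by_src[e["src"]].add(e["user"])
    return {
        # Sources at or above the threshold are candidates for firewall rate limits.
        "guessers": {s for s, n in fails_by_src.items() if n >= fail_threshold},
        # Which credentials are under attack, per source (what the honeypots track).
        "targeted_users": {s: sorted(u) for s, u in users_by_src.items()},
        # Attempts against root/well-known names confirm those logins must stay disabled.
        "well_known_attempts": sorted({e["user"] for e in failed if e["user"] in WELL_KNOWN_USERS}),
        # Password (not key/2FA) logins that succeeded deserve a second look.
        "password_logins": sorted(e["user"] for e in events
                                  if e["result"] == "Accepted" and e["method"] == "password"),
    }

if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the real auth log (for example `journalctl -u ssh` output or `/var/log/auth.log`) in place of `SAMPLE_LOG`; the port number in these lines is the client's source port, so a server running on a non-standard port is identified by which sshd instance wrote the log, not by this field.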