Securing an ssh server with fail2ban
There are all kinds of ways to secure an ssh server, with varying degrees of increasing security and decreasing flexibility. For example, by limiting your server to only accept connections from certain known IPs, you are secure from random hackers on the internet, but you lose the ability to connect to your machine from anywhere you want to, such as while travelling.
Port knocking and listening on a high-numbered non-standard port make it harder for an attacker to even start trying to hack your connection. But this also requires you to connect from a machine that has the knock program installed. Again, less convenient, more secure.
However, once an attacker does find your port, there's nothing to stop brute-force password guessing. If you look in your log file, you should see people connecting to your ssh port quite frequently and trying password attacks.
cat /var/log/auth.log
If you have a secure password then it would require days of brute force hacking to gain access to your ssh account, but even so, if you don't watch your logs then it's perfectly possible somebody will gain access eventually.
Brute force attacks can be limited using fail2ban. There's a great article on setting it up here. This program will scan your auth.log for you, using a regular expression to find failed password attempts. After a specified number of failures from a given IP, it will then modify the iptables rules on your machine (the firewall) to lock that IP out for a specified time.
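The scan-count-ban logic described above, as an added sketch that is not part of the original post and is not fail2ban's own code. The regular expression, the thresholds, the log lines and the year (syslog timestamps carry none) are all constructed for illustration, and the function only reports when a ban would start and end instead of touching iptables.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored pattern for OpenSSH "Failed password" lines in auth.log (assumed format).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
MAX_RETRY = 3                      # failures tolerated inside the window
FIND_TIME = timedelta(minutes=10)  # sliding window for counting failures
BAN_TIME = timedelta(minutes=10)   # how long the address stays locked out

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:00:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 10:00:09 host sshd[1207]: Accepted password for alice from 198.51.100.23 port 51514 ssh2
Mar  3 10:00:12 host sshd[1209]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  3 10:02:30 host sshd[1300]: Failed password for alice from 198.51.100.23 port 51600 ssh2
Mar  3 10:30:00 host sshd[1400]: Failed password for alice from 198.51.100.23 port 51700 ssh2
Mar  3 10:45:00 host sshd[1500]: Failed password for alice from 198.51.100.23 port 51800 ssh2
""".splitlines()

def find_bans(lines, year=2024):
    """Return [(ip, ban_start, ban_end)] for addresses that hit MAX_RETRY."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    banned_until = {}
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue               # successful logins and other noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ts < banned_until.get(ip, ts):
            continue               # still banned: the firewall drops this address
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:
            window.popleft()       # forget failures older than the window
        if len(window) >= MAX_RETRY:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, ts + BAN_TIME))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

The second address fails three times as well, but its failures are spread over more than ten minutes, so the sliding window never fills and a legitimate user with an occasional typo is not locked out.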
Now instead of watching your auth.log fill up with reams of failed passwords, you'll see a greatly reduced number of brute force attacks, and you can watch your fail2ban log file fill up with the IP addresses of hackers.