<= edit to the answer. -Changing service listening ports does not add security, it adds obscurity. Different EDIT: Isn't 'Security by Obscurity' still security? --- Edit: "Disable login passwords for remote users" is accepted answer, that means remote users can log in with no password... It's not secure. Edit: PasswordAuthentication=no does NOT mean users are allowed to login without password -- It means users are not able to login using ANY password, but may login using PubkeyAuthentication. 10/27/17 I agree that "Disable login passwords for remote users" should be a correct answer -- disabling password-based login in favor of PKI certificate-based login is a common hardening technique for Linux systems. For example, NIS 800-53 control IA-5 discusses this in-depth EDIT: You all are thinking hypothetical; the question clearly states that you are disabling login passwords thus allowing them to login with just a username. Another edit: As the question is asked, public keys are not understood to be part of it because the remote usage method is not specified, whether it be Telnet SSH or FTP. But I wholeheartedly have to disagree with the absence of "disable root user login" since that has been a common system hardening step taken since and before Ubuntu 5.04. EDIT: Why wouldn't you run as many vulnerability scans as possible as well. Corporate enterprises run vulnerability scans weekly if not daily to identify threats and misconfigurations. Sure, the arguement could be made for maybe false positives or network being traffic being high... but that all comes down to policy such as scanning at night for example and not when operational tempo is high, and to counter false positives turning tools and systems.