Configuring and securing sshd

From Linuxintro

Revision as of 19:42, 17 October 2008

All following configuration takes place in /etc/ssh/sshd_config. Be sure to look for existing statements, since in most cases chances are that the configuration option already exists in your default sshd_config.

Disable Root Login

You might want to disable root login with:

PermitRootLogin no

But in some settings you still need direct root login without sudo for some purpose (often for remote scripting). In these situations, permitting root login only for public key authentication might be a solution:

PermitRootLogin without-password

Disable X11Forwarding

If you do not want to use X11 forwarding, you should disable it altogether by setting

X11Forwarding no

While X11 forwarding is not a real danger to the server itself, it can cause users to unwillingly reveal private data, because a remote client can snoop on the local X server, e.g. capturing passwords as they are typed.

Putting sshd on a non-standard port

This is security by obscurity only and is of little value if someone uses a port scanner to check whether an ssh daemon is running on a non-standard port. Still, it can be useful if you need to access your server from somewhere where outgoing TCP port 22 is blocked. Just extend your sshd_config:

Port port
ListenAddress 0.0.0.0:port

Note: If you still want the default of 22, you must specify it explicitly now, since you have a differing port already configured.
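The introduction warns you to look for existing statements before adding your own: sshd uses the first occurrence of each keyword and ignores later ones, so a hardening line appended below an existing setting has no effect. The following script is an added example, not part of the original article; it reports the value sshd will actually use for the options covered above, using a constructed sample sshd_config rather than a real system file.

```shell
# Added example, not from the original article. sshd applies the FIRST occurrence
# of a keyword and ignores later ones, so appending "PermitRootLogin no" below an
# existing "PermitRootLogin yes" changes nothing. Report the value sshd will use.

# effective_value FILE KEYWORD: first value set for KEYWORD (keywords are
# case-insensitive), or "default" if unset before the first Match block.
effective_value() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }                      # skip blanks and comments
        tolower($1) == "match"      { exit }                      # global section ends here
        tolower($1) == tolower(key) { print $2; found = 1; exit } # first occurrence wins
        END { if (!found) print "default" }
    ' "$1"
}

# audit_sshd_config FILE: one line per check; returns 0 only if all checks pass.
audit_sshd_config() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    case "$root" in
        no|without-password|prohibit-password) echo "OK   PermitRootLogin $root" ;;
        default) echo "WARN PermitRootLogin unset (default depends on OpenSSH version; set it explicitly)"; rc=1 ;;
        *)       echo "FAIL PermitRootLogin $root (root may log in with a password)"; rc=1 ;;
    esac
    x11=$(effective_value "$1" X11Forwarding)
    case "$x11" in
        no|default) echo "OK   X11Forwarding $x11" ;;
        *)          echo "FAIL X11Forwarding $x11 (enabled)"; rc=1 ;;
    esac
    return $rc
}

# write_sample FILE: constructed sshd_config where hardening lines were appended
# below the distribution defaults instead of replacing them.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
Port 22
PermitRootLogin yes
x11forwarding yes
# appended later; sshd ignores both because the keywords already appear above
PermitRootLogin no
X11Forwarding no
EOF
}

SAMPLE=$(mktemp)
write_sample "$SAMPLE"
audit_sshd_config "$SAMPLE" || echo "Fix: change the existing statements instead of appending new ones"
rm -f "$SAMPLE"
```

Run it against /etc/ssh/sshd_config instead of the sample to see which of your own hardening lines are actually in effect.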

Changing the MOTD (Message Of The Day)

To change the MOTD, edit /etc/motd and /etc/issue. In theory, issue is printed before the login and the MOTD after a successful login, but most modern systems follow this only loosely.