SSH provides encrypted remote access, file transfer (SFTP/SCP), and tunneling. Replaces insecure Telnet. Key-based authentication is more secure than passwords.
Disable SSH password authentication (key-based only). Restrict SSH to jump/bastion hosts — no direct SSH to production. Rate limit and monitor SSH logins. Fail2ban blocks brute-force SSH attempts automatically. Change default port reduces automated attacks.