By default, ssh listens for incoming connections on port 22. So if a hacker wants to attack your machine he will most likely scan port 22 first. Just to make an idea how important is this (from my point of view of course), before changing the default ssh port for my server I got every day 1000+ login tries for my root user. An effective (but minimal) method to protect your machine is to run ssh on non-standard port. Any unused port will work but one above 1024 is preferable.
Step1 - edit ssh config
Open ssh config file:
$ vi /etc/ssh/sshd_config
or you can use any editor you want.
Step2 - change the port
Add the custom port by adding the port you want to use, e.g. 2987:
Save and exit the file.
Note: make sure you note the port somewhere, just in case you forgot it :-)
Step3 - restart the service
Restart the ssh service:
$ systemctl restart sshd.service
Step4 - change the firewall rule
Don't forget to change the firewall rules:
$ firewall-cmd --add-port 2987/tcp --permanent success $ firewall-cmd --reload success
..and we are done. Other security change you can do is to change SSH to use Protocol 2.