A vulnerability scan finds that an administrative SSH service on a Linux server is listening on 0.0.0.0 and is reachable from the internet. The server is meant to be managed only from the internal admin subnet. What is the best remediation?

Patch the SSH client on administrator laptops so the server cannot be reached externally.

The issue is server exposure, not the administrator laptops' SSH client software.

Enable a captive portal on the public interface so only authenticated users see the service.

A captive portal is not an appropriate control for SSH administration traffic and does not adequately protect a management service.

Replace SSH with FTP because FTP can be configured to allow administrative access more easily.

FTP is less secure than SSH and would make the exposure problem worse, not better.

What does this SY0-701 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Restrict SSH to the management network and block public access with firewall or host-based rules. — The best remediation is to restrict SSH to the management network and block public access with firewall or host-based rules. The server should not expose administrative services to the internet when management is only required from an internal subnet. This reduces attack surface immediately and prevents brute force, exploitation attempts, and accidental exposure while preserving legitimate admin access. Why others are wrong: Patching administrator laptops does not address the exposed server service. A captive portal is not a valid control for secure SSH management. Replacing SSH with FTP would weaken security because FTP lacks SSH's encrypted, authenticated management protections and still would not solve the public exposure issue.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.