SSH

Generate server keys
Modify file  and make sure that the only lines to contains HostKey are:

Restart
Restarting the SSH server while connected through SSH is usually safe. However, you need to take some precautions to avoid being locked out of your server. Make sue you do that from a stable internet connection: in case your SSH server doesn't restart correctly, you don't want your active SSH connection to drop while you fix the issue. If you are connected through SSH, test that your server restarting correctly by opening a second connection The  option prevents the SSH client from reusing your active connection in case you have multiplexing enabled.

Fail2ban
Fail2ban configuration for ssh is active by default in Debian. However, if you changed the listening port of your server, you must reflect that in fail2ban. To do so, create file  with the following content

Configure
For more information check secure secure shell from strikiba.

Generate user keys
This needs to be run by all users. It is strongly recommended to set a password to your keys. A passwordless keyfile is as secure as a post-it on the wall with your password. If a script need unattended access to another machine, create dedicated accounts and key for that usage.