Change /etc/ssh/sshd_config. The AllowUsers and Match Address changes made in this example may need adjusting for local requirements:
root@localhost:/etc/ssh# diff sshd_config{.org,}
27c27
< PermitRootLogin yes
---
> PermitRootLogin no
51a52
> PasswordAuthentication no
87c88,100
< UsePAM yes
---
> UsePAM no
>
> # Blue Light changes to improve performance
> UseDNS no
> GSSAPIAuthentication no
> Compression yes
>
> # Blue Light extras
> AllowUsers root
> Match Address 192.168.10.0/24
> PermitRootLogin without-password
> Match Address 10.42.0.1
> PermitRootLogin without-password
Explanation of some of the above recommended changes
"PasswordAuthentication no" disables login via password, many sites recommend to then also set UsePAM to no. There was no clear enough reason worth mentioning here.
"UseDNS no" disables reverse DNS lookups to see if your hostname matches the IP-address you are connecting from. Does not make sense with dynamic IPs
"GSSAPIAuthentication no" not needed as we will be using private/public keys or passwords, not RADIUS, Kerberos, or any other http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface
"Compression yes" On fast machines this will enhance throughput
Change /etc/default/ssh
root@localhost:/etc/default# diff ssh{.org,}5c5< SSHD_OPTS=---> SSHD_OPTS=-u0
Warning: if doing this remotely, keep the existing ssh session open and test by starting a new one.
Enable the new configuration by service ssh restart