Change /etc/ssh/sshd_config.  The AllowUsers and Match Address changes made in this example may need adjusting for local requirements:

root@localhost:/etc/ssh# diff sshd_config{.org,}
< PermitRootLogin yes
> PermitRootLogin no
> PasswordAuthentication no
< UsePAM yes
> UsePAM no
> # Blue Light changes to improve performance
> UseDNS no
> GSSAPIAuthentication no
> Compression yes
> # Blue Light extras
> AllowUsers root
> Match Address
>       PermitRootLogin without-password
> Match Address
>       PermitRootLogin without-password

Explanation of some of the above recommended changes

"PasswordAuthentication no" disables login via password, many sites recommend to then also set UsePAM to no. There was no clear enough reason worth mentioning here.

"UseDNS no" disables reverse DNS lookups to see if your hostname matches the IP-address you are connecting from. Does not make sense with dynamic IPs

"GSSAPIAuthentication no" not needed as we will be using private/public keys or passwords, not RADIUS, Kerberos, or any other

"Compression yes" On fast machines this will enhance throughput

Change /etc/default/ssh

root@localhost:/etc/default# diff ssh{.org,}

Warning: if doing this remotely, keep the existing ssh session open and test by starting a new one.

Enable the new configuration by service ssh restart