SSH is the front door to your VPS. Beyond using keys, a few extra settings in /etc/ssh/sshd_config tighten it further.
The essentials
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
Limit who can log in
AllowUsers deploy admin
Only listed users can connect — a simple, powerful restriction.
Consider a non-default port
Moving SSH off port 22 (e.g. to 2222) won't stop a determined attacker but dramatically cuts automated scan noise in your logs. Remember to open the new port in your firewall first.
Modern ciphers
Prefer strong key exchange and ciphers, and disable weak legacy algorithms. Use Ed25519 keys, which are modern and fast.
Apply changes safely
sudo sshd -t # test config
sudo systemctl reload ssh
Keep an existing session open while you test, so a mistake never locks you out. Layered with fail2ban and a firewall, your SSH is now very hard to attack.