SSH's default settings are normally geared toward use on a local area network, so many of them are not ready for Internet communications. One should therefore harden the SSH server before exposing it to the Internet.
These are the identified threats related to Debian software.
By default, SSH port 22 is hard-coded and well known externally. Hence, it is easy for an attacker to identify the port and attack it.
By default, SSH listens on all network interfaces.
By default, SSH permits root login.
By default, SSH permits empty password authentication.
By default, SSH uses Protocol 1 for backward compatibility.
By default, SSH enables a list of its supported services.
By default, SSH allows authentication via the user's password.
By default, SSH may not use PAM to manage user authentication.
By default, SSH does not have a list of users and user groups for authentications.
By default, all SSH users can modify the root system.
Here is the list of actions to counter the issues.
Given all the threats listed above, one should harden the SSH server after installing it on Debian.
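As an added example (not code from the original page or from the OpenSSH project), the following Python script audits the text of an sshd_config file against the defaults listed above and reports which ones are still in effect. The function names and the SAMPLE input are constructed for illustration, and an unset keyword is assumed to mean the default this page describes. The "supported services" and "modify the root system" items are not checked because the page names no specific setting for them.

```python
# Constructed sample input for illustration; not taken from a real host.
SAMPLE = """\
Port 22
PermitRootLogin yes
permitemptypasswords no
PermitEmptyPasswords yes
Protocol 2,1
UsePAM no
Match User backup
    PasswordAuthentication no
"""

def parse_global(text):
    """Map lowercased keyword -> list of values from the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # what follows is conditional, not global
            break
        settings.setdefault(key, []).append(parts[1] if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return one finding per listed default that is still in effect."""
    s, out = parse_global(text), []
    # sshd keeps the first value it reads for a keyword; None means unset.
    def first(key): return s.get(key, [None])[0]
    # Assumption: an unset keyword means the default described in the list.
    if "22" in s.get("port", ["22"]):
        out.append("Port: well-known port 22 in use")
    if "listenaddress" not in s:
        out.append("ListenAddress: unset, listening on all interfaces")
    if first("permitrootlogin") != "no":
        out.append("PermitRootLogin: root login not disabled")
    if first("permitemptypasswords") != "no":
        out.append("PermitEmptyPasswords: empty passwords not disabled")
    if "1" in (first("protocol") or "").split(","):
        out.append("Protocol: protocol 1 enabled")
    if first("passwordauthentication") != "no":
        out.append("PasswordAuthentication: password logins not disabled")
    if first("usepam") != "yes":
        out.append("UsePAM: PAM not enabled")
    if "allowusers" not in s and "allowgroups" not in s:
        out.append("AllowUsers/AllowGroups: no user or group allow-list")
    return out
```

Calling audit(SAMPLE) shows two easy mistakes: a setting placed only inside a Match block does not change the global behaviour, and a repeated keyword is decided by its first occurrence.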
That's all for hardening Debian by hardening SSH server.