I maintain an SSH bastion server for all my beloved VPSes. The server I host this blog on only accepts SSH connections from the IP of that bastion, and I keep that bastion hardened. It's a minimal Alpine install with nothing but an SSH server.
So I felt some dismay when I found the server got a score of F on sshaudit.com. I got an F! My bastion failed 2 of 5 host key tests, 4 of 9 key-exchange tests, and 7 of 10 MAC tests.
These are the steps I took. Although I'm on Alpine, I was able to cherry-pick commands from the Debian-focused server hardening guides on sshaudit.com.
TLDR provided below the cut, with a script to do the work for you.