If I'm running an SSH service which is visible to the Internet (or even a large intranet), I tend to disable PermitRootLogin (
PermitRootLogin no), because the script kiddies can be reasonably sure that an SSH service will have a user called root, and if they try hard enough, they might get lucky with the password.
(I'm also a big fan of the
AllowUsersoption, which allows you to provide a list of users allowed to log in via ssh. If a valid user not on that list tries to log on, ssh acts as though the user has provided the wrong password.)
The new (new to me, anyway) trick in this tutorial is setting
PermitRootLogin without-password. This allows root to log in with a key, but not with a password. This is a really good compromise if you have a server where you need root to be able to log in over ssh. Backups over rsync are a good example of this: to preserve file ownership and permissions, it's sometimes necessary to have rsync run as root.