* Security
** Switch APT to HTTPS
~sudo sed -i 's/http:/https:/' /etc/apt/sources.list~

Granted, the repository signature provides enough protection; still,
no sense in wasting bandwidth and CPU if someone is meddling.
** Tweak root access
On OVH's Debian image:
- The =root= account has no password.
- =PermitRootLogin= defaults to =prohibit-password=: set it to =no=.
** Enable fail2ban
~lastb~ says there's about 4000 login attempts per day; that makes
=/var/log/btmp= much bigger than it needs to be.

Debian's fail2ban comes with a jail for ~sshd~, so it's just a matter
of ~apt install fail2ban~.
** Tweak user accounts
=debian= seems mildly popular among bots looking for valid usernames.

Ideally I'd just rename the =debian= account, but renaming does not
seem to be a very well-defined operation.  ~usermod --login $name
--move-home --home /home/$name debian~ gets partway there, but leaves
a bunch of miscellany to take care of (e.g. sudoers).

So instead, I'll
- create my own user account: ~sudo adduser $name~
- add it to all groups =debian= belongs to:
  #+begin_src sh
  groups=$(groups | sed -e 's/ *debian *//' -e 's/ /,/g')
  sudo usermod --append --groups ${groups} $name
  #+end_src
- only allow password authentication over SSH for this new user
  account:
  #+begin_src conf
  PasswordAuthentication no
  Match User …
  	PasswordAuthentication yes
  #+end_src