1. Connect as root

# may prompt you for a provided password if not already configured with ssh key
ssh root@[ip]

2. Upgrade packages

apt update
apt upgrade
# restart if there's a kernel upgrade
reboot

3. Set root password

passwd

4. Create non-root user

# if user doesn't exist
adduser [username]
# if user already exists, but password needs to be set
su - [username]
usermod -aG sudo [username]

5. Add ssh key for non-root user (if not already configured)

mkdir ~/.ssh
vim ~/.ssh/authorized_keys
# add your public key to the file

6. Disable password and root login

sudo vim /etc/ssh/sshd_config
# set/add PasswordAuthentication no
# set/add PermitRooLogin no
# may also need to check in /etc/ssh/sshd_config.d
sudo service ssh restart

7. enable automatic upgrades

sudo dpkg-reconfigure unattended-upgrades