Secure your SSH infrastructure from the very first boot. Rotate keys and never trust a previously unknown machine. Never pass through a key-not-known prompt and do not get used to the identification-changed warning with a remote host.
See maintained post: https://free-pmx.org/insights/ssh-pki/
NOTE No tracking on the site. Full and current reStructuredText version linked from within.