move note

md/debian_server_setup.md

@@ -58,8 +58,6 @@ chown -R ${MYUSER}:users /home/${MYUSER}/.ssh
 
 > **Note** modern Debian SSH sets root login to SSH key only, this section may not be necessary
 
-> **OVH** their cloud-init opens up password SSH and allows the user to sudo without password, see `/etc/ssh/sshd_config.d/50-cloud-init.conf` and `/etc/sudoers.d/90-cloud-init-users`
-
 **If the above is successful** and you are capable of gaining full root privileges via the non-root SSH session using sudo, now disable root logins in SSH from the outside world for an additional security layer. The `root` account still remains usable, just not via _direct_ SSH access.
 
 The task is to set `PermitRootLogin no` - the setting varies from one provider to another, sometimes it's already set (either yes or no), sometimes it's commented out. This small scriptlet should handle these 2 most common cases, **be careful** and investigate for yourself:
@@ -81,6 +79,8 @@ systemctl restart sshd
 
 **Test logging in again** to ensure the changes are as expected. Do not log out of the active, working SSH session as root until you've confirmed in _another_ session you can log in as your non-root user and still gain `sudo` to root.
 
+> **OVH** their cloud-init opens up password SSH and allows the user to sudo without password, see `/etc/ssh/sshd_config.d/50-cloud-init.conf` and `/etc/sudoers.d/90-cloud-init-users`
+
 
 ## Server Hardening