Why would you leave PermitRootLogin to yes? Doesn’t really matter, if root ca nit login anyways?!

Just like you don’t really need UFW, not really harmful and for piece of mind :)

But to be honest, I am no expert either. I look at your config and think, just leave everything at default besides these twos:

PubkeyAuthentication yes PasswordAuthentication no

Things like

MaxAuthTries 3

don’t matter for public key auth.

PermitRootLogin I would set to yes.

sudo systemctl restart ssh will only restart your ssh client and not the ssh server you try to restart. Use sshd insted.

I personally find it easier to use no root during setup and import my ssh keys from github using ssh-import-id.

UFW doesn’t harm, but if the host is on your Proxmox Hypervisor, it is probably behind a deny all incoming firewall anyway. That is also why I would leave IPv6 on.

Like other have noted, Crowdsec is a little bit more complex to setup but also offers more features. As a side note, Fail2ban is unfortunatly not IPv6 ready.