A PCI compliance scan report from Comodo complains about the OpenSSH version shipped with Ubuntu 16.04.
That packaged version has all security fixes backported, so the scanner is reacting to the version banner rather than to a real missing fix. Installing OpenSSH from source is normally a bad idea, because you then have to upgrade it by hand every time a new release comes out.
Since PCI compliance requires a newer version of OpenSSH, I installed it from source. It is better to LIMIT SSH access to your own IP using firewall or hosts.allow/deny rules.
apt update && apt install -y build-essential libssl-dev zlib1g-dev
Download the latest version of the OpenSSH source code from one of the mirrors.
Unpack, build and install it with:
tar -zxvf openssh-7.6p1.tar.gz
cd openssh-7.6p1
./configure --sysconfdir=/etc/ssh   # reuse the existing host keys and sshd_config in /etc/ssh
make && make install
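As an added example that is not part of the original post, here is a post-install check script: it parses the OpenSSH version out of the banner the scanner sees, compares it against the required version, and prints the firewall rules for the "limit SSH access to your own IP" step. It assumes a POSIX shell with sed and awk; the banner strings and the admin network 203.0.113.0/24 are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes a POSIX shell with
# awk and sed; the banners and the admin network below are constructed samples.

# Extract "7.2p2" from a banner or from `ssh -V` output, e.g.
# "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8" (what the Ubuntu 16.04 package advertises)
# or "OpenSSH_7.6p1, OpenSSL 1.0.2g  1 Mar 2016" (the from-source build).
ssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*p*[0-9]*\).*/\1/p'
}

# Turn "7.2p2" into a zero-padded key ("007002002") so versions compare numerically.
ssh_version_key() {
    printf '%s\n' "$1" | awk -F'[.p]' '{ printf "%03d%03d%03d\n", $1, $2, $3 }'
}

# Succeeds when the installed version ($1) is at least the required one ($2).
version_at_least() {
    [ "$(ssh_version_key "$1")" -ge "$(ssh_version_key "$2")" ]
}

# Print (do not run) the iptables rules that let only the admin network reach sshd.
# A firewall is the option that applies here: portable OpenSSH removed tcp_wrappers
# support in 6.7, so a from-source 7.6p1 sshd ignores /etc/hosts.allow and hosts.deny.
ssh_allow_rules() {
    admin_net=$1
    port=${2:-22}
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$admin_net"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Compare the version in a banner ($2) with the version the scanner wants ($1).
check_install() {
    required=$1
    installed=$(ssh_version "$2")
    if version_at_least "$installed" "$required"; then
        echo "OK: OpenSSH $installed >= $required"
    else
        echo "FAIL: OpenSSH ${installed:-unknown} < $required (is the package's /usr/sbin/sshd still the one listening?)"
        return 1
    fi
}

# The scanner reads the banner of the listening daemon, so check that rather than `ssh -V`:
#   check_install 7.6p1 "$(ssh -v -o BatchMode=yes localhost 2>&1 | grep 'remote software version')"
#   ssh_allow_rules 203.0.113.0/24   # then apply the printed rules
```

The daemon is what the scanner sees, so if systemd still starts the package's /usr/sbin/sshd after the source install, the report will not change even though `ssh -V` shows 7.6p1.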