I use port knock. Really helps against scans if you are the edge device.

If it’s public facing, how about dont turn on ssh to the public, open it to select ips or ranges. Use a non standard port, use a cert or even a radius with TOTP like privacyIdea. How about a port knocker to open the non standard port as well. Autoban to lock out source ips.

That’s just off the top of my head.

There’s a lot you can do to harden a host.

There’s a 40 year I.T. veteran here that still suffers imposter syndrome. It’s a real thing I’ve never been able to shake off

Whoops, shouldn’t have that bar assocation logo here either.