No root login, no password login, public key only. This should make ~100% of ssh attacks futile. If you don't want to see many failed login attempts in your logs, listening on a completely random 5-digit port has worked well for me. You can specify the port in ~/.ssh/config so you don't have to type it every time you log in.
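
A way to check a server's sshd_config text against the settings listed in the comment above. This is an added example, not part of the original comment; the function names and both sample configs are constructed, and it assumes `Match` blocks and `Include` files are out of scope.

```python
# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Return (settings, ports). sshd keeps the FIRST value seen per keyword;
    Port may repeat. Assumption: Match/Include are not evaluated here."""
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional blocks are not handled by this example
        if key == "port":
            ports.append(int(value))
        else:
            settings.setdefault(key, value)  # a later duplicate is ignored
    return settings, ports or [22]

def audit(text):
    """Return a list of findings; an empty list means the policy is met."""
    settings, ports = parse_sshd_config(text)
    eff = {k: settings.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if eff["permitrootlogin"] != "no":
        findings.append("root login allowed: PermitRootLogin " + eff["permitrootlogin"])
    if eff["passwordauthentication"] != "no":
        findings.append("password login enabled")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("public key login disabled")
    if 22 in ports:
        findings.append("listening on default port 22 (expect noisy logs)")
    return findings

# Constructed samples. In WEAK the trailing "no" never takes effect.
WEAK = "PasswordAuthentication yes\nPermitRootLogin prohibit-password\nPasswordAuthentication no\n"
HARDENED = "Port 49222\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    print("WEAK:", audit(WEAK))
    print("HARDENED:", audit(HARDENED))
```

The WEAK sample shows the case that is easy to miss: appending `PasswordAuthentication no` at the end of a file that already sets it to `yes` changes nothing, because the first value wins.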