[middleca]

Came here to say +1 to this, definitely employ a bastion host and make sure that's the only way to SSH to your servers. This can be a little tricky to do correctly if you don't have someone on your team, but it's a valuable way to reduce your surface area to monitor.

Installing fail2ban is also a very basic / smart way to discourage brute force SSH attacks on your boxes. Also you could try piping your SSH logs into something like papertrail / slack, so you have clear visibility into who's logging into your servers, etc.

[figgis]

On fail2ban, I have had more success in being able to stop attacks quickly by using SSHGuard. Quicker easier setup, easier to understand, etc. Is there a significant reason to use fail2ban over sshguard?

[IsmaOlvey]

fail2ban still doesn't have IPv6 support.

If you use IPv6 (and you should, if possible), it's better to use an alternative that supports it (e.g. SSHGuard).