[pixl97]

>I'd argue that port-knocking, SPA, and changing the port are not cost-effective.

Changing ports is very effective, at least at reducing noise. This is especially true when setting up a new service with no preexisting clients. Default port 22 is an ocean of noise and constant password attempts, no reason to fill up my log servers with millions and millions of attempts per year.

[Tinned_Tuna]

fail2ban and similar tools are standard, widely used, quick to configure, and very effective at removing noise. You won't need to hassle to configuration of any new or existing clients, vulnerability scanners, etc.