[icedchai]

Every little bit helps. I have hosts I access from "where ever."

[fencepost]

It's fallen out of favor these days, but if you're running on firewalls that can be configured for port knocking consider doing that. A non-sequential knock pattern that unlocks the remote IP for X amount of time can prevent a ton of grinding attacks.

[romeisendcoming]

Add a TLS auth channel to the portknock with a wait window and OTP and you are really in business with this approach.