I use this thing called sshd that listens on only a single port and its main advantage is that it uses actual cryptography to authenticate using a client keypair.
Fwknop uses HMAC keys so quite good crypto by itself, but it's for single shot commands. Good for keeping the ssh port locked until you actually need it. I use it on top of SSH key pairs as part of my layered security, Just as any good access control strategy should.