

Does it need to be exposed to the internet? Putting it behind a vpn would be best.
Besides that, just make sure only the users you need to have access to ssh logins, and use keys for extra hardening. Keep your system updated. Limit that system’s access to other systems on your network, so if it is compromised, they can’t use it as a pivot point for the rest of your setup.
The other commenter’s suggestion of fail2ban is also solid.
Well I came here to chew bubblegum and talk shit, and I’m all out of bubblegum.