Move the port to a high port. Install fail2ban and set it to ban quickly. The downside of that is if you fat finger your login more than a couple of times it might ban you. I have whitelist on mine of the IP addresses I know I will be logging in from. I also run TCP wrappers which far too many people screech about it being depreciated. it works and also if set up properly logs all login attempts. I get about three or four a month on my random high port. Of course most of this depends on you trying to gain access from known addresses or subnet.

I only have the ssh login as a backup. I run wireguard with the ports set to something other than the default port. It allows me to gain access to my home network quickly. While its always possible there might be some bug that would allow someone to access it in the future it works as well as any other solution.

I run pfsense as my router on a small form factor PC with two Ethernet cards. I run Wireguard which is pretty easy to setup in pfsense. I have the client installed on my PC at work and my mobile devices. I’m never more than a click from being connected to my home network.

In the past I used ssh tunnels with port forwards to the services I wanted to access remotely.

Some pretty easy work arounds.

Edit: Okay since I got the downvote. The easiest way to overcome this garbage is to make it appear that all traffic is coming from the local network. This is really trivial these days. Just use a a tunnel/vpn. I recommend wireguard for how simple the client operates. The client is available for many platforms including crapple devices and android.