I would say, quite bluntly, that you should first(!) set up OpenVPN ... with unique digital certificates, not passwords == PSKs ... and to arrange for all other services to "listen" only to it, so that there are no other ports open. (And, as I describe in my thread about "Dwarvish Doors" on the Security forum, you can conceal the fact that it is open.)
Authorized users, having first connected via VPN, can then use other services like SSH.
Unauthorized users and "kiddies" find: "nothing." Even if they can detect that the port exists, they can't get through it no matter how hard they try. (Even if they steal a laptop, that certificate can be made to drop dead.) There is "a smooth, impenetrable, featureless wall."