I think that the single most-important thing to do is: do not directly expose ssh. There's nothing "secure" about the fact that it is a shell.
Your outer bastion of defense should be OpenVPN with one-of-a-kind digital certificates and tls-auth, as I describe on my blog here. Use this to create a secret(!) outer door, and arrange for SSH and all other services (other than, perhaps, http(s)) to listen only to its gateway port. Use firewalls to make damn sure they can't talk directly or be talked-to.
Once you do that, something very dramatic happens: the number of unauthorized access attempts drops to zero and stays there. Anyone who "port scans" your computer, even suspecting that you're running OpenVPN there, will perceive that nothing's there. You can't attack a computer if you can't find it.
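
One way to check the layout described in the post, as an added example that is not part of the original post: the script parses `ss -tulnH` output and reports every listener reachable from outside the VPN other than OpenVPN and http(s). The VPN subnet `10.8.0.0/24`, the OpenVPN port `udp/1194` and the sample socket list are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the post): the VPN subnet and the ports allowed to face the internet.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
PUBLIC_OK = {("udp", 1194), ("tcp", 80), ("tcp", 443)}

# Constructed sample of `ss -tulnH` output (Netid State Recv-Q Send-Q Local Peer).
SAMPLE = """\
udp   UNCONN 0 0      0.0.0.0:1194      0.0.0.0:*
tcp   LISTEN 0 128    10.8.0.1:22       0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 128    [::]:22           [::]:*
tcp   LISTEN 0 511    *:443             *:*
tcp   LISTEN 0 4096   127.0.0.53%lo:53  0.0.0.0:*
tcp   LISTEN 0 80     203.0.113.7:3306  0.0.0.0:*
"""

def parse_listeners(text):
    """Return (proto, bind_address, port) for each socket line."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        # Drop IPv6 brackets and any %interface suffix.
        host = host.strip("[]").split("%")[0]
        listeners.append((fields[0], host, int(port)))
    return listeners

def reachable_outside_vpn(host):
    """True if the bind address accepts traffic that did not come through the VPN."""
    if host in ("*", "0.0.0.0", "::"):
        return True  # wildcard bind: every interface, including the public one
    ip = ipaddress.ip_address(host)
    return not (ip.is_loopback or ip in VPN_NET)

def exposed(text):
    """Listeners that are publicly reachable and not on the allow-list."""
    return [(proto, host, port) for proto, host, port in parse_listeners(text)
            if reachable_outside_vpn(host) and (proto, port) not in PUBLIC_OK]

if __name__ == "__main__":
    for proto, host, port in exposed(SAMPLE):
        print(f"exposed outside VPN: {proto} {host}:{port}")
```

A wildcard bind on port 22 is flagged even when a firewall blocks it, since the post asks for both the bind address and the firewall to enforce the restriction.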