(no title)

2) if you can, require a certificate to connect rather than a password

3) disallow root to ssh and then IPban anyone who tries to login as root

I use this http://www.maht0x0r.net/denial.html

I wrote it a long time ago, I might do it slightly different now but it's been running for 5 years or so.