I don't get it, wouldn't you use ssh keys and also just move it to a different port anyway to save the annoyance of random script kiddie pokes all the time?
Moving the port away from 22 changed my fail2ban logs from hundreds of lines a day to one every few weeks at most.
While you shouldn't skip on other security measures, there's no real downside to changing your SSH port and getting off the target list for a lot of botnets.
(As opposed to e.g. port knocking, which is stronger but makes it easy to lock yourself out and may create issues with some SSH clients.)
Making it explicit: try to always use keys for ssh, avoid passwords. If you have to use passwords, make them very long (20+ chars) and random. Don't use dictionary words or reuse passwords from anywhere else.
Yep, and I always additionally just disable pw authentication altogether, and set PermitRootLogin to either No or without-password.
You can also do things like firewalld off (or with hosts.allow) 22 to just an ssh bastion/jumphost src (or your house IP), but I find that’s usually not necessary (although an excellent further step if you are a bit paranoid) as long as you do what was mentioned in first paragraph.
There are other reasons to use a different port. I move it to cut down on the failed login attempts (yes they'll never succeed given I only allow keys) but they clutter the log so I can't tell if I'm actually being targeted or not. On an obscure port if I do see attempts I know something serious is going on.
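
The sshd settings named in this thread (a non-default port, password authentication off, PermitRootLogin set to no or without-password) can be checked with a short script. This is an added example, not code from any commenter: the `audit` function and both sample configs are constructed, upstream OpenSSH defaults are assumed for absent keywords, and `Include` files and `Match` blocks are not evaluated.

```python
# Added example: audit sshd_config text for the three settings from the thread.
# sshd keywords are case-insensitive, and for most keywords the FIRST
# occurrence wins, so a later "PasswordAuthentication yes" does not undo
# an earlier "no". Port is the exception: it may be given several times.

# Values of PermitRootLogin that do not let root authenticate with a password.
ROOT_OK = {"no", "prohibit-password", "without-password", "forced-commands-only"}

def audit(config_text):
    """Return a list of findings for the global section of an sshd_config."""
    ports, first = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" and "Keyword=value" are both accepted by sshd.
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()
        value = parts[1].lower() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional blocks are out of scope for this check
        if key == "port":
            ports.append(value)
        else:
            first.setdefault(key, value)  # keep only the first occurrence
    ports = ports or ["22"]  # assumed default when no Port line is present
    findings = []
    if "22" in ports:
        findings.append("listening on default port 22")
    if first.get("passwordauthentication", "yes") != "no":
        findings.append("password authentication enabled")
    if first.get("permitrootlogin", "prohibit-password") not in ROOT_OK:
        findings.append("root can log in with a password")
    return findings

# Constructed sample: stock-looking config with the weak settings.
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"

# Constructed sample: hardened as described in the thread. The trailing
# duplicate is ignored by sshd because the first occurrence wins.
HARDENED = ("Port 2222\nPermitRootLogin without-password\n"
            "PasswordAuthentication no\nPasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

On a real host, `sshd -T` prints the effective configuration after defaults and includes are applied, and its output can be passed to the same function.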