Making it explicit: try to always use keys for ssh, avoid passwords. If you have to use passwords, make them very long (20+ chars) and random. Don't use dictionary words or reuse passwords from anywhere else.
Yep, and I always additionally just disable pw authentication altogether, and set PermitRootLogin to either No or without-password.
You can also do things like firewalld off (or with hosts.allow) 22 to just an ssh bastion/jumphost src (or your house IP), but I find that's usually not necessary (although an excellent further step if you are a bit paranoid) as long as you do what was mentioned in the first paragraph.
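An added example, not posted by anyone in this thread, that checks one sshd_config file for the settings the replies above recommend (password authentication off, keyboard-interactive off, PermitRootLogin not `yes`, public-key authentication still on). It assumes only POSIX sh and awk; the two sample config files it writes are constructed for the demo. It follows sshd's rule that the first occurrence of a keyword wins, but it does not model `Include` or `Match` blocks, so on a real host `sshd -T` remains the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a single sshd_config file for the
# settings the posters recommend. Assumes POSIX sh + awk. The sample configs
# below are constructed for the demo. Simplifications: "Keyword value" lines
# only (no "Keyword=value"), and Include/Match blocks are not modelled.

# get_opt FILE KEYWORD
# Prints the effective value of KEYWORD, lower-cased, or "default" if unset.
# sshd uses the FIRST occurrence of a keyword, so stop at the first match and
# skip comment lines.
get_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# sshd_audit FILE
# Prints one line per weak setting; the exit status is the number of findings
# (0 means the file matches the hardening discussed in the thread).
sshd_audit() {
    f="$1"
    n=0

    # Password logins: OpenSSH defaults to "yes", so an unset keyword is a finding.
    pw=$(get_opt "$f" PasswordAuthentication)
    if [ "$pw" != no ]; then
        echo "PasswordAuthentication=$pw (want: no; the default is yes)"
        n=$((n + 1))
    fi

    # Keyboard-interactive (PAM) logins can still prompt for a password even
    # when PasswordAuthentication is off. Newer OpenSSH spells the keyword
    # KbdInteractiveAuthentication; older releases used
    # ChallengeResponseAuthentication. The default is "yes".
    kbd=$(get_opt "$f" KbdInteractiveAuthentication)
    if [ "$kbd" = default ]; then
        kbd=$(get_opt "$f" ChallengeResponseAuthentication)
    fi
    if [ "$kbd" != no ]; then
        echo "KbdInteractiveAuthentication=$kbd (want: no; the default is yes)"
        n=$((n + 1))
    fi

    # Root login: "yes" allows root with a password. "no", "prohibit-password",
    # its older alias "without-password" and "forced-commands-only" are all
    # restrictive; the default since OpenSSH 7.0 is prohibit-password, so an
    # unset keyword is accepted here.
    root=$(get_opt "$f" PermitRootLogin)
    case "$root" in
        no|prohibit-password|without-password|forced-commands-only|default) ;;
        *)
            echo "PermitRootLogin=$root (want: no or prohibit-password)"
            n=$((n + 1))
            ;;
    esac

    # Key auth must stay on, otherwise the hardened config locks everyone out.
    pk=$(get_opt "$f" PubkeyAuthentication)
    if [ "$pk" = no ]; then
        echo "PubkeyAuthentication=no (want: yes)"
        n=$((n + 1))
    fi

    return "$n"
}

SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/sshd_config.weak"
HARDENED_CONF="$SAMPLE_DIR/sshd_config.hardened"

# Constructed sample: root allowed with a password, password auth left at its
# default (the commented-out line does nothing), keyboard-interactive left on.
cat > "$WEAK_CONF" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
EOF

# Constructed sample: the settings recommended in the thread.
cat > "$HARDENED_CONF" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
UsePAM yes
EOF

for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    echo "== $conf"
    if sshd_audit "$conf"; then
        echo "no findings"
    else
        echo "$? finding(s)"
    fi
done
```

Run it against a copy of `/etc/ssh/sshd_config` with `sshd_audit /path/to/sshd_config`; the weak sample above produces three findings and the hardened sample none. Because the script only reads one file, confirm the result on the host with `sshd -T` before relying on it, since drop-in files under `Include` or a `Match` block can change the effective values.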