What has been effective for me:
As others have said, no root login, PasswordAuthentication set to no (only login w/keys) in sshd_config
Only one or two users allowed to log in via ssh and they've got quasi-obscure names that aren't on common brute-force tool user name lists (i.e., not "admin" or "apache" or "web" or "johnny")
Restrictive firewall rules (basically, everything's blocked but my service port and ssh). I even restrict ping, to ward off the more crude scans (much to my partner's chagrin).
On my web host, I do restrict access to a specific few IP addresses - but this looks like it's not an option for you. Certainly can't do it myself on all of our hosts. You may also want to look into "port-knocking."
And my favorite: OSSEC's active response module to block a number of brute force conditions and alerts on other errors, too. It detects x invalid logins in y amount of time, and then blocks (via an iptables firewall-drop command) for a certain period of time. I'm blocking for about 12 hours now for fun. :)
One thing I do here to make sure I don't block too much of the wrong thing is that in /etc/ossec.conf, I set active response to a high level (that doesn't exist in default configuration) and then go through the sshd_rules.xml and set the rules I want to block to that level and modify thresholds for block vs. alert as needed.
If you're running Apache, you can block stuff that violates apache-rules, too. I don't block on these just because of the NAT issue; I want to think about blocking an entire university or something. :) In addition, you can write custom rules to block on certain conditions in log files, which can be really helpful.
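As an added illustration of the "x invalid logins in y amount of time, then block for a period" logic the answer above describes (example code written for this page, not the poster's OSSEC configuration): it parses constructed sshd failure lines, keeps a sliding window of failures per source IP, and records a block with a 12-hour expiry once the threshold is hit. The threshold (6 failures in 2 minutes), the log year, and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd lines in /var/log/auth.log syslog format; the year is assumed.
SAMPLE_LOG = """\
Mar 12 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar 12 10:00:03 host sshd[1002]: Failed password for invalid user apache from 203.0.113.7 port 40002 ssh2
Mar 12 10:00:05 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar 12 10:00:07 host sshd[1004]: Failed password for invalid user web from 203.0.113.7 port 40004 ssh2
Mar 12 10:00:09 host sshd[1005]: Failed password for invalid user johnny from 203.0.113.7 port 40005 ssh2
Mar 12 10:00:11 host sshd[1006]: Failed password for root from 203.0.113.7 port 40006 ssh2
Mar 12 10:00:20 host sshd[1007]: Accepted publickey for ops_x7 from 198.51.100.9 port 50000 ssh2
Mar 12 10:30:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 50001 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failure(line, year=2024):
    """Return (timestamp, source_ip, user) for a failed-login line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]

def find_blocks(lines, threshold=6, window=timedelta(minutes=2), block_for=timedelta(hours=12)):
    """Sliding-window failure count per source IP; returns {ip: (blocked_at, blocked_until)}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocks = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue              # successful logins and unrelated lines are ignored
        ts, ip, _user = parsed
        if ip in blocks and ts < blocks[ip][1]:
            continue              # still blocked: the firewall drop would have eaten this
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocks[ip] = (ts, ts + block_for)
            q.clear()
    return blocks
```

With the sample, only 203.0.113.7 is blocked (six failures in ten seconds); the single failure from 198.51.100.9 never reaches the threshold.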