I have an SSH server connected to the internet on the default port and have never experienced issues..
- tcp_wrappers (i.e. hosts.allow, hosts.deny) for SSH.. I don't think there is an SSH out there that doesn't have support compiled in it
- iptables: this, in conjunction with tcp_wrappers, eliminated about 99% of my random port scans/bruteforce attempts.. the only problem is you need to know where you'll be connecting from in order to allow those IPs/IP ranges... I simply did a lookup on popular providers around my area to see their IP ranges and allow those.. most scans seem to come from far away lands :)
- PermitRootLogin without-password (i.e. only RSA/DSA key pairs that are encrypted with a pass-phrase) works wonderfully for automated tasks.. when I log in to interact I obviously use my account (regular) which is configured with sudo access
- sudoers
- constant updates.. I update this box frequently with all security/critical updates
- password/passphrase changes
- run chkrootkit every now and again to see if I've got any issues.. (there are several out there that perform this function)
hope it helps!
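
The two allowlist layers described in the post above (iptables plus hosts.allow) can be generated from a single range list so they cannot drift apart. This is an added example, not the poster's own script: the function names are hypothetical and the ranges are constructed documentation prefixes. The hosts.allow lines only take effect where sshd is still built with libwrap, which upstream OpenSSH dropped in 6.7.

```shell
# Added example: one range list feeds both iptables and tcp_wrappers.
# The default ranges are constructed documentation prefixes (RFC 5737).
ALLOWED_RANGES="${ALLOWED_RANGES:-198.51.100.0/24 203.0.113.64/26}"
SSH_PORT="${SSH_PORT:-22}"
# Succeeds only for a.b.c.d/len with octets 0-255 and len 0-32.
valid_cidr() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr/$len" = "$1" ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] 2>/dev/null || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
}

# Dotted netmask for a prefix length (hosts.allow takes net/mask).
prefix_to_mask() {
    bits=$1; mask=
    for n in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then oct=255; bits=$((bits - 8))
        else oct=$((256 - (1 << (8 - bits)))); bits=0; fi
        mask="${mask}${mask:+.}${oct}"
    done
    echo "$mask"
}

check_ranges() {   # refuse to emit anything if any range is malformed
    for r in $ALLOWED_RANGES; do
        valid_cidr "$r" || { echo "bad range: $r" >&2; return 1; }
    done
}

gen_iptables() {   # allow listed sources, drop every other SSH packet
    check_ranges || return 1
    for r in $ALLOWED_RANGES; do
        echo "iptables -A INPUT -p tcp --dport $SSH_PORT -s $r -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j DROP"
}

gen_hosts_allow() {   # pair with "sshd: ALL" in /etc/hosts.deny
    check_ranges || return 1
    for r in $ALLOWED_RANGES; do
        echo "sshd: ${r%/*}/$(prefix_to_mask "${r#*/}")"
    done
}

gen_iptables && gen_hosts_allow
```

The script only prints the rules. Review the output before applying it from a remote session, because the final DROP rule also applies to your own connection if its source range is not listed.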