Easy to do with known internal networks.

Difficult to manage when roaming.

Disable password auth.

Enable key only auth.

Add in TOTP 2FA (google authenticator).

Randomize the port (reduce bots) that forwards to 22.

Configure lockout to block upon 3 failed attempts, for a long duration like 1 year. (Have a backup access on LAN).

Ensure only the highest encryption ciphers are accepted.

Ensure upgrades are applied to sshd at least monthly.

How is a VPN service more secure than an SSH service?

Both accept login.

Both provide can be brute forced / if using password.

Here be dragons