I use geo blocking to allow only the countries I work with (UK, USA, AU etc.). You can either deny or allow countries. Allow makes for a shorter list.
Also, SSH with certificates and whitelisted IP access only.
No extra users.
32 character passwords.
No sudo on the server...