/var/log suspicious entries
Solution 1:
Do you need access to this host from multiple locations? Or can you use a jumpbox that has a static IP? If this is the case, you can set an iptables rule that only allows SSH access to a specific IP(s). This will give you implicit deny to anyone except the static IPs.
The other recommendations would be to change the service to listen on a non-standard port, disable root authentication, and configure fail2ban.