Depending on how you will be connecting depends on how you should configure this. I would strongly suggest just setting up a Wireguard server and connect to it via VPN. At the same time, exposing the port and using a pubkey with Fail2Ban would be the next best option, while always keeping your server patched with port forwarding a different port to the stand SSH port internally.
These are the simplest ways to do this and still be secure. Again, I strongly suggest setting up a private VPN of your choosing.
Depending on how you will be connecting depends on how you should configure this. I would strongly suggest just setting up a Wireguard server and connect to it via VPN. At the same time, exposing the port and using a pubkey with Fail2Ban would be the next best option, while always keeping your server patched with port forwarding a different port to the stand SSH port internally.
These are the simplest ways to do this and still be secure. Again, I strongly suggest setting up a private VPN of your choosing.
WireGuard Installs - https://www.wireguard.com/install/
WireGuard Docker - https://github.com/wg-easy/wg-easy