Using a non-default port is not the solution, because history has taught us that security by obscurity never worked...
It's not "security by obscurity", moving the default port is just to not see all that garbage in the log files - as the automated scripts don't check for ssh on different ports than 22.
People get those fixed ideas and it is difficult to get rid of them. Of course you should not rely ONLY on obscurity to secure your server. But using a non-standard port effectively defeats *the vast majority* of attacks, which never try other than the standard port. I went from thousands of entries in the logs to NONE.
And save CPU cycles by not having to answer those requests.
YES!
1: Use iptables or another firewall in front of the server, to only allow a selected group of "trusted" IPs to access the server through SSH.
Well, that is not always possible or wanted.
Of course! In my case it is not even possible.
2: Enforce Public / Private key Authentication, so that only the users with a valid key can access the server.
And yes, you shouldn't be using ssh with password authentication, true.
Yes! Use only authentication with an encrypted key, e.g. a public/private key pair.
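
Added example (not part of the thread, and not OpenSSH's own code): a small audit of an sshd_config text that reports the listening port and any place password authentication is still allowed, which is the gap a port change alone leaves open. The sample config is constructed; the parser assumes no Include directives and only the keywords shown.

```python
import re

# Constructed sample sshd_config, not taken from the thread.
SAMPLE = """\
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# OpenSSH built-in defaults for the two keywords audited here.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse(text):
    """Return (global settings, [(match condition, settings)]).
    sshd keeps the first value seen for a keyword; Port may repeat."""
    glob, blocks = {}, []
    target = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":  # lines below apply only when the condition matches
            target = {}
            blocks.append((value, target))
        elif key == "port":
            glob.setdefault("port", []).append(value)
        else:
            target.setdefault(key, value.lower())  # first value wins
    return glob, blocks

def audit(text):
    """Report listening ports and any path that still allows passwords."""
    glob, blocks = parse(text)
    eff = {**DEFAULTS, **glob}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("global: PasswordAuthentication is not disabled")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("global: PubkeyAuthentication is disabled")
    for cond, cfg in blocks:
        if cfg.get("passwordauthentication") == "yes":
            findings.append(f"Match {cond}: re-enables PasswordAuthentication")
    return {"ports": glob.get("port", ["22"]), "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this sketch only shows why a later or Match-scoped line can undo a setting that looks correct at the top of the file.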