I usually configure sshd to listen on a non-standard port, at least for any server that faces the outside world. Doesn't do anything against a deliberate attack, but it does help in protecting against zero-day worms and such.