The first things I do with sshd on any machine are 1) disable remote root login and 2) disable password login.
plus move it to a high non-standard port
Our fail2ban processes were using a not-insignificant amount of resources while sshd was listening on port 22. Moving to a high port shifted it to somewhere in the "dead last" range in the CPU time column.
The first things I do with sshd on any machine are 1) disable remote root login and 2) disable password login.