You just need to turn off password authentication so it's keys only. They can attempt logins all they want and never get in.
Also if you run ssh on a nonstandard port you get many fewer attempts. There are several groups that constantly scan all of ipv4 for open ports, if you use ipv6 they cannot scan that space anymore.
Optionally you can set up fail2ban but I find it's not a big deal.
I changed my SSH configuration to only listen on an IPv6 address 6 months ago and since then the number of SSH attacks has fallen from 1000+/day to less than 10/week.
Also if you run ssh on a nonstandard port you get many fewer attempts. There are several groups that constantly scan all of ipv4 for open ports, if you use ipv6 they cannot scan that space anymore.
Optionally you can set up fail2ban but I find it's not a big deal.