Domoticz

Actually it is relevant to SSH Hijacks because many attacks are successful because of leveraged kernel or application vulnerabilities, now were even starting to see CPU vulnerabilities eg Spectre for which there are now kernel patches.

I combine it with "unattended upgrades" to cover the system packages.

https://help.ubuntu.com/lts/serverguide ... dates.html

Obviously put SSH on a non-default port with either certificate auth or a very long complex password.

If you want to go the extra mile use port knocking.

Lucky me: https://www.raspberrypi.org/blog/why-ra ... -meltdown/

I always change port to above 5000 and make use of SSH_KEY.
And change some settings in sshd_config to

Port I-DONT-TELL
PermitRootLogin no
PasswordAuthentication no
UsePAM no

I'm a little confused, but did I got that right, that you left your ssh port of your pi accessible from the internet?
In my opinion, that port shouldn't be open at all. If I want to access the pi from outside, I would use a secured VPN connection.