With fail2ban setup and ssh auth with only keys and PermitRootLogin no, you don't even have to worry about the pentesting bots.