I've used fwknop to hide the ssh port entirely. Similar to port pattern knocking, it inspects and drops packets to make it look like a closed port until the signed packet is received then opens the firewall port for a set duration. Get your ssh connection set up and let the firewall close behind you.
It doesn't just have to be for remote access from the internet. You can also use this kind of setup internally. The university I worked at did this for their network management. They put the management interfaces of all their networking equipment into one isolated vlan then used two bastion boxes for access to them (vty access restricted to these two systems). This gave access control, full logging, access to management scripts and no worries about using telnet for accessing switches, routers an AP's.