The best advice is to move sshd off of port 22, establish and configure your IDS and response, and move sshd back to port 22.
I once considered doing that. Instead, I firewalled the whole network, and the only way to ssh into a box is to access via VPN (with password policy enforcement instead of certificates) and from there ssh into the machine.
If the VPN is down, tough. I'll have to have someone onsite to fix things.
Of course, one size does not fit all. This is the way we chose to do this at my place of work.
Oddly, I've never seen evidence of someone trying to brute-force a VPN connection.