I never claimed it would make security better. I said it would reduce noise, and it does.

Good luck getting e.g. Ansible to work with that. At that point I’d just switch to a hosting provider with an actual firewall.

If you have a public IPv4 address and use port 22, you’ll see lots of login attempts. I wouldn’t worry about it, given that you’ve disabled password login. The only thing I would advise is to disable root login as well (if not done already). Edit: Just saw you’ve already disabled root login.

If you’d like to reduce the noise somewhat, consider changing to a randomly chosen high port. I’ve done this with my VPS and hardly get any login attempts.

Classic

The docs on DNS challenge are here, and a bit further down you can find the ones on wildcard certificates