sshd is the OpenSSH implementation of an SSH server.
Debian: openssh-server
Configuration is done through /etc/ssh/sshd_config or drop-ins at /etc/ssh/sshd_config.d/.
Test your config with sshd -t
Use AllowUsers user1 user2 to restrict SSH access to certain users. This works like a whitelist.
To restrict access by group instead, use AllowGroups group1
To disable password authentication and require keypair auth, add this to your sshd_config or a drop-in config file in /etc/ssh/sshd_config.d/:
PasswordAuthentication no
AuthenticationMethods publickey
TOTP is useful as a second layer for your SSH login besides keypair auth.
First, install libpam-google-authenticator to enable TOTP support for PAM.
Edit /etc/ssh/sshd_config and add/modify the following lines:
UsePAM yes
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
In your /etc/pam.d/sshd, comment out @include common-auth and add a line below it:
auth required pam_google_authenticator.so
This will disable regular password auth (keypair auth is already required) and enable TOTP authentication.
See also https://wiki.archlinux.org/title/OpenSSH#Authentication_providers
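An added example (not from the original page): a small Python check for the key-only and key+TOTP setups above that models sshd's rule that the first value obtained for a keyword wins across drop-ins and the main file. The file names and contents are constructed samples; it assumes the drop-ins are included at the top of sshd_config, as in Debian's stock file, and it skips Match blocks and the keyword=value syntax.

```python
import shlex

# Constructed sample input. Order matters: the drop-in is assumed to be pulled
# in by an Include line at the top of sshd_config, so it is read first.
SAMPLE_FILES = [
    ("/etc/ssh/sshd_config.d/10-totp.conf",
     "UsePAM yes\n"
     "KbdInteractiveAuthentication yes\n"
     "AuthenticationMethods publickey,keyboard-interactive:pam\n"),
    ("/etc/ssh/sshd_config",
     "# the next line is ignored: the keyword was already set by the drop-in\n"
     "AuthenticationMethods publickey\n"
     "PasswordAuthentication yes\n"
     "Match User backup\n"
     "    PasswordAuthentication no\n"),
]

def effective_globals(files):
    """First-value-wins view of the global (non-Match) settings."""
    seen = {}
    for path, text in files:
        in_match = False  # a Match block ends at the end of its file
        for line in text.splitlines():
            words = shlex.split(line, comments=True)
            if not words:
                continue
            key, value = words[0].lower(), " ".join(words[1:])
            if key == "match":
                in_match = True
            elif not in_match:
                seen.setdefault(key, (value, path))  # keep the first value only
    return seen

def audit(files):
    """Return findings for the key-only / key+TOTP setups described above."""
    cfg = {k: v for k, (v, _) in effective_globals(files).items()}
    findings = []
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # Space-separated lists are alternatives; each one must demand publickey.
    lists = cfg.get("authenticationmethods", "any").split()
    if not all("publickey" in m.split(",") for m in lists):
        findings.append("AuthenticationMethods allows login without publickey")
    if any("keyboard-interactive:pam" in m.split(",") for m in lists):
        for key in ("usepam", "kbdinteractiveauthentication"):
            if cfg.get(key, "").lower() != "yes":
                findings.append(f"{key} must be 'yes' for TOTP via PAM")
    return findings
```

On a live host, sshd -T prints the effective configuration as sshd itself resolves it, which is the authoritative check.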
You can rate limit IPs with failed authentication attempts using the PerSourcePenalties option.
Example config:
PerSourcePenalties crash:90 authfail:5 noauth:1 grace-exceeded:20 max:600 min:15 max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive
See https://man.openbsd.org/sshd_config.5#PerSourcePenalties for the full config.