Enable TCP syn cookies (which is a sysctl, but don't ask me which one, google for it), which apparently mitigates TCP flooding

Only allow your users SSH

And do the things the other posters suggested.