VPS VNC text-console interfaces are essential

anyway, if you set up wireguard, this is a great tool: https://github.com/angristan/wireguard-install

you can then have your SSH only listening on that address, with this line in the [Service] section of your VPS's sshd.service:

After=network.target network-online.target wg-quick@wg0.service

so it always waits for the wireguard service to start the listener before it tries to bind to the tunnel address

with these things in place you can eliminate all unwanted attempts to access your elliptic curve key access only method enabled so you don't have syslogs full of idiot bots trying all the common passwords to break into your SSH, they can't even get connected unless you set up a wireguard tunnel and gave it to them, similar to how a nostr relay can enforce access by auth