Recent OpenSSH 4.x support restricting root to key-only auth; that's how it's set up by
default in ALT Linux 4.0. Previous ALT releases used to "PermitRootLogin no" and recommend
sudo/su -- preferably with separate user in wheel group since one of control(8)-ed settings
for /bin/su and /usr/bin/sudo file permissions is "suid, executable by wheel group, no world
perms at all".
I think I've heard of 1 (one) case when unsuspecting ALT Linux user would get his root account
bruteforced -- due to offline system with easy password and manually enabled remote root login
being brought online.
Still AllowUsers/AllowGroups is basically a must on multiuser systems where not literally
everyone must have remote access; as mentioned, IP filtering and weird port are also worthy
things to consider doing, depending on one's situation. Port knocking techniques sometimes
come handy too.