I prefer to disallow ANY root logins with or without public/private keys. I only allow one regular user to log in using a cryptic password or key. I log in as a regular user, then su to root. (Two levels of authentication to root!) I cannot disable PasswordAuthentication, nor restrict the IP address, as I need to access my server remotely from any computer. I do use private/public keys from my primary workstations.
Then I install fail2ban to take care of the idiots that WILL attempt to break into my servers.
Will look into CSF/LFD as a replacement for fail2ban.
There is no one way to do it as different people have different requirements.
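An added example (not the poster's own code) that audits an sshd_config for the posture described in this post: root logins denied outright, exactly one regular user allowed in, and password authentication left on. The function and script names are my own; it reads the config on stdin, honours sshd's first-occurrence rule, and ignores Match blocks and Key=value syntax.

```shell
#!/bin/sh
# Audit an sshd_config for the posture in the post above:
#   - PermitRootLogin no (not even key-based root logins)
#   - AllowUsers naming exactly one regular account
#   - PasswordAuthentication reported (left enabled in the post, so fail2ban matters)
# Reads the config on stdin; exit status 0 when the posture matches.
# Assumption: no Match blocks and "Keyword value" syntax only.

sshd_first_value() {
    # $1 = keyword (case-insensitive). sshd uses the FIRST occurrence of a
    # keyword, so print that one's value and stop; print nothing if absent.
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    '
}

audit_sshd_posture() {
    cfg=$(cat)          # buffer stdin so the config can be scanned several times
    status=0

    # OpenSSH's compiled-in default is prohibit-password: root keys still work,
    # which the post explicitly does not want, so a missing directive is a FAIL.
    root=$(printf '%s\n' "$cfg" | sshd_first_value PermitRootLogin)
    root=${root:-prohibit-password}
    case "$root" in
        no) echo "OK   PermitRootLogin no" ;;
        *)  echo "FAIL PermitRootLogin is '$root' (want: no)"; status=1 ;;
    esac

    users=$(printf '%s\n' "$cfg" | sshd_first_value AllowUsers)
    count=$(printf '%s\n' "$users" | awk '{ print NF; exit }')
    if [ "$count" -eq 1 ]; then
        echo "OK   AllowUsers limits logins to one account: $users"
    else
        echo "FAIL AllowUsers lists $count accounts (want: exactly one)"; status=1
    fi

    pw=$(printf '%s\n' "$cfg" | sshd_first_value PasswordAuthentication)
    echo "INFO PasswordAuthentication ${pw:-yes (default)}; brute-force attempts reach sshd, so rate-limit them (e.g. fail2ban)"
    return "$status"
}

# Constructed sample config (not from a real host); for a live check use:
#   audit_sshd_posture < /etc/ssh/sshd_config
printf 'PermitRootLogin no\nAllowUsers alice\nPasswordAuthentication yes\n' | audit_sshd_posture
```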