I recommend adding something like
AllowGroups wheel staff
to
/etc/ssh/sshd_config. See
sshd_config(5) for a description. That provides a nice additional layer of protection, just in case one of the standard users gains a weak or null password (which really should not happen, but it's still nice to know that ssh is limited to only the real users who actually need it, following the security best practice of "deny all, permit specific").
It should also go without saying that the default
PermitRootLogin no
should never be opened up on a host which allows access from a large chunk of public address space. Even with things like fail2ban, any password can theoretically be brute forced by a suitably persistent attacker willing to throw (stolen, illegally used) resources at it, and they do keep trying root (according to my logs) despite it being blocked by default in most modern operating systems / ssh daemons. With root blocked, they need much more to get a full compromise (username of a wheel user, that user's password, then the root password), unless something has been added to let them get direct to root from the wheel user. Keep your wheel users minimised, to people who actually have some reasonable understanding of security.
Yes I agree, my point though is that the passwords I showcased are already of such complexity that brute-forcing them over a network connection is not feasible because of the large enough turn-around time for each guess attempt.
Strong passwords just make it harder to brute force, they don't prevent it. It becomes feasible if the attacker is willing to spend a long time slowly working at it using a vast number of compromised hosts or dynamic address space. With IPv6, each host could have between 2^64 and 2^80 addresses, and it becomes harder to reliably ban specific problem hosts by address (you have no way of knowing if a host's address is a /48, /56, /64, or /128, so essentially impossible to reliably ban just the problem host without collateral damage). If the host has
RFC 4941 enabled, the network stack kindly takes care of constantly changing the source address to random numbers within the same subnet.
Your examples are certainly difficult to brute force, but not impossible. Don't use FIPS 181, or similar, on its own (not that those looked like FIPS passwords, they just reminded me of that approach), without further protection… FIPS 181 actually makes it easier to brute force, if the attacker suspects that it is being used, over systems using the full range of strong passwords.