Technically you can do this however you want, but if you want to do it right: https://tools.ietf.org/html/rfc6335#section-6
Select a port from the Dynamic/Private/Ephermeral range. Set a port forward up from an external port between 49152 and 65535 to 22 of Ubuntu machine.
Or knockd is a clever option - I'd rate it above random ports as it is IP specific...
Still too much hassle in my opinion and key based auth on port 22 is perfectly sufficient, but it's an option...
For me, remembering the damn port and typing -p 12345 on the end of every ssh or scp command is far more bother than it's worth.
run an OpenVPN instance
1 - Custom SSH Port
2 - Disable root login and use another somewhat random username (not necessarily characters, just not something like "admin").
3 - Firewall including bruteforce protection i.e: ConfigServer Security & Firewall
Done.