Well, of course you have port knocking implemented on the port where your ssh server is active only after the port knock was successful. The script that handles the port knocking could start the ssh server and only allow traffic through if it comes from same IP address as the initial port knock, all the other traffic arriving on that port could be sent to the tarpit. Of course after 3 failed port knocking attempts, the IP where the attempts came from is blocked for ever increasing amounts of time, this combined with a tarpit can be extremely frustrating. Attempts to connect to port 22 (default ssh port) could, of course, by default lead to a tarpit.
Creativity can lead to fun situations. Have fun configuring your scripts and firewall. I’m sure you get the idea of what I mean by now.