There is little evidence that the "SSH reachable over sim in early boot" issue could be the cause if you see multiple ssh sessions.
You can use the firewall to enable remote ssh/http/https access from a limited list of IP source address only, the ones you use to administer the router. For example:
# allow known sources
iptables -A INPUT -s good_ip_addr -p tcp --dport 22 -j ACCEPT
# allow access from local lan
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# reject everything else
iptables -A INPUT -p tcp --dport 22 -j DROP
Idem for ports 80 and 443.
You can also disable password authentication in ssh, but be sure to add your trusted keys before.
A better solution would be to setup a VPN between the router and a system you have full control of and only allow remote access from this source.
Regards,