Guys,
where was the mistake he made so somebody stole his coins? Can you put it in bold so nobody will make the same mistake again?
He did not shut down ports; that is the biggest error, IMHO.
I don't think shutting down ports would have done him any good as long as he kept 22 open. My vote is for root access through SSH + easy root password. Really though it was a CF all around, and changing any one of several things could have prevented the attack.
Really, though? Who the HELL puts a machine on the Internet allowing root access through SSH?! And without, like, a 15+ character password? ALWAYS use sudo, ALWAYS use difficult passwords for all sudoers, ALWAYS have somewhat obscure usernames for valid SSH logins (not "john" or some crap).
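
An added example, not written by any poster in this thread: a small Python audit of an `sshd_config` for the settings argued about above (direct root login over SSH, password logins, which accounts may log in). The sample configurations, the function names and the OpenSSH defaults used for absent keywords are assumptions of this example.

```python
import re

# Constructed sample resembling the setup the thread describes.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""

# Constructed hardened sample; "deploy-k7" is a made-up account name.
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy-k7
"""

# Assumed defaults of current OpenSSH when a keyword is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

def effective_global(config_text):
    """Global settings as sshd reads them: the FIRST occurrence of a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # simplification: conditional Match blocks are not evaluated
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return a list of findings for the global section of an sshd_config."""
    cfg = effective_global(config_text)
    findings = []
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append("root may log in directly over SSH")
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append("password logins accepted, so weak passwords are exposed")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups allow-list of login accounts")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

In the weak sample the later `PermitRootLogin no` has no effect, because sshd keeps the first value it reads for each keyword.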