An option would be to block the SSH port (except to other servers) and whitelist the customer IP when they want to log in. Just have it automatically whitelist when they log into the panel and attempt login via SSH, with a manual option in case of logging into the panel from a different location than SSH. When the SSH session ends, wait x time and, if there is no new session, remove the whitelist entry.
Then 2FA in Enhance itself also covers SSH.
I think after the firewall feature arrives this shouldn't be too hard to implement.
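
The allowlist lifecycle proposed in the post above, modelled as an added example (not part of the original post and not Enhance's code). The class name, method names and the `login_window_seconds` timer for a panel login that is never followed by an SSH session are assumptions; a real deployment would call the firewall where entries are added and swept.

```python
import ipaddress

class SshAllowlist:
    """Tracks which client IPs may reach the SSH port and when each entry expires."""

    def __init__(self, grace_seconds, login_window_seconds):
        self.grace = grace_seconds                # the "x time" after the last session ends
        self.login_window = login_window_seconds  # assumed: time allowed to open a first session
        self.entries = {}                         # ip -> {"sessions": int, "expires": float or None}

    def panel_login(self, ip, now):
        """Call after a successful 2FA-protected panel login, or from the manual option."""
        ip = str(ipaddress.ip_address(ip))        # raises ValueError on a malformed address
        entry = self.entries.setdefault(ip, {"sessions": 0, "expires": None})
        if entry["sessions"] == 0:
            entry["expires"] = now + self.login_window
        return ip

    def is_allowed(self, ip, now):
        self.sweep(now)
        return ip in self.entries

    def session_opened(self, ip, now):
        if not self.is_allowed(ip, now):
            return False                          # firewall would have dropped the connection
        entry = self.entries[ip]
        entry["sessions"] += 1
        entry["expires"] = None                   # never expire while a session is open
        return True

    def session_closed(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None or entry["sessions"] == 0:
            return
        entry["sessions"] -= 1
        if entry["sessions"] == 0:                # last session gone: start the grace timer
            entry["expires"] = now + self.grace

    def sweep(self, now):
        """Remove and return entries with no open session whose timer has run out."""
        expired = [ip for ip, e in self.entries.items()
                   if e["sessions"] == 0 and e["expires"] is not None and e["expires"] <= now]
        for ip in expired:
            del self.entries[ip]                  # the firewall rule would be removed here
        return expired
```

Counting open sessions per IP matters when a customer has several terminals open: the entry must survive until the last one closes, and only then does the grace timer start.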