Use a Bastion Server
This is an advanced topic.
A bastion server is an extra machine whose purpose is to allow access to needed services (such as ssh). Typically, external internet access is directed to the bastion server (e.g., ssh), and then the bastion server can then reach a more sensitive server (with another password or other security measures).
More sensitive machines such as a web or email server can be configured to allow access (or not) only from the bastion server, thus providing two-level security, with one password required for access to the bastion server, and yet anothr password required to acces the main server.