@mattwilcox I mean, nothing's foolproof, don't get me wrong. But one quick-and-dirty thing you could do is a jump server behind a VPS firewall. Linode* for instance has a cloud-level firewall and web-based terminal access, which you can lock behind your account (and thus your MFA). That kind of thing could give you access to a terminal with a static IP. I think a few VPS providers have similar features.
*not sponsored but I've done appearance work for them in the past.
@vkc Thanks - that's for sure something I'll look into. A lot of this is a "past my level" tbh, but I'm the only person around to do things.