Hi Bernd,

on top of the valuable responses so far, I'd recommend setting this up as an additional sshd, with its own configuration, that will only permit those well-known users by name (see the "AllowUsers" option for sshd_config). Restrict the "standard" sshd to internal interfaces (option "ListenInterface") and the extra sshd to the Internet interface.

Or to make things more secure - could you set up a "jump host", completely separate from your application host and reachable via ssh from the Internet, that will only allow an outgoing ssh connection after a second-factor authentication?

How hard do you need to make things? How valuable is your content?

Regards,
J
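As an added illustration of the two-instance setup described in the reply above (not configuration from the original poster or from the reply's author): one sshd_config for the Internet-facing instance and one for the internal instance. The option that binds sshd to a specific interface address is spelled "ListenAddress" in sshd_config; the addresses, user names and file paths are placeholders.

```text
# /etc/ssh/sshd_config.internet  (assumed path; started with: sshd -f /etc/ssh/sshd_config.internet)
Port 22
ListenAddress 203.0.113.10          # placeholder: the public interface address only
PidFile /run/sshd-internet.pid      # separate PID file so both instances can run side by side
AllowUsers alice bob                # only the well-known accounts; everyone else is refused
PubkeyAuthentication yes
PasswordAuthentication no           # keys only on the exposed instance
PermitRootLogin no
MaxAuthTries 3
LogLevel VERBOSE                    # logs the key fingerprint of every accepted login

# /etc/ssh/sshd_config  (the "standard" instance, internal interfaces only)
Port 22
ListenAddress 10.0.0.5              # placeholder: the internal interface address only
PidFile /run/sshd.pid
PermitRootLogin no
```

Validate each file with `sshd -t -f <file>` before starting it, and check with `ss -ltnp` that each instance is listening on the intended address alone.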