Port 22 open to the whole internet is the most common foothold attempt on any server, and the one almost everyone leaves open because the alternative, an allowlist, breaks the moment you change networks. A roving IP allowlist fixes that.
Run any server with SSH on a public IP and within minutes you have bots from every corner of the internet trying root, admin, and a dictionary of usernames against your 22. Your auth.log fills with noise. Key auth holds the line, but the surface is global: anyone, anywhere, gets to attempt a connection, and if a private key ever leaks, it works from any IP on earth until you notice and rotate.
The clean answer has always been an allowlist: deny 22 by default, allow only the IPs you trust. The reason people do not is operational. Your IP is not stable. You work from the office, then home, then a hotel, then a coffee shop, and a hardcoded ufw allow from 203.0.113.x is wrong the moment you move. So the allowlist either goes stale and locks you out, or you give up and leave 22 open.
SSH is not just another port. It is direct, authenticated shell access to the machine. A successful login is game over, not a nuisance. Everything else you do to harden a box (least privilege, patching, monitoring) assumes the attacker cannot simply walk in the front door. Shrinking who can even reach the door from "the entire internet" to "one IP" removes the bulk of the attack surface before authentication is ever tested. It also quiets the logs, which makes the genuine anomalies visible again.
Most setups land on one of these, each with a real cost:
IPAuth keeps the allowlist shape and removes the maintenance. You get two URLs for a named pair. You bookmark the auth URL; clicking it from any browser tells IPAuth "this is my current public IP." Your server runs a tiny cron that polls the server URL every couple of minutes, reads the IP IPAuth has on file, and rewrites a single ufw rule to match, deleting the previous one so the firewall never accumulates stale entries.
The result: 22 is default-deny, open only to your current IP. Move networks, click the bookmark, and within the poll window your new IP is allowed and the old one is gone. No agent on the server, no VPN client on your laptop, no second box. The change happens entirely inside your own firewall, by a script you can read. A stale IP also expires on its own after 24 hours, so a forgotten allow does not linger.
The one rule to add: keep a failsafe, a stable recovery IP (a bastion or a cloud console) allowed alongside the roving rule, so a missed click or a network hiccup never bricks your only way in.
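The cron side of that setup, as an added example rather than IPAuth's own script: it polls the server URL, validates the answer strictly before it can touch a ufw command line, swaps the single SSH rule (adding the new one before deleting the old one) and never removes the failsafe rule. The server URL, install path, state file and the 192.0.2.1 failsafe address are assumptions, as is the response format (bare IPv4 as plain text, empty body once the entry has expired).

```shell
#!/bin/sh
# Added example, not IPAuth's own code: keep exactly one ufw allow rule for SSH in step with
# the IP on file. Assumptions: the server URL answers with the bare IPv4 address as plain text
# and with an empty body once the entry has expired; FAILSAFE_IP is a placeholder for your own.
set -eu
UFW=${UFW:-ufw}; SSH_PORT=${SSH_PORT:-22}
STATE_FILE=${STATE_FILE:-/var/lib/roving-ssh/current_ip}
FAILSAFE_IP=${FAILSAFE_IP:-192.0.2.1}   # placeholder: stable bastion/console IP, never deleted

# Strict dotted-quad check, so a bad HTTP body can never end up on a ufw command line.
valid_ipv4() {
  case $1 in ''|*.*.*.*.*|*..*|.*|*.|*[!0-9.]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0?*) return 1 ;; esac          # reject leading zeros (octal ambiguity)
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Reconcile the firewall with the IP on file: add the new rule, then drop the previous one.
# An empty new IP means the entry expired, so only the old rule is removed (fail-closed).
sync_rule() {
  new_ip=$1; old_ip=${2:-}
  if [ -n "$new_ip" ] && ! valid_ipv4 "$new_ip"; then
    echo "roving-ssh: refusing non-IPv4 value '$new_ip'" >&2; return 2
  fi
  if [ "$new_ip" = "$old_ip" ]; then echo unchanged; return 0; fi
  # Add before delete, so the allowlist is never momentarily empty.
  [ -z "$new_ip" ] || $UFW allow from "$new_ip" to any port "$SSH_PORT" proto tcp
  if [ -n "$old_ip" ] && [ "$old_ip" != "$FAILSAFE_IP" ]; then
    $UFW delete allow from "$old_ip" to any port "$SSH_PORT" proto tcp || true
  fi
  if [ -n "$new_ip" ]; then echo updated; else echo revoked; fi
}
# A transport failure keeps the current rule (a hiccup must not lock you out); an empty body revokes it.
fetch_ip() {
  body=$(curl -fsS --max-time 10 -- "$1") || { echo "roving-ssh: fetch failed, rule kept" >&2; return 1; }
  printf '%s' "$body" | tr -d '[:space:]'
}
main() {
  new_ip=$(fetch_ip "$1"); old_ip=""
  if [ -f "$STATE_FILE" ]; then old_ip=$(cat "$STATE_FILE"); fi
  sync_rule "$new_ip" "$old_ip"
  mkdir -p "$(dirname "$STATE_FILE")"; printf '%s\n' "$new_ip" > "$STATE_FILE"
}
# Cron entry (assumed install path): */2 * * * * /usr/local/sbin/roving-ssh.sh https://<server URL>
[ $# -eq 0 ] || main "$1"   # with no argument only the functions are defined (sourceable, testable)
```

Run it from cron with your pair's server URL as the only argument; the state file records the last IP so a poll that returns the same address is a no-op.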
This is a strong fit when a person (or a few) needs SSH to servers they own and those people roam between networks. It is not a replacement for key auth or MFA; it is a layer in front of them, shrinking the surface so those defenses are rarely tested by strangers. If you need many rotating contractors or true device posture checks, a full Zero Trust mesh may suit better. For the common case, an operator with a fleet and a laptop that moves, a roving allowlist is the highest-leverage, lowest-overhead control you can add.
Create a pair, drop the ufw script in cron, and lock port 22 to your current IP in about five minutes.