Wired port ACL + PEFNG will do the job for u , with the right config. :smileywink:
Make the ports as untrusted and then all the access roles you configrued in the wired access role will be applied.
From the WebUI:
Advanced Services > Wired Access > from the drop-down menu, select the aaa profile that has the initial role the blocking ssh and giving other needed services.
Another truly secure method is to not expose your controller on port 22 on the internet. You can also use public key cryptography as a login to the controller or a long and secure username and password.
hope it gave u some idea.
me