diff --git a/handlers/main.yml b/handlers/main.yml
index ed97d53..93b81d4 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1 +1,6 @@
 ---
+- name: common | Restart SSH daemon
+  systemd:
+    daemon_reload: true
+    name: sshd
+    state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
index 7fd7c43..4884b0e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,2 +1,3 @@
 ---
 - include_tasks: usability.yml
+- include_tasks: ssh.yml
diff --git a/tasks/ssh.yml b/tasks/ssh.yml
new file mode 100644
index 0000000..188277b
--- /dev/null
+++ b/tasks/ssh.yml
@@ -0,0 +1,32 @@
+---
+- name: Harden SSH daemon
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '{{ item.regexp }}'
+    line: '{{ item.line }}'
+  notify: common | Restart SSH daemon
+  with_items:
+    - regexp: '^#?AcceptEnv '
+      line: 'AcceptEnv LANG LC_*'
+    - regexp: '^#?PermitUserEnvironment '
+      line: 'PermitUserEnvironment no'
+    - regexp: '^#?PermitRootLogin '
+      line: 'PermitRootLogin no'
+    - regexp: '^#?MaxAuthTries '
+      line: 'MaxAuthTries 2'
+    - regexp: '^#?MaxSessions '
+      line: 'MaxSessions 5'
+    - regexp: '^#?PasswordAuthentication '
+      line: 'PasswordAuthentication no'
+    - regexp: '^#?ChallengeResponseAuthentication '
+      line: 'ChallengeResponseAuthentication no'
+    - regexp: '^#?AllowAgentForwarding '
+      line: 'AllowAgentForwarding no'
+    - regexp: '^#?AllowTcpForwarding '
+      line: 'AllowTcpForwarding no'
+    - regexp: '^#?X11Forwarding '
+      line: 'X11Forwarding no'
+    - regexp: '^#?TCPKeepAlive '
+      line: 'TCPKeepAlive no'
+    - regexp: '^#?UseDNS '
+      line: 'UseDNS no'
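Review bot: The handler in handlers/main.yml hard-codes `name: sshd`, which is the unit name on RHEL-family and most other distributions but not on Debian-family hosts, where the unit is `ssh` and `sshd` is at best an alias that only exists once the unit has been enabled; on such a host the notified restart fails after sshd_config has already been rewritten, leaving the change half-applied. Taking the unit name from a role variable with `sshd` as the default (a constructed example: `name: "{{ ssh_service_name | default('sshd') }}"`) or setting it per OS family would make the handler portable. `daemon_reload: true` is only needed when unit files change, and nothing in this commit touches one, so it can be dropped to keep the handler minimal.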
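Review bot: The `lineinfile` task in tasks/ssh.yml edits `/etc/ssh/sshd_config` without a `validate:` step, so a malformed `line` value or a directive the installed OpenSSH does not recognise is committed as-is and the notified restart then takes sshd down, which on a remote host is a lockout; add `validate: '/usr/sbin/sshd -t -f %s'` under `lineinfile` so the daemon checks the candidate file before it replaces the real one. Because `lineinfile` appends at end of file when its regexp matches nothing and sshd honours the first occurrence of a directive, an appended line lands after any trailing `Match` block and is either rejected or scoped to that block, and on hosts whose shipped sshd_config starts with an `Include` of drop-in files those drop-ins take precedence over these edits, so a dedicated file in the included directory is the more reliable placement if the target config has that layout. `PasswordAuthentication no` combined with `PermitRootLogin no` removes the fallback login path, and `MaxAuthTries 2` is exhausted by a client whose agent offers more than one key before the right one, so the play should reach this task only after key-based access for a non-root account has been confirmed. As a style point, `loop:` is the current form of `with_items:`, and `ChallengeResponseAuthentication` is the pre-OpenSSH-8.7 spelling of `KbdInteractiveAuthentication`, which newer daemons accept only as an alias.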