diff --git a/hosts/common/optional/services/openssh.nix b/hosts/common/optional/services/openssh.nix
index de26148..8f5a241 100644
--- a/hosts/common/optional/services/openssh.nix
+++ b/hosts/common/optional/services/openssh.nix
@@ -4,6 +4,14 @@ in {
   services.openssh = {
     enable = true;
     ports = [ sshPort ];
+
+    settings = {
+      PermitRootLogin = "no";
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
+    };
+
+    openFirewall = true;
   };
 
   networking.firewall.allowedTCPPorts = [ sshPort ];