diff --git a/hosts/rico2/services/default.nix b/hosts/rico2/services/default.nix
index 34a84ff..46968a6 100644
--- a/hosts/rico2/services/default.nix
+++ b/hosts/rico2/services/default.nix
@@ -1,4 +1,3 @@
 {...}: {
-  imports = [./caddy.nix ./frpc.nix];
-  services.openssh.enable = true;
+  imports = [./caddy.nix ./frpc.nix ./ssh.nix];
 }
diff --git a/hosts/rico2/services/ssh.nix b/hosts/rico2/services/ssh.nix
new file mode 100644
index 0000000..a315eac
--- /dev/null
+++ b/hosts/rico2/services/ssh.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+    };
+  };
+}