diff --git a/evolinux-users/defaults/main.yml b/evolinux-users/defaults/main.yml
index f0947958..d7d6f958 100644
--- a/evolinux-users/defaults/main.yml
+++ b/evolinux-users/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 evolinux_users: {}
 evolinux_sudo_group: "evolinux-sudo"
+evolinux_root_disable_ssh: True
diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml
index b28dd377..ec1400bd 100644
--- a/evolinux-users/tasks/main.yml
+++ b/evolinux-users/tasks/main.yml
@@ -15,3 +15,6 @@
 user: "{{ item.value }}"
 with_dict: "{{ evolinux_users }}"
 when: evolinux_users != {}
+
+- include: root_disable_ssh.yml
+ when: evolinux_root_disable_ssh
diff --git a/evolinux-users/tasks/root_disable_ssh.yml b/evolinux-users/tasks/root_disable_ssh.yml
new file mode 100644
index 00000000..f7cd727b
--- /dev/null
+++ b/evolinux-users/tasks/root_disable_ssh.yml
@@ -0,0 +1,16 @@
+---
+
+- name: disable root login
+ replace:
+ dest: /etc/ssh/sshd_config
+ regexp: '^PermitRootLogin (yes|without-password)'
+ replace: "PermitRootLogin no"
+ notify: reload sshd
+
+- name: remove root from AllowUsers directive
+ replace:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
+ replace: '\1\4'
+ validate: '/usr/sbin/sshd -T -f %s'
+ notify: reload sshd
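Review bot: `evolinux_root_disable_ssh: True` uses the capitalised Python-style boolean; Ansible convention and yamllint's `truthy` rule want lowercase `true`, and because the flag is on by default it changes SSH access for every host the role runs on, which the defaults file should say. Suggest a comment above the line, `# Sets PermitRootLogin no and strips root from AllowUsers (tasks/root_disable_ssh.yml). On by default: make sure another SSH-capable account exists before applying.`, and the value written as `evolinux_root_disable_ssh: true`.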
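Review bot: The new `include: root_disable_ssh.yml` is gated only on the flag, while the user-creation task just above it is skipped when `evolinux_users` is empty, so with the default of True a host that has no other SSH account has root locked out of SSH with nothing to replace it. Consider tightening the condition, e.g. `when: evolinux_root_disable_ssh | bool and evolinux_users != {}`, or adding an explicit `assert` that at least one non-root login exists before the include; `| bool` is also the usual guard for a flag that may arrive as a string. The enclosing task list starts before the hunk, so there may be other sources of accounts I cannot see.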
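Review bot: The `regexp: '^PermitRootLogin (yes|without-password)'` in the first task matches only those two spellings, so a config that uses `prohibit-password` (the name OpenSSH 7.0+ prefers, and what Debian's stock file ships commented out) or `forced-commands-only`, or that has no directive at all, is left untouched while the task reports ok — root login then stays at sshd's built-in default, which on 7.0+ still permits key-based root logins. This task also lacks the `validate` that the second task has. Switching to `lineinfile` anchored on an optional `#` rewrites any existing value and adds the directive when it is only a commented default; the rewritten task is below (if the file ends with a `Match` block, check that the line lands above it, since `lineinfile` appends at EOF when nothing matches). Separately, the AllowUsers regex has no token boundary, so `AllowUsers alice rootbeer bob` is rewritten to `AllowUsers alicebeer bob`; adding `(?=\s|$)` after each `root(?:@\S+)?` (including the one inside the negative lookahead) restricts the match to the whole token.
```yaml
- name: disable root login
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Also matches the commented-out default line, so the directive is
    # added rather than silently left at sshd's built-in default.
    regexp: '^#?PermitRootLogin\b'
    line: 'PermitRootLogin no'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
# … unchanged: remove root from AllowUsers directive task …
```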