diff --git a/hosts/nixos-common.nix b/hosts/nixos-common.nix
index 04955d3..6a759cf 100644
--- a/hosts/nixos-common.nix
+++ b/hosts/nixos-common.nix
@@ -23,17 +23,9 @@ # useXkbConfig = true; # use xkb.options in tty. # }; - # Enable sysrq boot.kernel.sysctl."kernel.sysrq" = 1; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ 22 ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Auto store clean nix.gc = { automatic = true;
diff --git a/modules/linux/ssh.nix b/modules/linux/ssh.nix
new file mode 100644
index 0000000..3a8348b
--- /dev/null
+++ b/modules/linux/ssh.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # Enable the OpenSSH daemon.
+ services.openssh = {
+ enable = true;
+ allowSFTP = true;
+ openFirewall = false;
+ authorizedKeysInHomedir = false;
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ GatewayPorts = "no";
+ };
+ };
+
+ # enable ssh in the firewall
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ # enable fail2ban
+ services.fail2ban.enable = true;
+}
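Review bot: In the new `modules/linux/ssh.nix`, `PasswordAuthentication = false` does not by itself rule out password-backed logins, because keyboard-interactive authentication is a separate sshd setting that NixOS, as far as I know, leaves enabled by default and PAM can answer with the account password; add `KbdInteractiveAuthentication = false;` beside it in `settings` so that only public-key authentication remains. Since `authorizedKeysInHomedir = false` takes `~/.ssh/authorized_keys` out of the lookup path, each account that must log in needs its keys declared via `users.users.<name>.openssh.authorizedKeys.keys`, which is not visible in this commit and should be confirmed before the change reaches a remote host. The firewall line hard-codes port 22 while `openFirewall = false` switches off the option that would track `services.openssh.ports`; either set `openFirewall = true;` and drop the `allowedTCPPorts` line, or write `networking.firewall.allowedTCPPorts = config.services.openssh.ports;` so the two cannot drift apart.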