diff --git a/handlers/main.yml b/handlers/main.yml
index 21f7c6500688af1aea5f158c4e44184b03e54b17..36976375d086eb5accff280ea0a595835f85fdcc 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,3 +13,8 @@
 service:
 name: syslogd
 state: restarted
+
+- name: Restart ssh
+ service:
+ name: ssh
+ state: restarted
diff --git a/tasks/lock_root.yml b/tasks/lock_root.yml
new file mode 100644
index 0000000000000000000000000000000000000000..601aaeffae4efd0e921b7d6d35c755d6dd4aaa0a
--- /dev/null
+++ b/tasks/lock_root.yml
@@ -0,0 +1,14 @@
+---
+
+- name: Disable root account
+ user:
+ name: root
+ expires: 1
+
+- name: Disable root SSH login
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ line: 'PermitRootLogin no'
+ regexp: '^PermitRootLogin '
+ notify:
+ - Restart ssh
diff --git a/tasks/main.yml b/tasks/main.yml
index ef3fd95ecdd9f80d05eed7f41cac8d7615bc5405..5573651b3a1835c0e23d73bb00fcaed668c9cd8a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -45,3 +45,6 @@
 - include: unattended_upgrades.yml
 when: unattended_upgrades|default(True) and ansible_os_family == 'Debian'
+
+- include: lock_root.yml
+ when: lock_root|default(True)
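Review bot: The new handler in handlers/main.yml hard-codes `name: ssh`, which is the Debian/Ubuntu service name; on distributions where the daemon is registered as `sshd` the notify from tasks/lock_root.yml would fail after sshd_config has already been changed, leaving the new setting unapplied. The include added to tasks/main.yml carries no `ansible_os_family` condition, so this looks reachable unless the role is Debian-only. Either take the name from a role variable (for example `name: "{{ ssh_service_name }}"`, a new variable defaulting to `ssh`) or restrict the include to the families where `ssh` is correct. The rest of the handlers file is outside the hunk.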
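Review bot: In tasks/lock_root.yml, `regexp: '^PermitRootLogin '` only matches an active directive followed by a literal space, so when the keyword is tab-separated or only present commented out, `lineinfile` appends a new line at the end of the file. sshd uses the first value it reads for a keyword and treats everything after a `Match` line as conditional, so the appended `PermitRootLogin no` may not be the effective setting. Consider `regexp: '^\s*PermitRootLogin\s'` together with `insertbefore: BOF`, and add `validate: '/usr/sbin/sshd -t -f %s'` so a broken file is never written before the handler restarts the daemon. Separately, `expires: 1` expires the whole root account rather than locking its password, which on PAM-based systems can also stop root's cron jobs; `password_lock: yes` is probably closer to the intent, worth confirming on a test host.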
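Review bot: `when: lock_root|default(True)` in tasks/main.yml turns the lock on for every existing user of the role the next time it runs, including hosts that are still managed over a root SSH login. Nothing visible in the change checks that another account with sudo access exists, so a run can cut off its own management path once the handler restarts the daemon. I would document `lock_root` next to the other toggles with that prerequisite stated, and add a comment above the include such as `# Requires a non-root account with sudo; set lock_root: false to skip`.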