diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml
index 501bf4a..4fc922e 100644
--- a/roles/basesecurity/tasks/main.yml
+++ b/roles/basesecurity/tasks/main.yml
@@ -28,9 +28,14 @@
 - name: Prohibit root SSH with password
   lineinfile:
     dest: /etc/ssh/sshd_config
-    regexp: '^PermitRootLogin'
-    insertafter: '^#PermitRootLogin'
-    line: 'PermitRootLogin prohibit-password'
+    regexp: '^{{ item.0 }}'
+    insertafter: '^#{{ item.0 }}'
+    line: '{{ item.0 }} {{ item.1 }}'
+  loop:
+    - ["PermitRootLogin", "prohibit-password"]
+    - ["AllowAgentForwarding", "no"]
+    - ["X11Forwarding", "no"]
+    - ["TCPKeepAlive", "no"]
   notify: Restart sshd service
 
 # See banned client with `fail2ban-client status sshd`
@@ -47,3 +52,11 @@
     dest: /etc/fail2ban/jail.d/local.conf
     mode: 0644
   notify: Restart fail2ban service
+
+# See altered packages and configurations with `debsums -ca`
+- name: Install debsums
+  apt:
+    name: debsums
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
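Review bot: The four directives written by the new `loop` reach /etc/ssh/sshd_config without a syntax check, so a typo in a key or value is only discovered when the `Restart sshd service` handler fires, the daemon fails to start, and remote access to the host is gone; adding `validate: /usr/sbin/sshd -t -f %s` to the `lineinfile` task makes the module test the edited temporary copy and abort before anything is written. The task name `Prohibit root SSH with password` now describes only the first loop item; `- name: Harden sshd_config directives` together with `loop_control: {label: '{{ item.0 }}'}` keeps the play output accurate and readable. Since `TCPKeepAlive no` drops the kernel-level liveness check, consider pairing it with `ClientAliveInterval` and `ClientAliveCountMax` entries in the same loop so dead sessions are still reaped.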
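Review bot: The comment above `Install debsums` presents `debsums -ca` as a way to see altered packages, but debsums verifies files against the md5sums lists that the packages themselves installed on the same host, so it detects drift and corruption rather than tampering by anyone who already has root and can rewrite those lists; I would extend the comment with `# Note: debsums checks against the locally stored package md5sums, so it catches drift/corruption, not root-level tampering`. The task only installs the package and nothing in the role runs it, so either add a scheduled run (cron or systemd timer task) or state in the comment that it is intended for interactive use. A minor style point: make the default explicit with `state: present` under `apt:` so the intent survives a future change of module defaults.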