diff --git a/etc/ssh/sshd_config.d/README.md b/etc/ssh/sshd_config.d/README.md
new file mode 100644
index 00000000..91bf348d
--- /dev/null
+++ b/etc/ssh/sshd_config.d/README.md
@@ -0,0 +1,3 @@
+sshd_config should include something like
+
+Include /etc/ssh/sshd_config.d/*.conf
diff --git a/etc/ssh/sshd_config.d/basic-security.conf b/etc/ssh/sshd_config.d/basic-security.conf
new file mode 100644
index 00000000..a586294c
--- /dev/null
+++ b/etc/ssh/sshd_config.d/basic-security.conf
@@ -0,0 +1,13 @@
+# RSA and Ed25519 are fine, but DSA is broken and ecdsa is suspicious
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Includes public keys in logins
+LogLevel VERBOSE
+
+# root login should probably be denied entirely, but key is better than
+# password
+PermitRootLogin prohibit-password
+
+# Passwords are bad
+PasswordAuthentication no
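Review bot: `PasswordAuthentication no` at the end of basic-security.conf does not by itself stop password logins, because sshd can still accept a password through the keyboard-interactive method (typically via PAM), which is governed by a separate keyword. The drop-in should also set `KbdInteractiveAuthentication no` (spelled `ChallengeResponseAuthentication no` on older OpenSSH releases, where it is an alias), with a comment such as `# keyboard-interactive (PAM) can still prompt for a password unless disabled`. Note too that sshd takes the first value it sees for most keywords, so the `Include` the README suggests only has effect if it appears before any conflicting directive in the main sshd_config; the README line could say so explicitly.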