diff --git a/setup.sh b/setup.sh
index fa1f8f6..0a97b8a 100644
--- a/setup.sh
+++ b/setup.sh
@@ -48,4 +48,13 @@ echo "Configuring firewall..."
 ufw allow OpenSSH
 ufw --force enable
 
+# === HARDEN SSH: Disable root login via SSH ===
+echo "Disabling root SSH login..."
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+systemctl restart ssh || service ssh restart
+
+# === ENSURE beer CAN USE SUDO ===
+usermod -aG sudo beer
+
 echo "Setup complete! You can now SSH into the container/VM as '$USERNAME'."
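Review bot: The two `sed -i` lines only rewrite a directive that already starts at column 0 in `/etc/ssh/sshd_config`, so the hardening silently does nothing when the line is absent, indented, or preceded by a drop-in under `/etc/ssh/sshd_config.d/` (sshd keeps the first value it reads, and recent Debian/Ubuntu configs include that directory near the top). Run `sshd -t` before the restart and check the effective values afterwards with `sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication) '`, failing the script if either is not `no`. Password logins are switched off without checking that the login account has an `authorized_keys` file, so a host provisioned without a key would be left with no SSH access. The `usermod -aG sudo beer` line hard-codes the account while the final echo uses `$USERNAME`; if that variable holds the account created earlier in the script (not visible in this hunk), `usermod -aG sudo "$USERNAME"` keeps the two in sync.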