diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index c9f745e..672faf7 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -991,22 +991,37 @@ sshd_host_keys: - /etc/ssh/ssh_host_ecdsa_key - /etc/ssh/ssh_host_ed25519_key +sshd_max_startups: !!str "10:30:100" + +sshd_max_auth_tries: 3 + +sshd_max_sessions: 10 + # only for debian version <= 9 # sshd_use_privilege_separation: !!str "sandbox" -sshd_permit_root_login: !!str "no" +sshd_permit_root_login: !!str "prohibit-password" sshd_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2" sshd_pubkey_authentication: !!str "yes" -sshd_password_authentication: !!str "no" +sshd_password_authentication: !!str "yes" sshd_use_pam: !!str "yes" +#sshd_allowed_users: +# - chris +# - sysadm +sshd_allowed_users: {} + sshd_print_motd: !!str "no" +sshd_use_dns: !!str "no" + +sshd_gateway_ports: !!str "no" + # sshd_kexalgorithms # # Example: @@ -1016,14 +1031,16 @@ sshd_print_motd: !!str "no" # - diffie-hellman-group14-sha1 # #sshd_kexalgorithms: {} -sshd_kexalgorithms: - - curve25519-sha256 - - curve25519-sha256@libssh.org - - diffie-hellman-group16-sha512 - - diffie-hellman-group18-sha512 - - diffie-hellman-group-exchange-sha256 +sshd_hostkeyalgorithms: + - ssh-ed25519 + - ssh-ed25519-cert-v01@openssh.com + - rsa-sha2-256 + - rsa-sha2-512 + - rsa-sha2-256-cert-v01@openssh.com + - rsa-sha2-512-cert-v01@openssh.com -# sshd__ciphers + +# sshd_kexalgorithms # # Example: # sshd_ciphers: 
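Review bot: Flipping `sshd_password_authentication` from `!!str "no"` to `!!str "yes"` in group_vars/all makes password logins the default for every host that does not override the variable, and together with relaxing `sshd_permit_root_login` to `"prohibit-password"` the previous key-only posture is lost fleet-wide rather than per host. If password logins are only needed during bootstrap, keep the default at `sshd_password_authentication: !!str "no"` and set `"yes"` in the host or group vars that need it, so the permissive value stays scoped and visible. `sshd_allowed_users: {}` is declared as an empty mapping while the commented example directly above it and the `join(' ')` in roles/common/tasks/sshd.yml treat it as a list; `sshd_allowed_users: []` matches the documented shape. `sshd_max_auth_tries` and `sshd_max_sessions` are plain integers while every neighbouring option is tagged `!!str`, which works for a template but deserves a short comment if the mixed typing is deliberate.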
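Review bot: The comment header above the ciphers example is renamed from `# sshd__ciphers` to `# sshd_kexalgorithms`, yet the example that follows still reads `# sshd_ciphers:`, and the new `sshd_hostkeyalgorithms` list now sits directly under the `# sshd_kexalgorithms` example block; the header should become `# sshd_ciphers` and the list should get its own `# sshd_hostkeyalgorithms` header. Removing the `sshd_kexalgorithms` list without a replacement means `fact_sshd_kexalgorithms` is no longer set by roles/common/tasks/sshd.yml, so KexAlgorithms presumably falls back to the OpenSSH defaults; if that is intended, a one-line comment such as `# sshd_kexalgorithms intentionally unset: use OpenSSH defaults` would stop the next reader from re-adding the list. The new list also drops the `ecdsa-sha2-nistp*` algorithms while the `sshd_host_keys` context in the previous hunk still loads `/etc/ssh/ssh_host_ecdsa_key`; either drop that HostKey entry or keep an ecdsa algorithm so the two settings agree.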
@@ -1045,24 +1062,6 @@ sshd_macs: - hmac-sha2-512-etm@openssh.com - umac-128-etm@openssh.com -#sshd_hostkeyalgorithms: {} -sshd_hostkeyalgorithms: - - ssh-ed25519 - - ssh-ed25519-cert-v01@openssh.com - - ecdsa-sha2-nistp256 - - ecdsa-sha2-nistp384 - - ecdsa-sha2-nistp521 - - rsa-sha2-256 - - rsa-sha2-512 - - rsa-sha2-256-cert-v01@openssh.com - - rsa-sha2-512-cert-v01@openssh.com - -sshd_use_dns: !!str "no" - -sshd_allowed_users: {} - -sshd_gateway_ports: !!str "no" - # --- # vars used by roles/common/tasks/sudoers.yml diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml index 9fbff62..8af827d 100644 --- a/roles/common/tasks/sshd.yml +++ b/roles/common/tasks/sshd.yml @@ -10,31 +10,44 @@ fact_sshd_kexalgorithms: "{{ sshd_kexalgorithms | join (',') }}" when: - sshd_kexalgorithms is defined and sshd_kexalgorithms | length > 0 + tags: + - sshd-config - name: (sshd.yml) Set fact_sshd_ciphers (comma separated list) set_fact: fact_sshd_ciphers: "{{ sshd_ciphers | join (',') }}" when: - sshd_ciphers is defined and sshd_ciphers | length > 0 + tags: + - sshd-config -- name: (sshd.yml) Set fact_sshd_macs +- name: (sshd.yml) Set fact_sshd_macs set_fact: fact_sshd_macs: "{{ sshd_macs | join (',') }}" when: - sshd_macs is defined and sshd_macs | length > 0 + tags: + - sshd-config - name: (sshd.yml) Set fact_sshd_hostkeyalgorithms (blank separated list) set_fact: fact_sshd_hostkeyalgorithms: "{{ sshd_hostkeyalgorithms | join (',') }}" when: - sshd_hostkeyalgorithms is defined and sshd_hostkeyalgorithms | length > 0 + tags: + - sshd-config - name: (sshd.yml) Set fact_sshd_allowed_users (blank separated list) set_fact: fact_sshd_allowed_users: "{{ sshd_allowed_users | join (' ') }}" when: - sshd_allowed_users is defined and sshd_allowed_users | length > 0 + tags: + - sshd-config +# --- +# Create new sshd_config +# --- - name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists stat: 
@@ -49,6 +62,23 @@ tags: - sshd-config + +- name: (sshd.yml) Create new sshd_config from template sshd_config.j2 + template: + src: etc/ssh/sshd_config.j2 + dest: /etc/ssh/sshd_config + owner: root + group: root + mode: 0644 + validate: 'sshd -f %s -T' + #backup: yes + notify: "Restart ssh" + when: + - ansible_facts['distribution'] == "Ubuntu" + tags: + - sshd-config + + - name: (sshd.yml) Create/Update new sshd_config from template sshd_config.j2 template: src: etc/ssh/sshd_config.j2 @@ -59,7 +89,7 @@ validate: 'sshd -f %s -T' notify: "Restart ssh" when: - - create_sftp_group is defined and not create_sftp_group + - create_sftp_group is undefined or create_sftp_group is defined and not create_sftp_group - ansible_facts['distribution'] == "Debian" - ansible_facts['distribution_major_version'] <= "10" tags: @@ -81,6 +111,7 @@ tags: - sshd-config + - name: (sshd.yml) Check if sshd_config contains activ parameter 'Subsystem sftp'.. lineinfile: path: /etc/ssh/sshd_config @@ -118,4 +149,3 @@ - ansible_facts['distribution_major_version'] > "10" tags: - sshd-config -
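Review bot: The new Ubuntu template task writes `mode: 0644` as an unquoted scalar, which YAML 1.1 parsers read as the integer 420; the Ansible documentation recommends quoting octal modes, so use `mode: "0644"`. The task body otherwise repeats the Debian `<= "10"` template call below except for its `when:` clause, so if the sftp-group condition also applies to Ubuntu, extending that task's `when:` with `or ansible_facts['distribution'] == "Ubuntu"` would avoid maintaining two copies of the same template call. The commented `#backup: yes` line should either be removed or written as a real `backup: true` so the intent is clear. The task list continues outside this hunk.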
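Review bot: The rewritten condition `create_sftp_group is undefined or create_sftp_group is defined and not create_sftp_group` relies on `and` binding tighter than `or` and repeats the definedness test; `create_sftp_group is not defined or not create_sftp_group` expresses the same thing and reads unambiguously. If the variable may arrive as a string such as `"false"` from inventory, `not create_sftp_group` on a non-empty string evaluates to false, so `- create_sftp_group is not defined or not (create_sftp_group | bool)` is the safer form. The enclosing task starts outside this hunk.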