hello. if the passwords are as weak as roland's seems to be the 'PermitRootLogin no'-option is only a little barrier. instead of one pw the attacker has to get two passwords. use the mentioned public-key authentification, only protocol 2 and (if possible) use a non-standard port for ssh (many scripts only check for 22). greetings, grim