diff --git a/roles/backup_server/files/backup-sshd_config b/roles/backup_server/files/backup-sshd_config
new file mode 100644
index 0000000000000000000000000000000000000000..eff4f61893496e420c9f33052138bbbe06a929d4
--- /dev/null
+++ b/roles/backup_server/files/backup-sshd_config
@@ -0,0 +1,81 @@
+# Listen on separate port for backup purposes.
+Port 2222
+
+# Use the SSH protocol version 2 (which is safer).
+Protocol 2
+
+# Define dedicated host keys for backup SSH server.
+HostKey /etc/ssh-backup/ssh_host_rsa_key
+HostKey /etc/ssh-backup/ssh_host_ecdsa_key
+HostKey /etc/ssh-backup/ssh_host_ed25519_key
+
+# Use privilege separation for increased security.
+UsePrivilegeSeparation yes
+
+# Configure logging.
+SyslogFacility AUTH
+LogLevel INFO
+
+# Users logging-in have 10 seconds to login upon established connection.
+LoginGraceTime 10
+
+# Don't allow root accounts logins.
+PermitRootLogin no
+
+# Enforce strict checking of home directory mode. However, this is not used for
+# the chroots (chroots must check mode).
+StrictModes yes
+
+# Allow public key authentication.
+PubkeyAuthentication yes
+
+# Don't read the user's ~/.rhosts and ~/.shosts files for eventual
+# RhostsRSAAuthentication or HostbasedAuthentication.
+IgnoreRhosts yes
+
+# Disable host-based authentication.
+HostbasedAuthentication no
+
+# Do not allow logins with empty passwords.
+PermitEmptyPasswords no
+
+# Don't allow challenge-response authentication.
+ChallengeResponseAuthentication no
+
+# Disable password-based authentication.
+PasswordAuthentication no
+
+# Disable X11 forwarding.
+X11Forwarding no
+
+# Do not print motd to avoid eventual issues for clients.
+PrintMotd no
+
+# Do not print the date and time of the last user login.
+PrintLastLog no
+
+# Use TPC keepalives for detecting dead connections.
+TCPKeepAlive yes
+
+# Use the internal SFTP so we can also easily utilise chroot.
+Subsystem sftp internal-sftp
+
+# Use PAM. But thanks to PasswordAuthentication being set to "no", PAM will be
+# used just for session stuff.
+UsePAM yes
+
+# Specify a dedicated PID file for the backup SSH.
+PidFile /run/sshd-backup.pid
+
+# Users logging-in are forced to use the SFTP server.
+ForceCommand internal-sftp
+
+# Chroot logged-in users to their home directories.
+ChrootDirectory %h
+
+# Do not allow any TCP forwarding.
+AllowTCPForwarding no
+
+# Only allow the members of this group to log-in into this instance of OpenSSH
+# server.
+AllowGroups backup
\ No newline at end of file
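Review bot: `ChrootDirectory %h` only admits a session when the home directory and every parent path component are owned by root and not group- or world-writable — sshd rejects the login otherwise — so backup clients cannot write directly into %h and need a user-owned subdirectory beneath it; the StrictModes comment hints at this, but the requirement belongs next to the directive: `# sshd requires %h and all parent directories to be root-owned and not group/world-writable; clients write into a subdirectory below %h.` `Protocol 2`, `UsePrivilegeSeparation yes` and `ChallengeResponseAuthentication no` are legacy keywords that current OpenSSH releases ignore or treat as aliases (typically logging a warning), which is harmless but worth a comment stating the OpenSSH version this file targets, or removal if only recent releases are deployed. With `ForceCommand internal-sftp` the hunk disables TCP and X11 forwarding but leaves the other channel types at their defaults; `AllowAgentForwarding no` and `PermitTunnel no` would close them for this SFTP-only instance.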