diff --git a/setup.sh b/setup.sh
index 280e757..0e5333e 100755
--- a/setup.sh
+++ b/setup.sh
@@ -323,6 +323,17 @@ create_sysadmin_user() {
 if id "$SYSADMIN_USER" &>/dev/null; then
 warn "User $SYSADMIN_USER already exists, skipping creation"
 SYSADMIN_USER_CREATED="no"
+
+ # Check if the existing user has the default password "hhh"
+ if echo "hhh" | su - "$SYSADMIN_USER" -c "exit" 2>/dev/null; then
+ warn "User $SYSADMIN_USER has default password 'hhh', changing to random password"
+ local random_password=$(openssl rand -base64 12)
+ echo "$SYSADMIN_USER:$random_password" | chpasswd
+ echo "=========================================="
+ echo "NEW PASSWORD for $SYSADMIN_USER: $random_password"
+ echo "=========================================="
+ log "Password changed for existing user $SYSADMIN_USER"
+ fi
 else
 # Create user with home directory
 useradd -m -s /bin/bash "$SYSADMIN_USER"
@@ -399,6 +410,10 @@ configure_security() {
 sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
 sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
 
+ # Disable sysadmin SSH login
+ log "Disabling sysadmin SSH login..."
+ echo "DenyUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config
+
 # Configure SSH settings
 log "Applying SSH security settings..."
 
@@ -440,6 +455,10 @@ configure_security() {
 log "Locking root password..."
 passwd -l root
 
+ # Lock sysadmin password
+ log "Locking sysadmin password..."
+ passwd -l "$SYSADMIN_USER"
+
 # Configure firewall if requested
 if [[ "$USE_UFW" == "yes" ]]; then
 configure_ufw
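Review bot: The default-password probe `echo "hhh" | su - "$SYSADMIN_USER" -c "exit"` does not test the password when the script runs as root, which the surrounding useradd/chpasswd/passwd calls suggest it does: root's su switches user without prompting, so the condition is true for every pre-existing account and the rotation runs unconditionally (and on systems where su does prompt, it reads from the tty rather than the pipe, so the branch would never fire). A sound check compares the stored hash from `getent shadow "$SYSADMIN_USER"` against the same algorithm and salt applied to the candidate password, or the script should simply rotate unconditionally and say so in the warn message. Independently, `local random_password=$(openssl rand -base64 12)` masks an openssl failure and would feed `user:` with an empty password to chpasswd; split it into `local random_password` / `random_password=$(openssl rand -base64 12) || return 1` / `[[ -n "$random_password" ]] || return 1`. Printing the new password to stdout also lands it in any log or CI transcript that captures the run; the function continues outside the hunk.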
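Review bot: `echo "DenyUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config` is not idempotent and is order-sensitive: every rerun appends another copy, and if the file already ends in a `Match` block the appended line becomes part of that block, where DenyUsers is not permitted and sshd will refuse the configuration. Guard it with `grep -qxF "DenyUsers $SYSADMIN_USER" /etc/ssh/sshd_config || echo "DenyUsers $SYSADMIN_USER" >> /etc/ssh/sshd_config` and, if this sshd_config already carries an `Include /etc/ssh/sshd_config.d/*.conf` line (not visible in the hunk), prefer a drop-in file there so the directive is never placed below a Match. It is worth validating with `sshd -t` before any restart the rest of configure_security performs; the function starts and ends outside this hunk.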
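Review bot: `passwd -l "$SYSADMIN_USER"` locks the very password that create_sysadmin_user rotates and prints in the same commit, so if configure_security runs after it in one invocation (likely from the function names, not visible here) the displayed password is unusable and, together with the new `DenyUsers` line, the account is reachable only via sudo/su from another account. If that is the intended model, a comment such as `# Password-less account: reachable only via sudo/su from an authorized account; SSH is denied above` should say so here, and the password printout in create_sysadmin_user should be dropped rather than shown to the operator. If interactive login for this user is still intended somewhere, `usermod -L` has the same effect and is equally wrong; the lock should be conditional. configure_security continues outside the hunk.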