The Memory Trap
Every Unix box has a root account, or an account that has absolute control over the machine, its files and controls.
From all accounts, admins should use this account sparingly, only for cases where cross-system control is needed. You can make big mistakes (i.e. wipe out the system with a badly-worded command) from root. If you have work to do that can be done from a user account, use that instead.
If you want to do root commands, you issue them from your account through the "sudo" command. basically sudo allows you to issue commands from another user's account (assuming you have the password).
The idea behind this is that not only will it limit the mistakes you may make, but also reduce the attack footprint of your server. A cracker, trying to get in via SSH, doesn't even get the option to guess the password to the root account to gain entry, because root can't log in from SSH at all.
Sudo actually has an option (sudo -i) that will allow you to work within a shell of a user account entirely--this means you evoke sudo once and then every thing you do from the command line is done from the account you've sudo'd in from, such as root. which is pretty neat, and eliminates the need to be able to access root from the outside (i.e. via SSH).
$sudo visudoIn CentOS, users with sudo priveleges are often kept in the "wheel" group (in Ubuntu, it is usually the "sudo" group. So you should enter, or uncomment, this line into the /etc/sudoers file:
%wheel ALL=(ALL) ALLThen, hopping back out of /etc/sudoers to the command line, add the desired user to the "wheel" group:
sudo usermod -aG wheel
(DigitalOcean users can find out more info here>)
To disable SSH access to root, simply edit the /etc/ssh/sshd_config file and set the "PermitRootLogin" parameter to no, by finding the "PermitRootLogin" line, uncommenting and changing "yes" to "no," if this is not done already:
PermitRootLogin NoMore info here.
Most distros, including Ubuntu, disable the root account by default.
But if you already enabled root on your Ubuntu, how do you un-enable it? Simple, from the root account, use the psswd command to "lock" the account, i.e. make it inaccessible from outside users. "passwd -l root"