The Logic of Disabling Root Login
So my droplet was hacked twice. And the third version is up. Fingers crossed.
The mistake I made in the first two was that I had root + password login enabled. I’ve learned since that there are brute-force bots out there that keep trying passwords until they get through. So I’m going the private SSH key route this time, no password.
What I learned in the process: By default Ubuntu Linux doesn’t limit password attempts in any way. You can keep trying different passwords forever. Shiver.
I have several questions about the logic of disabling root login:
Would it still be possible for the non-root user to use “su” to become root? If yes, then how many password attempts are allowed (i.e., is this too a situation where by default there’s no limit to password attempts?).
One would still need “root-like” access to the server once in a while, e.g., to give new users “sudo” privileges, etc. Presumably one would have a non-root user account with “sudo” privileges so that one can have such “root-like” access. Why is that not as big a security threat as having root login enabled?
Do experienced Linux server admins typically set up a non-root user such that one would need a private SSH key AND a password? This seems to me to be the safest option.
Note: I realize that the root username is an issue here. But given infinite free attempts, bruteforcing any username + password combination is just a matter of time.
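An added example to go with the question (editor's code, not something from the poster or from OpenSSH): a small auditor that reads sshd_config text and reports whether the settings the question is circling around are in place. It checks that root login is off entirely, that password login is off for everyone else (key-only), or, for the "private SSH key AND a password" setup asked about, that AuthenticationMethods demands both and that PasswordAuthentication is still on so the password step can actually run. It also reads MaxAuthTries, which is the server-side limit the question assumes does not exist; the caveat is that it only caps attempts per connection, a bot simply reconnects, so it is not a substitute for rate-limiting by source. The keyword names and their OpenSSH defaults come from sshd_config(5); the sample configs and the threshold of 3 attempts are constructed by the editor, and the parser deliberately stops at the first Match line because anything under it is conditional.

```python
"""sshd_config auditor for the settings the question raises.

Added example (editor's code, not from the post or from OpenSSH). It reads
sshd_config text and reports whether root login, password login, the
key+password combination and the per-connection attempt limit are set the
way the question wants. The sample configs at the bottom are constructed;
MAX_AUTH_TRIES_LIMIT is the editor's choice, not anything the post specifies.
"""
import re
from typing import Dict, List

# OpenSSH's own defaults for the keywords audited here (sshd_config(5)).
DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
    "authenticationmethods": "any",
}

MAX_AUTH_TRIES_LIMIT = 3  # editor's threshold; OpenSSH ships with 6


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global values of the audited keywords.

    Mirrors two sshd behaviours that trip people up: for each keyword the
    FIRST occurrence wins, and everything after a Match line is conditional,
    so parsing stops there instead of treating Match-block lines as global.
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # sshd accepts "Keyword value" and "Keyword=value"; keywords are
        # alphabetic and case-insensitive, values are kept as written.
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings


def requires_key_and_password(methods: str) -> bool:
    """True if AuthenticationMethods demands a public key AND a password
    in one chain (the 'both factors' setup from the third question)."""
    for chain in methods.split():
        if {"publickey", "password"} <= set(chain.split(",")):
            return True
    return False


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    findings: List[str] = []

    if s["permitrootlogin"] != "no":
        findings.append(
            f"PermitRootLogin is '{s['permitrootlogin']}': set it to 'no' so "
            "root is never a valid SSH login target, whatever the auth method")

    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication must stay 'yes' or keys cannot log in")

    if requires_key_and_password(s["authenticationmethods"]):
        # Key AND password: the password step needs PasswordAuthentication on,
        # otherwise the second step can never succeed and every login fails.
        if s["passwordauthentication"] != "yes":
            findings.append(
                "AuthenticationMethods asks for publickey,password but "
                "PasswordAuthentication is not 'yes': the password step cannot run")
    elif s["passwordauthentication"] != "no":
        findings.append(
            "PasswordAuthentication is not 'no': password guessing over SSH is "
            "still possible for every non-root account")

    if not s["maxauthtries"].isdigit():
        findings.append(f"MaxAuthTries '{s['maxauthtries']}' is not a number")
    elif int(s["maxauthtries"]) > MAX_AUTH_TRIES_LIMIT:
        findings.append(
            f"MaxAuthTries is {s['maxauthtries']}: this only caps attempts per "
            f"connection (a bot just reconnects), but keep it <= {MAX_AUTH_TRIES_LIMIT}")
    return findings


# Constructed samples, not taken from any real server.
WEAK_CONFIG = """\
# the setup the question describes: root and passwords both allowed
PermitRootLogin yes
PasswordAuthentication yes
"""

KEY_ONLY_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

KEY_AND_PASSWORD_CONFIG = """\
PermitRootLogin no
AuthenticationMethods publickey,password
PasswordAuthentication yes   # required for the password step to be offered
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("key-only", KEY_ONLY_CONFIG),
                      ("key+password", KEY_AND_PASSWORD_CONFIG)]:
        print(f"== {name} ==")
        for finding in audit(cfg) or ["OK"]:
            print("  -", finding)
```

Run it against a copy of a real /etc/ssh/sshd_config (`audit(open(path).read())`) before restarting sshd, and remember that settings placed under a Match block or in /etc/ssh/sshd_config.d/ are not seen by this parser; `sshd -T` prints the fully resolved configuration if you want the authoritative view.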