Background: 15 years of experience in software and apparently spoiled because it was already set up correctly.
Been practicing doing my own servers, published a test site and 24 hours later, root was compromised.
Rolled back to the backup before I made it public and now I have a security checklist.
Although disabling the root user is a good part of security, leaving it enabled should not alone cause you to get compromised. If it did, you were either running a very old version of OpenSSH with a known flaw, or, your chosen root password was very simple.
The latter. It was autogenerated by the VPS hosting service and I didn’t think about it.
It should be a serious red flag that your VPS host is generating root passwords simple enough to get quickly hacked.
I’m pretty sure they assumed if you bought their service, you have the competency to properly set it up.
And I proved them wrong.
It should be a red flag if the root account has a password at all. Shouldn’t be able to access it without sudo (or in extreme cases, after a single-user boot).
Also, I thought SSH root login was disabled by default. Has been in all Debian and RedHat variants I’ve ever used…
If you install Debian yourself, it asks you to set a root password. If you don’t provide one, it disables root and enables sudo.
Of course, if you’re running Debian provided by a cloud provider, it’s however they set it up for you.