Background: 15 years of experience in software and apparently spoiled because it was already set up correctly.
Been practicing doing my own servers, published a test site and 24 hours later, root was compromised.
Rolled back to the backup before I made it public and now I have a security checklist.
If you install Debian yourself, it asks you to set a root password. If you don’t provide one, it disables root and enables sudo.
Of course, if you’re running Debian provided by a cloud provider, it’s however they set it up for you.