Only one user should have the root password to a server, but since virtual private servers (VPS) can exist within a server, those users also have root passwords. Generally speaking, it is a bad practice to login to the server directly as root (administrator). Although SSH connections are encrypted, it is still a dangerous practice from a security perspective. Even administrative users should have lesser accounts that do not have superuser permissions.
To disable root login, edit your sshd_config file and add the following line (if it is not already present):
If you or another user with root access needs to become root, they can rely on “su” or “sudo” once they have logged in as a regular user with basic permissions.
The next important thing to secure is passwords, and a big no-no is using an empty password. In some circumstances, you cannot control what passwords (or lack thereof) other users choose, but with SSH, you can prevent users from choosing blank passwords. Enter the following line in sshd_config: