by INTPenis 1660 days ago
First step is actually passwd -l root for me, I always lock the root password. After ensuring I have a working admin account of course.

Using the root account at all is obsolete imho. Fedora, CentOS and RHEL all allow me to skip setting a root password and just use my admin user.


That was explicitly mentioned in the article, as was disabling password-based logins entirely.

There is a difference between ssh disabling passwords and local accounts being disabled.

Say ssh disallows password login but I know the root password. If I ssh onto the box as another user, I can then su to the root user. If the root user is locked I can't do this.

imho a distinct admin account is better than elevating a user account, which also runs a browser.

Yeah sure but it's still better to lock the root account and create a sudo admin account for all root tasks.

sure, security through obscurity is somewhat valid as the attacker then has to discover the 'sudo admin account' instead of going for root directly

Heh yeah but we don't call it security by obscurity because those are dirty words, we call it "best practice" instead. ;)

true
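An added example, not posted by any of the commenters, that audits the two controls the thread distinguishes: the local root account being locked (what passwd -l root does, by prefixing the hash in /etc/shadow with '!') and sshd refusing password logins. It parses constructed /etc/shadow and sshd_config fragments so it runs offline; the file contents and hash values are made up for the example.

```shell
#!/bin/sh
# Two separate controls, as the thread points out: sshd refusing passwords
# stops password logins over the network, but only a locked root account
# stops a local user from 'su'-ing to root with a known root password.

# Return 0 if root's password field in a shadow file is locked/unusable.
# passwd -l root writes a leading '!'; '*' also means no valid hash.
# An empty field means login with no password at all, so it is NOT locked.
root_locked_in_shadow() {
    field=$(printf '%s\n' "$1" | awk -F: '$1 == "root" { print $2 }')
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 if the sshd configuration text effectively disables password
# authentication. sshd honours the first occurrence of a keyword and the
# default when it is absent is "yes"; commented lines never match.
sshd_passwords_disabled() {
    val=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }')
    [ "$val" = "no" ]
}

# Combine both checks into one line of status for the two files.
audit() {
    if root_locked_in_shadow "$1"; then root=locked; else root=unlocked; fi
    if sshd_passwords_disabled "$2"; then ssh=off; else ssh=on; fi
    printf 'root:%s ssh-passwords:%s\n' "$root" "$ssh"
}

# Constructed sample inputs (hashes are placeholders, not real).
SHADOW_LOCKED='root:!$6$constructed$hashvalue:19000:0:99999:7:::
admin:$6$constructed$otherhash:19000:0:99999:7:::'
SHADOW_UNLOCKED='root:$6$constructed$hashvalue:19000:0:99999:7:::
admin:$6$constructed$otherhash:19000:0:99999:7:::'
SSHD_HARDENED='# constructed sshd_config fragment
PermitRootLogin no
PasswordAuthentication no'
SSHD_DEFAULT='# constructed sshd_config fragment, directive left commented out
#PasswordAuthentication yes
PermitRootLogin no'

audit "$SHADOW_LOCKED"   "$SSHD_HARDENED"   # root:locked ssh-passwords:off
audit "$SHADOW_UNLOCKED" "$SSHD_HARDENED"   # root:unlocked ssh-passwords:off
audit "$SHADOW_LOCKED"   "$SSHD_DEFAULT"    # root:locked ssh-passwords:on
```

On a live host, feed audit the contents of /etc/shadow (readable only by root) and the output of `sshd -T`, which prints the effective configuration in lowercase; `passwd -S root` is the quick manual equivalent of the first check, showing L for a locked account.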