I’ve been trough this way too many times. So here’s a note (mainly for myself) so you and I know what to do when connecting a Raspberry Pi to the web.
This (low-privileged) user is needed so we don’t need to use our root user to login or run applications (because the amount of rights the latter has is plain dangerous).
Well, this part is explained way better than I ever could on the Raspberry Pi website.
Now that we have a new user which we can use to login over ssh (tried and tested, right?), we can disable our root login over ssh.
To accomplish this you’ll need to change the /etc/ssh/sshd_config file.
and make sure this is in your configuration file:
PasswordAuthentication no PermitRootLogin no
Change it if it exists or add it if it doesn’t.
After your changes you’ll need to reload ssh:
Please be aware that this only covers the bare basics and you could (and should) do way more to secure your Pi.