I’ve been trough this way too many times. So here’s a note (mainly for myself) so you and I know what to do when connecting a Raspberry Pi to the web.
This (low-privileged) user is needed so we don’t need to use our root user to login or run applications (because the amount of rights the latter has is plain dangerous).
You can do that with: sudo adduser username
Needless to say you’ll want to change ‘username’ to a username you’d like to use.
Well, this part is explained way better than I ever could on the Raspberry Pi website.
Now that we have a new user which we can use to login over ssh (tried and tested, right?), we can disable our root login over ssh.
To accomplish this you’ll need to change the /etc/ssh/sshd_config file.
run: vim /etc/ssh/sshd_config
and make sure this is in your configuration file:
PasswordAuthentication no PermitRootLogin no
Change it if it exists or add it if it doesn’t.
After your changes you’ll need to reload ssh:
/etc/init.d/ssh reload
Please be aware that this only covers the bare basics and you could (and should) do way more to secure your Pi.