When to disable root account on ubuntu server

I've set up Ubuntu 20.xx as a web server in the cloud provided by Digital Ocean and wish to install Node, Express, Mongo and possibly NginX. In several articles there is mention of disabling root user to improve security and create a new user with administration access. In order, I created a new user and then used this to set-up all applications but ran into issue with nginx.

Should I instead use root user to set-up all applicatons first, and allow applications to run under root ? Then create a second admin user with ssh access and then disable ssh for root?

UPDATE1: Thanks for your assistance all, I've updated the question and added its a cloud install.

UPDATE2:

Thanks for the detailed explanation. As I understand it :

1. A Sudo user has the same privileges as root
2. A Sudo user can be tracked who performed actions (of relevance when multiple users are concerned)
3. Web applications (node, pm2, mongo) can be installed EITHER with root account and/or sudo user accounts, because these applications should run with their own default user accounts.
4. Disable root ssh in due course to protect against brute force attacks

On a stock install of Ubuntu Server on bare metal or a self-hosted VM, the root user is already disabled. DON'T enable root. Use Ubuntu the way that it's designed to be used.

On a cloud install of Ubuntu, you're not installing; the finished container/VM is handed to you. Cloud users often have a functioning root prompt so they can create admin sudo users. Advice: After you create those users and install their SSH keys, disable root login (and all password login) to protect your system from attackers.

If you are encountering a problem with nginx, please open a new question specifically about that problem.

When to disable root account on ubuntu server?

I would suggest not doing that but doing things to maximize security. Let's face it, if a government wants into your server, they will use an easy way to see your files. We only worry about the hackers out there.

I have an instance on RamNode I use for my websites. When I first learned how to setup an unattended Ubuntu server, I discovered several important things. As fast as you setup the server, someone will be trying to hack in!

1. Create a strong root password. It should be at least 32 characters long. Do not duplicate keys next to each other. Use all of the character keys on the keyboard in a random selection except the backtick ' key. Use special characters like $%& and don't use any words or phrases. I store my login data like this in a text file on my primary computer: ssh [email protected] 6^g0)6)nS3@sGh^7*9L:pR%bS@3d9

2. As soon as you have created your server, do this: ufw allow ssh ufw enable apt update apt list --upgradable apt upgrade

You have now locked out everyone trying to shell into your root and updated your Ubuntu files. No other ports are opened to allow any other access but ssh.

I also only use ipv4 so I lockout ipv6 access via the sshd_config file, the /etc/default/ufw file, and the /etc/default/grub file.

To see who is attacking you use this command: service sshd status You may be surprised to see how quickly they start trying to shell into your server. I get hit from China almost non-stop. The CCP has been stealing data from anywhere it can for decades. But that's another story.