I always disable remote root login and password authentication. Then I create purpose-specific remote users with sudo access only to the commands they need (and never access to sudo su). This is not only more security-conscious in my mind, but also allows me to just drop a friend or coworker's public key in the authorized_keys file for a certain user to allow that person to perform the function that user was purposed for (for instance, when I'm on vacation).
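An added example, not part of the comment above: a small POSIX shell audit for the policy it describes (remote root login and password authentication off, per-user sudo rules that never grant ALL or a root shell), run against constructed sshd_config and sudoers fragments whose file names and sample rules are made up here.

```shell
#!/bin/sh
# Added example (not the commenter's own script): audit an sshd_config and a sudoers
# fragment for the policy described above. Paths are passed as arguments so the
# checks can run against copies or test files rather than the live host.

# Print the effective value of an sshd_config keyword. sshd honours the FIRST
# occurrence of a keyword; commented lines are skipped and, to keep the check
# simple, everything from the first Match block onward is ignored.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# 0 when PermitRootLogin and PasswordAuthentication are both explicitly "no".
# An unset keyword fails too: sshd's default for PermitRootLogin still permits
# key-based root login, so relying on the default is not "disabled".
audit_sshd_config() {
    if [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] &&
       [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ]; then
        return 0
    fi
    return 1
}

# 0 when no active sudoers line grants the ALL command set or a shell/su binary,
# either of which is equivalent to the "sudo su" the comment rules out.
audit_sudoers() {
    if grep -Ev '^[[:space:]]*(#|$)' "$1" |
       grep -Eq '[[:space:]]ALL[[:space:]]*$|NOPASSWD:[[:space:]]*ALL|/bin/(su|sh|bash|dash)([[:space:]]|,|$)'; then
        return 1
    fi
    return 0
}

# Constructed sample files (not from any real host) so the script runs stand-alone.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf 'PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' > "$DEMO_DIR/sshd_hardened"
printf '# PermitRootLogin no\nPermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$DEMO_DIR/sshd_weak"
printf 'deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx\nbackup ALL=(root) /usr/local/bin/run-backup\n' > "$DEMO_DIR/sudoers_scoped"
printf 'ops ALL=(ALL) ALL\nops2 ALL=(root) /bin/su\n' > "$DEMO_DIR/sudoers_broad"

for f in sshd_hardened sshd_weak sudoers_scoped sudoers_broad; do
    case $f in sshd_*) fn=audit_sshd_config ;; *) fn=audit_sudoers ;; esac
    "$fn" "$DEMO_DIR/$f" && echo "$f: OK" || echo "$f: FAIL"
done
```

The sshd check deliberately rejects `prohibit-password`, since that still allows key-based root login rather than disabling remote root login as the comment describes.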