How do I disable root login over network?

The /etc/securetty file lists the devices on which "root" may log in. If you remove all entries except for tty1 through tty8, you'll prevent network logins for root.

ttyS* are serial devices (e.g., a modem or serial-connected terminal)
ttyp*, ttyq*, etc are network terminals

Can't telnet as 'root' into the system from outside?

You can login as root from the local console, also can do a "su", but not telnet as 'root'? This is because this is the default behaviour for security reasons. If you can, use ssh and scp instead of telnet and ftp. If you cannot or think that your system is secure, add the necessary number of pseudo terminals in /etc/securetty. You may also face this problem while logging from xterms locally.

ttyp0, ttyp1, ...., ttypa, ... (add one in each line)