
Faruk

Posted on • Originally published at Medium

The First 24 Hours After a Linux Breach — My Incident Response Playbook | by Faruk Ahmed | nextgenthreat | Aug, 2025


When you suspect a Linux server has been compromised, the clock starts ticking. The decisions you make in the first 24 hours can determine whether you contain the damage or hand the attacker more time.

Here’s the incident response sequence I follow — built from real-world cases — to secure the system, preserve evidence, and get operations back online.

⏱️ Hour 1: Contain Without Destroying Evidence

Do not reboot — you might lose volatile forensic data. Instead:

  • Disconnect the server from the network (disable NIC or pull the cable).
  • If it’s a cloud VM, disable security group rules or detach the public IP.
  • Notify your security/ops team immediately.

📌 Goal: Stop further damage without wiping the attacker’s tracks.

🗄️ Hour 2–4: Preserve Evidence

From a trusted admin machine:

ssh user@server 'tar czf /tmp/forensics.tgz /var/log /etc /home /tmp /root'
scp user@server:/tmp/forensics.tgz .

Also collect:

  • Running processes (ps auxf)
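A collector for the volatile state listed above, as an added example that is not the post's own code: it runs the commands over ssh from the trusted admin machine (or locally, for testing the collector itself), streams each output straight back instead of writing anything to the suspect disk, and records SHA-256 hashes so the evidence can be verified later. The command list and the helper names `collect_volatile` and `verify_evidence` are assumptions, not part of the original playbook.

```shell
#!/bin/sh
# Added example, not code from the original post. Captures the volatile state the
# playbook lists (ps auxf and friends) from the trusted admin machine. Output is
# streamed back over ssh, never written to the suspect disk, and a SHA-256
# manifest is recorded so the evidence can be verified later.
# Caveat: the remote commands still run the suspect host's own binaries, which a
# rootkit can tamper with; treat this as a baseline, not as ground truth.
# Usage: collect_volatile user@server ./evidence   (or: collect_volatile local ./evidence)

# One command per line, most volatile first (constructed list; extend as needed).
VOLATILE_CMDS='date -u
uptime
ps auxf
ss -tulpn
who -a
last -n 50
ls -la /tmp /var/tmp /dev/shm
crontab -l'

# Run one command on the target; "local" exists so the collector itself can be tested.
run_on() {
    if [ "$1" = "local" ]; then sh -c "$2"; else ssh "$1" "$2"; fi
}

# Save every command's output (stdout and stderr) to its own numbered file. A failing
# command, e.g. a tool the host lacks, is recorded rather than aborting the run.
collect_volatile() {
    target="$1"; outdir="$2"
    mkdir -p "$outdir" || return 1
    n=0
    printf '%s\n' "$VOLATILE_CMDS" | while IFS= read -r cmd; do
        n=$((n + 1))
        f="$outdir/$(printf '%02d' "$n")_$(printf '%s' "$cmd" | tr -c 'A-Za-z0-9' '_').txt"
        run_on "$target" "$cmd" >"$f" 2>&1 || printf '\n[exit status %s]\n' "$?" >>"$f"
    done
    # Hash manifest written last so it covers every captured file.
    (cd "$outdir" && sha256sum ./*.txt >MANIFEST.sha256)
}

# Re-check a collected evidence directory; returns 0 only if nothing changed.
verify_evidence() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}
```

Keep the evidence directory and its manifest on write-once or access-controlled storage; `verify_evidence` only proves integrity relative to the manifest, so the manifest itself must be protected.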

👉 Read Full Blog on Medium Here
