DEV Community

Faruk

Posted on • Originally published at Medium

Why I Treat Every New Linux Server as Already Compromised | by Faruk Ahmed | May, 2025


✍️ Full Blog Content:

Intro:

It sounds paranoid — but it’s not. Whether you’re launching a cloud VM, setting up a dev box, or inheriting a legacy Ubuntu server, assuming it’s already compromised changes the way you secure it. And more than once, this mindset has helped me catch things others miss. In this post, I’ll explain the exact steps I take right after deployment, and how they’ve saved me from future headaches.

1. Check What’s Already Running

Most admins jump straight into installing packages — I stop and look at what’s already live.

✅ Check open ports:

sudo ss -tuln

✅ Run a top-level process check:

ps aux --sort=-%mem | head

✅ See which services are enabled at boot:

systemctl list-unit-files --state=enabled

💡 Caught once: An unexpected FTP server installed from a base image.

2. List All Users and Logins Immediately

cut -d: -f1 /etc/passwd
last -a | head -n 10

✅ Check .bash_history for each user
✅ Look for unknown or dormant accounts suddenly…
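To make the checks in sections 1 and 2 repeatable, here is an added example (not code from the original post) that filters the output of `ss -tuln`, /etc/passwd and `systemctl list-unit-files --state=enabled` against an expected baseline, so anything the base image added stands out. The allow-lists and the SAMPLE_* inputs are constructed for the demo; on a real host pipe the live command output into the same functions.

```shell
#!/bin/sh
# Added example, not code from the original post. Three filters that mechanise the
# post's first two checks: compare `ss -tuln`, /etc/passwd and
# `systemctl list-unit-files --state=enabled` against what you expect to be there.
# The SAMPLE_* inputs are constructed so the script runs offline; on a real host
# pipe the live command output into the same functions instead.

# Print listening ports that are not in the space-separated allow-list ($1).
flag_unexpected_ports() {
  allow=" $1 "
  # Skip the header; "Local Address:Port" is field 5; strip everything up to the last colon.
  awk 'NR > 1 { print $5 }' | sed 's/.*://' | sort -un | while read -r port; do
    case "$allow" in *" $port "*) ;; *) echo "$port" ;; esac
  done
}

# Print accounts whose login shell is neither nologin nor false (they can log in).
login_accounts() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Print enabled unit files missing from the space-separated baseline list ($1).
unexpected_units() {
  baseline=" $1 "
  awk 'NR > 1 && $2 == "enabled" { print $1 }' | while read -r unit; do
    case "$baseline" in *" $unit "*) ;; *) echo "$unit" ;; esac
  done
}

# Constructed samples: a base image that quietly ships an FTP daemon, as in the post.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      32     0.0.0.0:21        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:101:101::/srv/ftp:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
svc:x:1001:1001::/home/svc:/bin/sh'
SAMPLE_UNITS='UNIT FILE                 STATE   VENDOR PRESET
ssh.service               enabled enabled
vsftpd.service            enabled enabled
systemd-timesyncd.service enabled enabled

3 unit files listed.'
echo "Unexpected listening ports:"; printf '%s\n' "$SAMPLE_SS" | flag_unexpected_ports '22 68'
echo "Accounts with a login shell:"; printf '%s\n' "$SAMPLE_PASSWD" | login_accounts
echo "Enabled units not in baseline:"; printf '%s\n' "$SAMPLE_UNITS" | unexpected_units 'ssh.service systemd-timesyncd.service'
```

On a live box the same three functions take `sudo ss -tuln`, `cat /etc/passwd` and `systemctl list-unit-files --state=enabled` on their standard input.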


👉 Read Full Blog on Medium Here
