If someone breached your server right now, would you even know? The faster you detect an intrusion, the faster you can stop it. In this post, we will walk through simple steps you can take to check for signs of unauthorized access and take immediate action - all within 60 seconds.
Check out my YouTube channel where I post all kinds of content accompanying my posts, including this video showing everything in this post.
Step 1: See Who’s Logged In
Run the following command to check who is currently logged in:
who
You should only see authorized users. If you spot a suspicious login, it might be time to investigate.
Step 2: Check Running Processes
See what’s running and sort by memory usage:
ps aux --sort=-%mem | head
Look for unfamiliar or suspicious processes. Malware often disguises itself with odd names or runs in the background silently.
Step 3: Inspect Network Connections
Identify listening services and active connections:
ss -tulwn
Check for unexpected open ports or connections to unknown IPs.
Step 4: Review Auth Logs
Look at recent authentication attempts:
tail -n 20 /var/log/auth.log
Watch for failed login attempts or unusual root access events. On systems that log to the systemd journal instead of /var/log/auth.log, you might need to check:
journalctl -xe | grep ssh
Step 5: Check for Recently Banned IPs (if using Fail2Ban)
sudo fail2ban-client status sshd
Review which IPs have been banned and why. This helps track brute force attempts.
Bonus: File Integrity Check
If you’re using tools like AIDE or Tripwire, run an integrity scan to detect any unauthorized file changes:
aide --check
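To make steps 3 and 4 repeatable, here is a small triage helper I am adding to this post (it is not from the original checklist). It summarizes failed SSH logins per source IP from auth.log-style lines and flags any listening port that is not on an allowlist you pass in; the log lines and ss output below are constructed samples using documentation IP ranges, and the allowlist ports are assumed values.

```shell
#!/bin/sh
# Added triage helper (not from the original post): runs the "review auth logs"
# and "inspect network connections" checks over text you feed it, so it also
# works on a saved copy of auth.log or captured `ss -tulwn` output.

# Count sshd "Failed password" attempts per source IP.
# Input: auth.log-style lines on stdin. Output: "<count> <ip>", highest first.
failed_logins_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password' \
        | sed -E 's/.* from ([0-9a-fA-F.:]+) port .*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# List listening ports that are not on an allowlist.
# Input: `ss -tulwn` output on stdin; $1: space-separated expected ports.
unexpected_listeners() {
    allowed=" $1 "
    awk 'NR > 1 { print $5 }' \
        | sed -E 's/.*:([0-9]+)$/\1/' | sort -un \
        | while read -r port; do
            case "$allowed" in
                *" $port "*) ;;          # expected port, ignore
                *) echo "$port" ;;       # not on the allowlist, report it
            esac
        done
}

# Constructed sample input (placeholder hostname, documentation IP ranges).
SAMPLE_AUTH='Apr  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr  3 10:01:05 host sshd[1234]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr  3 10:01:09 host sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Apr  3 10:02:11 host sshd[1250]: Failed password for root from 198.51.100.7 port 33322 ssh2'
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511           [::]:80           [::]:*
tcp   LISTEN 0      128        0.0.0.0:9001      0.0.0.0:*'

echo "Failed SSH logins per source IP:"
printf '%s\n' "$SAMPLE_AUTH" | failed_logins_by_ip
echo "Listeners not on the allowlist (22 68 80):"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 68 80"
# Live use: failed_logins_by_ip < /var/log/auth.log
#           ss -tulwn | unexpected_listeners "22 80 443"
```

On the sample data this reports two failures from 203.0.113.5, one from 198.51.100.7, and port 9001 as the only listener outside the allowlist.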
Final Thoughts
Speed matters. While these steps won’t replace a full intrusion detection system, they can help you spot threats early and react quickly.
Want to go further? Set up automated alerts, enable two-factor authentication, and install Fail2Ban to actively block brute-force attacks.
Thank you for reading this blog post. If you found the post helpful or interesting, here are a few ways you can show your support:
🐦 Follow me on X
📺 Subscribe to my YouTube channel
Your support and engagement means a lot to me as an open-source developer.
Stay safe out there!
Top comments (2)
That’s a great post! Straightforward, practical, and something any sysadmin can actually use in the moment. I like how you focused on fast manual checks before jumping into heavy tooling. Do you usually pair these kinds of posts with live demos on your YouTube channel?
Thanks, Roshan! Yes, I usually do. I like adding quick demos on my YouTube channel so people can follow along. Glad you found it useful! Much appreciated!