Detect Linux Server Intrusions


This content originally appeared on DEV Community and was authored by Tshenolo Mos

If someone breached your server right now, would you even know? The faster you detect an intrusion, the faster you can stop it. In this post, we will walk through simple steps you can take to check for signs of unauthorized access and take immediate action - all within 60 seconds.

Check out my YouTube channel, where I post all kinds of content accompanying my posts, including this video showing everything in this post.

Step 1: See Who’s Logged In

Run the following command to check who is currently logged in:

who

You should only see authorized users. If you spot a suspicious login, it might be time to investigate.

Step 2: Check Running Processes

See what’s running and sort by memory usage:

ps aux --sort=-%mem | head

Look for unfamiliar or suspicious processes. Malware often disguises itself with odd names or runs in the background silently.

Step 3: Inspect Network Connections

Identify listening services and active connections:

ss -tulwn

Check for unexpected open ports or connections to unknown IPs.

Step 4: Review Auth Logs

Look at recent authentication attempts:

tail -n 20 /var/log/auth.log

Watch for failed login attempts or unusual root access events. On systems that log to the systemd journal rather than /var/log/auth.log, check:

journalctl -xe | grep ssh
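
The "Review Auth Logs" step is easier at a glance if you let the shell count for you. The following POSIX shell helper is an added example, not code from the original post: it summarises failed SSH logins per source IP, flags IPs that cross a threshold, and lists successful root logins. It assumes the classic OpenSSH syslog line format and runs against a constructed sample; pipe the real log in instead of the sample in practice.

```sh
#!/bin/sh
# Added triage helper (not from the original post): summarises SSH events from
# auth.log-style input. Assumes the classic OpenSSH syslog line format.

# Constructed sample auth.log excerpt (not real data).
SAMPLE_AUTH_LOG='Oct 24 17:50:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 24 17:50:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Oct 24 17:50:05 host sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct 24 17:51:10 host sshd[1210]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Oct 24 17:52:44 host sshd[1220]: Accepted password for root from 203.0.113.7 port 51240 ssh2
Oct 24 17:53:00 host sshd[1230]: Failed password for ubuntu from 198.51.100.4 port 33000 ssh2'

# Failed SSH logins per source IP, most frequent first ("IP count" per line).
# Usage: failed_logins_by_ip < /var/log/auth.log
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# IPs whose failure count reaches the threshold (default 3): brute-force candidates.
# Usage: brute_force_candidates [threshold] < /var/log/auth.log
brute_force_candidates() {
    failed_logins_by_ip | awk -v t="${1:-3}" '$2 >= t { print $1 }'
}

# Successful root logins as "IP method". A password login for root from an IP
# that was also failing shortly before is the pattern Step 4 says to watch for.
# Usage: root_logins < /var/log/auth.log
root_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' |
        sed -n 's/.*Accepted \([a-z]*\) for root from \([0-9.]*\) port .*/\2 \1/p'
}

# Demo against the constructed sample; use the real log in practice.
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_candidates 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | root_logins
```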

Step 5: Check for Recently Banned IPs (if using Fail2Ban)

sudo fail2ban-client status sshd

Review which IPs have been banned and why. This helps track brute force attempts.

Bonus: File Integrity Check

If you’re using tools like AIDE or Tripwire, run an integrity scan to detect any unauthorized file changes:

aide --check

Final Thoughts

Speed matters. While these steps won’t replace a full intrusion detection system, they can help you spot threats early and react quickly.

Want to go further? Set up automated alerts, enable two-factor authentication, and install Fail2Ban to actively block brute-force attacks.

Thank you for reading this blog post. If you found the post helpful or interesting, here are a few ways you can show your support:

🐦 Follow me on X
📺 Subscribe to my YouTube channel

Your support and engagement mean a lot to me as an open-source developer.

Stay safe out there!



Tshenolo Mos | Sciencx (2025-10-24T17:56:47+00:00) Detect Linux Server Intrusions. Retrieved from https://www.scien.cx/2025/10/24/detect-linux-server-intrusions/