The One Log Entry That Made Me Realize My Linux Server Was Being Scanned
Intro:
Sometimes, all it takes is one line in a log file to know you’re being watched. For me, it was a failed SSH attempt from an IP address in a country I had no business with. From that point on, I stopped assuming my server was invisible and started logging like my job depended on it. Here’s exactly what I saw — and what you should be looking for too.
1. The Log That Changed Everything
✅ Check SSH logs:
Ubuntu:
grep "Failed password" /var/log/auth.log
Red Hat/CentOS:
grep "Failed password" /var/log/secure
What I saw:
Failed password for invalid user admin from 194.58.123.45 port 54762 ssh2
That IP didn’t belong to me. And the admin user didn’t exist. It was a bot scanning and trying brute-force logins.
2. What I Did Immediately
✅ Checked how many attempts:
grep "Failed password" /var/log/auth.log | wc -l
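The total from wc -l does not say who is knocking. The function below is an added example, not part of the original post: it breaks the same "Failed password" lines down per source IP, and the function name failed_ssh_by_ip and its three-column output are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post).
# Usage: failed_ssh_by_ip /var/log/auth.log      (or /var/log/secure)
# Output columns: total failures, failures for nonexistent users, source IP.

failed_ssh_by_ip() {
  # The username in these lines is chosen by the remote client and may
  # contain spaces or even the word "from", so the address is read from
  # the END of the line:  ... from <ip> port <port> ssh2
  awk '
    /Failed password for / {
      n = 1
      # rsyslog may collapse duplicates into
      # "message repeated N times: [ Failed password ... ssh2]"
      if (match($0, /message repeated [0-9]+ times/)) {
        split(substr($0, RSTART, RLENGTH), r, " ")
        n = r[3]
      }
      sub(/\]$/, "")   # drop the closing bracket of a collapsed line
      if (NF >= 6 && $(NF-4) == "from" && $(NF-2) == "port") {
        ip = $(NF-3)
        total[ip] += n
        if ($0 ~ /Failed password for invalid user /) invalid[ip] += n
      }
    }
    END {
      for (ip in total)
        printf "%d %d %s\n", total[ip], invalid[ip], ip
    }
  ' "$1" | sort -k1,1nr -k3,3
}
```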