The One Log Entry That Made Me Realize My Linux Server Was Being Scanned | by Faruk Ahmed | May, 2025

Publish Date: May 30

The One Log Entry That Made Me Realize My Linux Server Was Being Scanned


✍️ Full Blog Content:

Intro:

Sometimes, all it takes is one line in a log file to know you’re being watched. For me, it was a failed SSH attempt from an IP address in a country I had no business with. From that point on, I stopped assuming my server was invisible and started logging like my job depended on it. Here’s exactly what I saw — and what you should be looking for too.

1. The Log That Changed Everything

✅ Check SSH logs:

Ubuntu:

grep "Failed password" /var/log/auth.log

Red Hat/CentOS:

grep "Failed password" /var/log/secure

What I saw:

Failed password for invalid user admin from 194.58.123.45 port 54762 ssh2

That IP didn’t belong to me. And the admin user didn’t exist. It was a bot scanning and trying brute-force logins.

2. What I Did Immediately

✅ Checked how many attempts:

grep "Failed password" /var/log/auth.log | wc -l
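A raw count tells you something is happening, but not who or what. As an added example (not from the original post), this POSIX shell script tallies "Failed password" lines by source IP and by attempted username, over constructed sample lines that imitate auth.log; SAMPLE_LOG, the function names and the threshold of 3 are assumptions, and on a real box you would point it at /var/log/auth.log or /var/log/secure.

```shell
#!/usr/bin/env sh
# Added example: triage sshd "Failed password" lines beyond a plain count.
# Constructed sample log (not real data); swap in /var/log/auth.log or
# /var/log/secure on a real system.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May 30 02:11:07 host sshd[2231]: Failed password for invalid user admin from 194.58.123.45 port 54762 ssh2
May 30 02:11:09 host sshd[2231]: Failed password for invalid user admin from 194.58.123.45 port 54763 ssh2
May 30 02:12:40 host sshd[2240]: Failed password for root from 194.58.123.45 port 54790 ssh2
May 30 02:15:03 host sshd[2251]: Failed password for invalid user test from 203.0.113.7 port 41022 ssh2
May 30 02:15:10 host sshd[2252]: Accepted publickey for deploy from 198.51.100.4 port 50200 ssh2
EOF

# Total failed attempts, the same number the post gets from "| wc -l".
count_failed() { grep -c "Failed password" "$1"; }

# Failed attempts per source IP, busiest first, printed as "<count> <ip>".
# The IP is the field right after the word "from".
failed_by_ip() {
    grep "Failed password" "$1" \
        | awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Usernames that do not exist on this host ("invalid user"), with how often each was tried.
invalid_users() {
    grep "Failed password for invalid user" "$1" \
        | awk '{for (i = 1; i <= NF; i++) if ($i == "user") print $(i+1)}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# IPs with at least N failures: a crude threshold for "this is a scanner, not a typo".
ips_over_threshold() { failed_by_ip "$1" | awk -v n="$2" '$1 >= n {print $2}'; }

count_failed "$SAMPLE_LOG"
failed_by_ip "$SAMPLE_LOG"
invalid_users "$SAMPLE_LOG"
ips_over_threshold "$SAMPLE_LOG" 3
```

The "invalid user" list is the quick tell: names like admin or test that were never created on the host only show up when someone is guessing.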

👉 Read Full Blog on Medium Here
