Why I Set Email Alerts for Every New User Added to My Linux Server (And How You Can Too) | by Faruk Ahmed | Jul, 2025

Faruk @cyberwebpen

About: InfoSec Analyst | 10+ yrs in DLP, CrowdStrike, QRadar, Qualys, Linux Admin, WebLogic Admin | Python & Bash Enthusiast | Passionate about cybersecurity, automation, and continuous learning.

Joined:
Apr 27, 2025


Publish Date: Jul 8


Why I Set Email Alerts for Every New User Added to My Linux Server (And How You Can Too)


Intro: New users being added to a server may seem harmless — especially if you’re managing it solo. But on a shared or internet-facing server, this can be the first sign of a breach. I learned this the hard way after noticing strange sudo activity from a user I never created. Here’s how I now monitor all user creations and how you can set up real-time email alerts on both Ubuntu and Red Hat.

  1. Why You Should Care About New Users

A newly created user with sudo access can:

  • Install malware
  • Serve as a foothold for lateral movement to other hosts
  • Hide activity using rootkits

Even without sudo, attackers use fake users for persistence — so catching it early is key.

  2. Monitor /etc/passwd in Real Time Using auditd

Install auditd:

  # Ubuntu
  sudo apt install auditd -y

  # Red Hat
  sudo yum install audit -y

Create an audit rule:

  sudo auditctl -w /etc/passwd -p wa -k useradd-watch

This tells the kernel to watch /etc/passwd for writes and attribute changes (-p wa: w = write, a = attribute change such as ownership or permissions) and to tag every matching record with the key useradd-watch (-k), so you can pull those records out later with ausearch -k useradd-watch. One caveat: a rule added with auditctl lives only until the next reboot. To make it permanent, put the same rule line (-w /etc/passwd -p wa -k useradd-watch) in a file under /etc/audit/rules.d/, for example /etc/audit/rules.d/useradd-watch.rules, and reload the rules with sudo augenrules --load.
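As an added example (not code from the post), here is a POSIX shell script that turns the records tagged with that key into an email alert. It assumes the rule above is loaded, that ausearch is installed with auditd, and that a local mail command is configured to deliver to root; the three audit records embedded in it are constructed for demonstration, and the parser works on whatever ausearch --raw prints. The auid field is the important one: it is the login uid, which survives sudo and su, so it tells you which account actually made the change rather than just "root".

```shell
#!/bin/sh
# Added example, not part of the original post: summarize auditd records
# carrying the key set by the auditctl rule and turn them into an email body.
# Assumes the rule above is loaded, ausearch exists, and a local "mail"
# command is configured; the sample records below are constructed.

AUDIT_KEY="useradd-watch"

# Constructed sample of what `ausearch -k useradd-watch --raw` prints:
# a useradd run as root, an editor run by a non-root account, and one
# unrelated record under a different key that must be ignored.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1720400000.123:4567): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2101 pid=2150 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="useradd-watch"
type=SYSCALL msg=audit(1720400300.456:4590): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=3300 pid=3310 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="vim" exe="/usr/bin/vim" key="useradd-watch"
type=SYSCALL msg=audit(1720400400.789:4601): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2101 pid=2160 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="apt" exe="/usr/bin/apt" key="other-key"'

# Print one line per record tagged with key $1 (records on stdin):
#   <epoch> <comm> (<exe>) auid=<login uid>
# auid is the original login uid; it survives sudo/su, so it identifies
# who really made the change even when uid=0.
summarize_passwd_writes() {
    awk -v key="key=\"$1\"" '
        index($0, key) {
            ts = ""; auid = ""; comm = ""; exe = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]
                gsub("\"", "", v)          # strip the quotes auditd puts around strings
                if (kv[1] == "msg") {      # msg=audit(<epoch>.<ms>:<serial>):
                    sub(/^audit\(/, "", v)
                    sub(/\..*$/, "", v)
                    ts = v
                } else if (kv[1] == "auid") auid = v
                else if (kv[1] == "comm") comm = v
                else if (kv[1] == "exe") exe = v
            }
            printf "%s %s (%s) auid=%s\n", ts, comm, exe, auid
        }'
}

# Number of records on stdin tagged with key $1.
count_passwd_writes() {
    summarize_passwd_writes "$1" | wc -l | tr -d ' '
}

# Build the alert text for host $1 from records on stdin; return 1 when
# there is nothing to report so the caller can skip sending mail.
build_alert() {
    summary=$(summarize_passwd_writes "$AUDIT_KEY")
    [ -n "$summary" ] || return 1
    printf 'Host: %s\nRecords tagged %s:\n%s\n' "$1" "$AUDIT_KEY" "$summary"
}

# Real use: run this from cron every few minutes. "-ts recent" limits
# ausearch to the last 10 minutes, so each run reports only new records,
# and nothing is sent when the body is empty.
send_alert() {
    body=$(ausearch -k "$AUDIT_KEY" -ts recent --raw 2>/dev/null \
           | build_alert "$(hostname)") || return 0
    printf '%s\n' "$body" | mail -s "[$(hostname)] /etc/passwd modified" root
}

# Demo on the constructed sample (no mail is sent): ./passwd-alert.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_AUDIT" | build_alert demo-host
fi
```

Running the script with the demo argument prints a two-record alert body (the useradd run and the editor write) and drops the apt record, because it carries a different key. For the cron version, the interval should match the window of -ts recent (10 minutes) so that records are neither missed nor reported twice.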
