SSH brute-force fingerprints: how to read /var/log/auth.log without grep madness — awk one-liners that actually work

Multi-pane terminal session showing log output and system monitoring on a dark monitor — photo by Tima Miroshnichenko on Pexels

Open /var/log/auth.log on a public-facing server and you’ll see thousands of lines per day — failed logins, accepted logins, sudo events, cron registrations. The signal you usually care about (who’s brute-forcing me, from where, against which users?) is buried in …
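The kind of triage the post is about, as an added example that is not code from the article: a few awk functions that answer "who, from where, against which users" over a constructed auth.log sample. The log lines are made up for the demo (the IPs are documentation ranges), and the function names are this example's own. The awk locates the source address by the `from` keyword rather than by field position, because `Failed password for invalid user X from IP` and `Failed password for X from IP` shift the columns by two.

```shell
#!/usr/bin/env bash
# Added example: summarise SSH password brute-force attempts from an
# auth.log-style file. Not from the article; sample lines are constructed.
set -eu

# Constructed sample of /var/log/auth.log: sshd failures for a nonexistent
# account and for root, one accepted key login, plus cron/sudo noise.
SAMPLE_LOG=$(cat <<'EOF'
Jan 12 03:14:07 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:09 web1 sshd[2233]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:10 web1 sshd[2233]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:11 web1 CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 12 03:14:12 web1 sshd[2245]: Accepted publickey for deploy from 198.51.100.5 port 40112 ssh2: ED25519 SHA256:abc
Jan 12 03:14:15 web1 sshd[2250]: Failed password for invalid user oracle from 198.51.100.23 port 60010 ssh2
Jan 12 03:14:16 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jan 12 03:14:20 web1 sshd[2252]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:22 web1 sshd[2253]: Invalid user test from 203.0.113.7 port 51242
EOF
)

# Reads auth.log lines on stdin; prints "<failures> <source-ip>", busiest first.
failed_by_ip() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      # The IP is always the field after "from"; its index varies with
      # the presence of "invalid user", so find it by keyword.
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      count[ip]++
    }
    END { for (ip in count) print count[ip], ip }
  ' | sort -rn
}

# Reads auth.log lines on stdin; prints "<failures> <ip> <user> <kind>" where
# kind is "nonexistent" (sshd said "invalid user") or "real" (account exists).
# Attempts against real accounts are the ones worth a closer look.
failed_by_ip_user() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
      kind = ($0 ~ / invalid user /) ? "nonexistent" : "real"
      count[ip " " user " " kind]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Reads auth.log lines on stdin; prints source IPs with at least $1 failures.
# Suitable as input to a firewall drop list (threshold is an assumption).
brute_force_sources() {
  threshold=$1
  failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip_user
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 3
```

On a real host run `failed_by_ip < /var/log/auth.log`; on systems that log only to journald (Debian 12 ships without rsyslog, so the file may not exist), `journalctl -u ssh -o short | failed_by_ip` yields the same line format. Two caveats: the `Failed password` match only covers password authentication, so key-probing scanners that disconnect at `[preauth]` and the bare `Invalid user` lines need their own patterns, and the `invalid user` split depends on sshd's message wording, which is stable but not a contract.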

Detecting WordPress malware via reverse-DNS lookups on outbound POST requests: 30 lines of bash that catches exfil

Network switch with active port LEDs and ethernet cables — photo by Pixabay on Pexels

The interesting thing about WordPress malware in 2026 is that most of it doesn’t try to hide on disk anymore. Filesystem scanners catch the obvious things — random PHP at webroot, .hph extension shadows, polyglot images. The newer payloads live …