Check Whether Databases Listen Publicly
The fastest database security check is the listening address.
ss -ltnp | awk '$4 ~ /:(5432|3306)$/ {print}'
topic
Cybersecurity Triage
Defensive commands for checking exposure, logs, permissions, and suspicious activity.
69 checked fixes
Commands in this topic
Simulate Security Package Upgrades
Security patch triage starts by seeing what apt would change, without changing it.
apt-get -s upgrade | awk '/^Inst/ && /security/ {print}'
Prove a Package Candidate Is From Security
The package name is not enough; the candidate repository tells the patch story.
apt-cache policy openssl | sed -n '/Installed:/p;/Candidate:/p;/security/p'
Find Held Packages Blocking Patches
A held package can quietly keep a security update out of production.
apt-mark showhold | sed 's/^/held: /'
Review Kept-Back Packages Before Patching
Kept-back packages are where simple upgrade plans stop being simple.
apt-get -s upgrade | sed -n '/kept back:/,/^Inst/p'
Dry-Run Unattended Security Upgrades
Unattended upgrades can explain what they would patch before they patch it.
unattended-upgrade --dry-run --debug 2>&1 | sed -n '/Packages that will be upgraded:/,/^$/p'
Find Services Needing Restart After Patches
A patched library does not protect a process still using the old one.
needrestart -b | sed -n 's/^NEEDRESTART-SVC: //p'
Build a Recent Apt Patch Timeline
Apt history turns patch claims into timestamps and package names.
awk '/^(Start-Date|Commandline|Upgrade|End-Date)/ {print}' /var/log/apt/history.log
Find Warnings in Apt Terminal Logs
The package installed, but the terminal log may still contain the warning that matters.
grep -Ei 'warning|error|failed|dpkg' /var/log/apt/term.log
Preview Security Impact of dist-upgrade
Kernel and dependency security fixes may only appear in the broader upgrade plan.
apt-get -s dist-upgrade | awk '/^Inst/ {print}'
Check Whether Patches Require Reboot
Some security fixes are not complete until the host boots the new kernel or libraries.
test -f /var/run/reboot-required && printf 'reboot-required\n' && cat /var/run/reboot-required.pkgs
Extract Environment Names Only
Audit environment labels without printing secret values.
grep -RhoE 'ENVIRONMENT|NODE_ENV|APP_ENV|RAILS_ENV' config deploy | sort -u
Inspect Container Environment Names
Check what environment variables exist without printing their secret values.
docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' api | sed 's/=.*$/=<redacted>/'
Review Recent Docker Events
Docker keeps a recent event trail for starts, stops, pulls, and health changes.
docker events --since 30m --until 0s
Read UFW Policy Verbosely
The firewall was active, but the defaults mattered more than the rule list.
ufw status verbose
List Numbered UFW Rules
Numbered rules make firewall review less ambiguous.
ufw status numbered
Show the nftables Input Chain
The packet path was hiding below UFW.
nft list ruleset | sed -n '/chain input/,/}/p'
Show iptables INPUT Rules
Legacy firewall state can still explain live exposure.
iptables -S INPUT
List Listening TCP Sockets
Firewall rules matter after you know what is listening.
ss -ltnp
Show Publicly Bound Listeners
Localhost services are different from public listeners.
ss -ltnp | awk 'NR==1 || $4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/'
Find Allowed Ports with No Listener
An open firewall rule can outlive the service it was created for.
comm -23 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '/LISTEN/ {n=split($4,a,":"); print a[n]}' | sort -u)
Find Public Listeners Not Allowed by UFW
The process was public, but the firewall did not mention it.
comm -13 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '$4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/ {n=split($4,a,":"); print a[n]}' | sort -u)
Check Whether SSH Is Publicly Bound
SSH can be locked down by source and still bind publicly.
ss -ltnp | awk '$4 ~ /:22$/ && $4 !~ /^127[.]/ {print}'
Show Local-Only Database Listeners
The database was listening, but only on localhost.
ss -ltnp | awk '$4 ~ /^127[.]0[.]0[.]1:(5432|3306|6379)$/ {print}'
Redact Secret-Looking Log Lines
Incident notes should not copy secrets forward.
grep -RInEi '(password|token|secret|authorization)' /var/log/app /var/log/deploy.log 2>/dev/null | sed -E 's/((password|token|secret)[[:space:]]*[:=])[[:alnum:]_.-]+/\1REDACTED/Ig; s/([Aa]uthorization[[:space:]]*:[[:space:]]*[Bb]earer[[:space:]]+)[[:alnum:]_.-]+/\1REDACTED/g'
Find Writable Directories Missing the Sticky Bit
A writable log directory is not the same thing as a safe shared directory.
find /srv/www/example -type d -perm -0002 ! -perm -1000 -printf '%m %u:%g %p\n' 2>/dev/null | sort
Find SUID, SGID, and Sticky Bits in an App Tree
Special bits are easy to miss in a long ls listing.
find /srv/www/example -perm /7000 -printf '%M %m %u:%g %p\n' 2>/dev/null | sort
Find World-Readable Secret-Looking Files
The fastest secret audit starts with readable files that look like secrets.
find /srv/www/example -type f -perm -0004 \( -iname '*secret*' -o -iname '*.env' -o -iname '*token*' -o -iname '*key*' \) -printf '%M %u:%g %p\n' 2>/dev/null | sort
Find Config Files with Execute Bits
Config files do not usually need to be executable.
find /srv/www/example -type f -perm /111 \( -path '*/config/*' -o -name '*.env' -o -name '*.conf' \) -printf '%M %u:%g %p\n' 2>/dev/null | sort
Find Upload Files Writable Outside the Owner
Uploads are supposed to be writable at the edge, not writable forever by everyone.
find /srv/www/example/shared/uploads -type f -perm /0022 -printf '%M %u:%g %p\n' 2>/dev/null | sort
Find Listening Ports with ss
Before blaming the firewall, check whether anything is actually listening.
ss -ltnp
Inspect Established Network Connections
Unexpected connections are easier to reason about when you can see them directly.
ss -tan state established
Summarize SSH Auth Outcomes
SSH logs get easier to read once accepted and failed methods are counted.
awk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nr
Find SSH Password Auth Exceptions
A global password-auth setting can be changed later by a Match block.
awk '/^Match /{ctx=$0} /^PasswordAuthentication|^AuthenticationMethods|^[[:space:]]+PasswordAuthentication|^[[:space:]]+AuthenticationMethods/ {print (ctx ? ctx : "global") ": " $0}' etc/ssh/sshd_config
List SSH Allow and Deny Rules
SSH access can be shaped by users, groups, and Match blocks.
grep -RhnE '^(AllowUsers|AllowGroups|DenyUsers|DenyGroups|Match )' etc/ssh
Inventory SSH authorized_keys
authorized_keys files are the practical list of who can use key-based SSH.
find /home -path '*/.ssh/authorized_keys' -exec awk '{print FILENAME, $1, $NF}' {} + 2>/dev/null
List Accepted SSH Login Sources
Successful SSH logins are the access events worth anchoring first.
awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log
Show Failed SSH Public-Key Users
A failed public-key attempt often points to stale keys or the wrong account.
awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr
Summarize SSH Authorized Key Types
Key inventory gets more useful when old key types stand out.
find /home -path '*/.ssh/authorized_keys' -exec awk '{print $1}' {} + 2>/dev/null | sort | uniq -c | sort -nr
Find Loose authorized_keys Modes
SSH key access files should not be looser than intended.
find /home -path '*/.ssh/authorized_keys' -printf '%m %p\n' 2>/dev/null | awk '$1 > 600'
Show SSH Auth Policy Order
The order of Include, Match, and authentication directives changes how SSH policy reads.
grep -nE '^(Include|Match |PubkeyAuthentication|PasswordAuthentication|AuthenticationMethods|[[:space:]]+(PasswordAuthentication|AuthenticationMethods))' etc/ssh/sshd_config
Extract SSH AllowUsers Accounts
AllowUsers turns SSH access into an explicit account list.
awk '/^AllowUsers/ {for (i = 2; i <= NF; i++) print $i}' etc/ssh/sshd_config
List Accounts with Login Shells
Login shells are the first account inventory to review.
awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' /etc/passwd
Find Password-Enabled Accounts
A shell account with an unlocked password hash deserves extra attention.
sudo awk -F: '$2 !~ /^(!|\*)/ {print $1}' /etc/shadow
Review sudo Grants
Privilege paths should be visible before you remove or approve access.
awk -F: '$1=="sudo" {print "sudo group: " $4}' /etc/group; sudo grep -RhnE '^[^#].*ALL=' /etc/sudoers /etc/sudoers.d 2>/dev/null
Count authorized_keys by User
authorized_keys is the practical SSH access list.
find /home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + 2>/dev/null | sort
Find SSH Keys for nologin Users
A nologin shell does not automatically mean SSH keys are irrelevant.
comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' /etc/passwd | sort) <(find /home -path '*/.ssh/authorized_keys' -printf '%h\n' 2>/dev/null | awk -F/ '{print $(NF-1)}' | sort)
Show Successful Logins and sudo Use
Access reviews need both who logged in and who elevated privileges.
grep -E 'Accepted publickey|sudo:' /var/log/auth.log 2>/dev/null
List Privileged Group Members
Group membership can grant more access than the username suggests.
awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' /etc/group
Summarize sudo Commands by User
Privilege history is easier to review when users and commands are separated.
sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' /var/log/auth.log 2>/dev/null | sort
Review a Breakglass Account
Emergency accounts should be easy to find and hard to ignore.
sudo grep -Rhn 'breakglass' /etc /home /var/log/auth.log 2>/dev/null
Find SSH Key Users with sudo
The highest-priority access review starts where SSH keys and sudo overlap.
comm -12 <(find /home -path '*/.ssh/authorized_keys' -printf '%h\n' 2>/dev/null | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' /etc/group | sort)
Count Failed SSH Login Users
Failed SSH attempts are noisy; grouping users makes the pattern readable.
sed -n 's/.*Failed password for \(invalid user \)\?\([^ ]*\) from .*/\2/p' logs/auth.log | sort | uniq -c | sort -nr
Count Failed SSH Login IPs
The loudest SSH source is usually visible with one count.
sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr
Show Accepted SSH Logins
During first response, successful logins matter more than background noise.
grep 'Accepted publickey' logs/auth.log
Show Recent sudo Commands
Privilege use is one of the fastest first-response signals.
grep 'sudo:' logs/auth.log | tail -n 10
List Listening Ports on a VPS
Unexpected network listeners are first-response evidence.
ss -ltnp
List Users with Login Shells
Not every local account should be able to log in.
awk -F: '$7 ~ /sh$/ {print $1, $7}' etc/passwd
Check Key SSH Authentication Settings
SSH policy should be visible before you change it.
grep -nE '^(PasswordAuthentication|PermitRootLogin|PubkeyAuthentication|AllowUsers)' etc/ssh/sshd_config
Find World-Writable Web Directories
World-writable web paths deserve immediate review.
find srv/www -type d -perm -0002 -print
Find Loose Private Key Permissions
SSH private keys should not be readable like ordinary files.
find /home -type f -name 'id_*' -printf '%m %p\n' 2>/dev/null | awk '$1 > 600'
List authorized_keys Files
Authorized keys are the server's practical access list.
find /home -path '*/.ssh/authorized_keys' -printf '%m %p\n' 2>/dev/null
Find the IPs Creating the Most 4xx Noise
One address can turn a normal access log into a wall of failed requests.
awk '$9 ~ /^4/ {count[$1]++} END {for (ip in count) print count[ip], ip}' /var/log/nginx/access.log | sort -nr | head
Spot Unusual HTTP Methods in Access Logs
Most site traffic is boring. The weird methods are worth a look.
awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print $1, $6, $7, $9}' /var/log/nginx/access.log | sort | uniq -c | sort -nr
Count the Most Common User Agents
A strange traffic spike often has a strange user agent.
awk -F'"' '{print $6}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head
Find Common Admin Probe Paths
A site does not need WordPress to receive WordPress-looking probes.
awk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print $1, $7, $9}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head
Find Paths Repeatedly Returning 404
One missing URL is normal. A repeated missing URL is a signal.
awk '$9==404 {count[$7]++} END {for (path in count) if (count[path] >= 3) print count[path], path}' /var/log/nginx/access.log | sort -nr | head
Spot Request Bursts by Minute
Traffic spikes are easier to read when you bucket them by time.
awk '{minute=substr($4,2,17); count[minute]++} END {for (m in count) print count[m], m}' /var/log/nginx/access.log | sort -nr | head
Find Clients Repeating the Same Path
The suspicious pattern is sometimes one client hammering one URL.
awk '{key=$1 " " $7; count[key]++} END {for (k in count) if (count[k] >= 5) print count[k], k}' /var/log/nginx/access.log | sort -nr | head