Sign in Subscribe

How I Monitored and Tracked Unwanted Access Attempts on My Server Using Daemons, Logs, and Python Scripts

Last updated on 
Hacker trying to track server

When managing a server , especially one that’s exposed to the internet , knowing how to monitor and track access attempts is crucial.

I recently found myself needing to check how many people were trying to access my server and what their IP addresses were.

Over time , I’ve learned a variety of methods to monitor these attempts , including using a combination of system commands , custom scripts and log tracking.

In this post, I’ll take you through everything I did to successfully monitor my server and generate detailed logs, all while learning key lessons along the way.

Step1 : Checking Who Is Trying to Access My Server

At some point , every server administrator needs to know who’s trying to connect to their system.

The fist step in this journey was to identify the number of active or failed login attempts.

After all , the more you know about who is trying to access your server, the better you can secure it.

For checking the current and previous login attempts, I ran the following command:

sudo netstat -an | grep ':22' | grep 'ESTABLISHED'

This command shows you a quick overview of the SSH connections op port 22 (SSH Default Port).

It helps in identifying active sessions. If you’re looking to monitor failed attempts , the auth.log file is your friend.

To see failed login attempts, I ran:

sudo cat /var/log/auth.log | grep 'Failed'

This command filters out the failed SSH login attempts, which are very useful for spotting brute force or unauthorized login attempts.

Step 2 : Tracking IPs with a Custom Script for Continuous Monitoring

If you’ve managing a server that might have 24/7 access attempts , it’s essential to automate the monitoring process.

I decided to create a daemon that would track all IPs trying to connect to my server , logging them in a file.

This allowed me to have an ongoing log of who was trying to connect , whether successfully or not.

Here’s the script I’ve created to monitor these attempts. This one runs in a background daemon and continuously appends any failed login attempts to a log file:

#!/bin/bash

# Daemon to track failed login attempts
LOG_FILE="/home/your-path/failed_logins.log"
DATE=$(date "+%Y-%m-%d %H:%M:%S")
FAILED_ATTEMPTS=$(sudo cat /var/log/auth.log | grep 'Failed' | tail -n 10)

# Logging the failed attempts
echo "$DATE: $FAILED_ATTEMPTS" >> $LOG_FILE

This script simply reads the last few failed login attempts , adds a timestamp and logs them into a file named failed_logins.log .

I saved this script as track_failed_logins.sh inside the /home/your-path/ directory.

Step 3 : Automating the Script to Run 24/7

One of the challenges I occured so far was ensuring this script ran continuously without any interruptions.

After a bit of research , I realized that using cron for regular execution was the best way.

For this , I created a cron job that would run the script every minute , ensuring it would constantly append new failed login attempts to the log.

First , I added following cron entry:

* * * * * /bin/bash /home/your-path/track_failed_logins.sh

This tells the system to run the track_failed_logins.sh scrpt every minute.

As a result , every time the cron job executes , any failed login attempts will be added to the log file.

Step 4 : Running the Script with Daemon

If you prefer having your script running as a true background process , you can also use tmux to ensure the script stays running.

I used tmux to create a session that runs the script in the background:

  1. Start a tmux session:
tmux new-session -d -s tracking-session

2. Run the script within tmux:

tmux send-keys -t tracking-session "/bin/bash /home/your-path/track_failed_logins.sh" C-m

3. Detach from the session:

tmux detach

This allows the script to run in the background without being interrupted , even if the terminal session is closed.

Step 5 : Analyzing the Logs

With the cron job running and the daemon active , I now had a flowlessly updated log of failed login attempts.

To analyze these logs , I simply examined the failed_logins.log file, which would show the date , time and IP address of the failed login attempts:

cat /home/your-path/failed_logins.log

As you check the output , it gives us a clear view of the IPs that were trying to break into the system.

I used the following command to count how many times each IP had failed to login:

cat /home/your-path/failed_logins.log | grep 'Failed' | awk '{print $NF}' | sort | uniq -c

This command sorts the log and counts the unique IPs, Helping me quickly spot any suspicious patterns or repeated attempts from the same address.

Step 6 : Securing the server and Acting on the Logs

Once I had a detailed log of all the IPs trying to access to my server , the next step was to work on that information.

If I noticed any suspocious activity , like repeated failed login attempts from a specific IP , I could easily block that IP using iptables command:

sudo iptables -A INPUT -s [IP_ADDRESS] -j DROP

This blocked that IP address from the connecting to the server as soon as possible , so protect server for further malicious attempts.

Bonus: Using a Daemon to Monitor and Block Malicious SSH Attempts

In interviews with highly experienced candidates , I sometimes hear answers that go beyond AWS configuration.

One of the best examples I’ve seen is setting up a daemon that monitors SSh logs and automatically blocks suspocious IPs.

This tell me the candidate in not only good with AWS but also understands how to secure Linux systems in real-world environments.

First Create the Sysyemd service for the Daemon to run your Python SSH blocker script:

sudo nano /etc/systemd/system/ssh_blocker.service

Paste This :

[Unit]
Description=SSH Blocker Daemon
After=network.target

[Service]
ExecStart=/usr/bin/python3 /home/your-path/ssh_blocker/ssh_block_daemon.py
Restart=always
User=your-user
Group=your-group

[Install]
WantedBy=multi-user.target

Then Reload and Enable the Service

sudo systemctl daemon-reload
sudo systemctl enable ssh_blocker.service
sudo systemctl start ssh_blocker.service

Check if Server is Running:

sudo systemctl status ssh_blocker.service

If script is designed to log blocked IPs , you can verify it’s working with this :

sudo cat /var/log/ssh_blocked_ips.log

# or 

sudo journalctl -u ssh_blocker.service -f

Candidates who bring this up without being prompted stand out immediately.

Conclusion: The Power of Automation and Continuous Monitoring

By combining system-level commands , custom scripts and cron jobs , I was able to create an automated system that not only logs failed login attempts but also allows me to take action immediately when needed.

As a server administrator , you’ll always face security risks and threats, but having a continuous monitoring system in place can make a huge difference.

If you’re managing a server , whether it’s a personal project or a business-critical system , implementing automated monitoring and tracking is a essential skill.

You don’t need to be a security expert to get started — just a few simple tools , scripts and regular logs analysis can help you a long way in safeguarding your server against unauthorized access.

You can fuel my next data science deep dive by buying me a coffee ☕!