Why I Set Email Alerts for Every New User Added to My Linux Server (And How You Can Too)
Intro: New users being added to a server may seem harmless — especially if you’re managing it solo. But on a shared or internet-facing server, this can be the first sign of a breach. I learned this the hard way after noticing strange sudo activity from a user I never created. Here’s how I now monitor all user creations and how you can set up real-time email alerts on both Ubuntu and Red Hat.
- Why You Should Care About New Users
A newly created user with sudo access can:
- Install malware
- Pivot into lateral movement
- Hide activity using rootkits
Even without sudo, attackers use fake users for persistence — so catching it early is key.
- Monitor /etc/passwd in Real Time Using auditd
Install auditd:
# Ubuntu
sudo apt install auditd -y
# Red Hat
sudo yum install audit -y
Create an audit rule:
sudo auditctl -w /etc/passwd -p wa -k useradd-watch
This tells auditd to log every write (w) and attribute change (a) to /etc/passwd, and tags each event with the key useradd-watch so the records can be pulled out later with ausearch -k useradd-watch.
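An added example, not from the original post, of the step between the audit rule and the e-mail: it picks the SYSCALL records tagged useradd-watch out of raw audit log lines and formats them as alert lines ready to be mailed. The audit records are constructed; the ausearch and mail invocations in the comments are what I would use on a real host.

```sh
#!/bin/sh
# Added example (not from the original post): turn audit records tagged with
# the useradd-watch key into alert lines ready to be mailed.
# Caveat: a rule added with auditctl is lost at reboot; put the same -w line in
# /etc/audit/rules.d/useradd.rules so augenrules loads it at boot.

# Constructed sample of raw audit log lines (not captured from a real host).
# Record 1: useradd wrote /etc/passwd. Record 2: different key, must be ignored.
# Record 3: an editor wrote the file from a session with no login uid (auid unset).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4000 pid=4001 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=5 comm="useradd" exe="/usr/sbin/useradd" key="useradd-watch"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=5000 pid=5001 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=5 comm="cat" exe="/usr/bin/cat" key="other-rule"
type=SYSCALL msg=audit(1700000000.309:203): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=6000 pid=6001 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="vi" exe="/usr/bin/vi" key="useradd-watch"'

# audit_field RECORD NAME: print the value of NAME=... in RECORD (quotes stripped).
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^ \"]*\)\"\{0,1\}.*/\1/p"
}

# useradd_alerts: read raw audit lines on stdin and print one line per SYSCALL
# record carrying key="useradd-watch": "<epoch> auid=<login uid> <comm> (<exe>)"
useradd_alerts() {
    while IFS= read -r line; do
        case "$line" in
            type=SYSCALL*key=\"useradd-watch\"*) ;;
            *) continue ;;
        esac
        ts=$(printf '%s\n' "$line" | sed -n 's/.*msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).*/\1/p')
        auid=$(audit_field "$line" auid)
        # auid is the uid of the original login; 4294967295 means none was set
        # (cron, a daemon, or a console root login), which is itself worth a look.
        if [ "$auid" = 4294967295 ]; then auid=unset; fi
        printf '%s auid=%s %s (%s)\n' "$ts" "$auid" \
            "$(audit_field "$line" comm)" "$(audit_field "$line" exe)"
    done
}

# build_report: the text to mail. On a real host feed useradd_alerts from
#   ausearch -k useradd-watch -r      (raw records for that key)
# and send with, e.g.:  build_report | mail -s "new user event on $(hostname)" root
build_report() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | useradd_alerts
}

build_report
```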