I Tried Breaking Into My Own Linux Server — Here’s What I Learned About Real-World Security

Intro:

They say the best way to secure your server… is to try hacking it. So I did. I set up a fresh Linux box, installed a simple Nginx site, and tried every trick I could think of to break in. Here’s what worked, what didn’t, and the defenses I’ll never skip again.

1. My Test Setup

• OS: Ubuntu Server 22.04
• Services: SSH, Nginx
• Public IP via DigitalOcean
• No initial firewall — just raw exposure

2. What I Tried (As the Attacker)

• Port scanning with nmap
• Checking open services with ss -tuln
• Brute-force SSH using hydra (against intentionally weak creds)
• Directory busting with gobuster on the Nginx web root
• Injecting payloads via GET requests

3. What Actually Worked (Yikes)

• SSH login with default password (because I forgot to change it 🙈)
• Sensitive file exposed in /var/www/html/test_config.txt
• No brute force protection = unlimited SSH tries