• Blue team

Use knockd to hide SSH.

List the ARP cache and check whether multiple IPs route to the same physical address. If they do, a MitM attack may be in progress.

More secure development

If an attacker can write files but not directories, it could be a good idea to store sensitive files in another subdir. If this…
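The ARP-cache check from the Blue team notes above, as an added example that is not part of the original page. It assumes Linux `ip neigh show` output on stdin; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report MAC addresses that
# answer for more than one IP in the neighbour (ARP) table.
# Assumes `ip neigh show` style input on stdin, e.g.
#   192.168.1.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE

find_shared_macs() {
    awk '
    {
        ip = $1; mac = ""
        for (i = 2; i < NF; i++)
            if ($i == "lladdr") mac = tolower($(i + 1))
        if (mac == "") next            # FAILED/INCOMPLETE: no MAC learned
        if ((mac, ip) in seen) next    # count each IP once per MAC
        seen[mac, ip] = 1
        count[mac]++
        sep = (mac in ips) ? "," : ""
        ips[mac] = ips[mac] sep ip
    }
    END {
        # One line per MAC that maps to two or more distinct IPs.
        for (mac in count)
            if (count[mac] > 1) print mac, ips[mac]
    }' | sort
}

# Constructed sample table: the gateway .1 and host .23 share one MAC
# (the second entry is upper-case to show case-insensitive matching).
sample_neigh() {
    cat <<'EOF'
192.168.1.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
192.168.1.23 dev eth0 lladdr 52:54:00:AA:BB:01 STALE
192.168.1.40 dev eth0 lladdr 52:54:00:aa:bb:40 REACHABLE
192.168.1.77 dev eth0  FAILED
EOF
}

# Demo on the sample; on a live host use: ip neigh show | find_shared_macs
sample_neigh | find_shared_macs
```

A reported MAC is a lead to investigate, not proof: hosts with several addresses (aliases, IPv4 plus IPv6) and proxy-ARP routers share a MAC legitimately.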