CTO
Security Audit That Runs Every Morning: 149 Intrusion Attempts Caught on Day One
Key Takeaway
A daily AI-powered security audit runs at 7am, checks everything from firewall rules to SSH brute-force stats, and delivers a color-coded scorecard to Telegram. On day one, it caught 149 blocked intrusion attempts we didn't even know about.
The Problem
I run 31 AI agents on an AWS Ubuntu server. That server faces the public internet. Every second of every day, someone is probing it.
The problem isn't that attacks happen. The problem is that most people don't know they're happening. You configure your firewall on day one, set up fail2ban, pat yourself on the back, and never look again. Meanwhile, your SSH config drifts. A package update opens a port you didn't expect. fail2ban's jail expires and nobody notices.
Security isn't a one-time setup. It's a daily discipline. And I'm not going to spend 20 minutes every morning running ufw status, checking fail2ban-client status, and scanning for open ports. That's exactly the kind of work an AI agent should do.
The alternative? Hire a security auditor. That's $5,000 to $20,000 per year for periodic reviews, quarterly if you're lucky. I wanted daily. Every single morning. Before I even wake up.
The Solution
Mr.Chief's Healthcheck skill: a security hardening and audit tool that runs as a cron job. It checks every attack surface on the machine, scores each category green/yellow/red, and delivers the results straight to Telegram.
One agent. One cron job. Zero human effort after setup.
The Process
Setting up the daily audit took about 15 minutes. Here's the cron configuration:
```bash
# Daily security audit at 7:00 AM CET (6:00 AM UTC)
0 6 * * * mrchief cron run --task "Run full security healthcheck. Check UFW status, SSH configuration, fail2ban statistics, open ports, and package updates. Deliver scorecard to Telegram." --channel telegram
```
The Healthcheck skill checks these categories on every run:
| Category | What It Checks |
|---|---|
| Firewall (UFW) | Active, default-deny, allowed ports |
| SSH Configuration | Root login, password auth, port |
| fail2ban | Active jails, banned IPs, ban count |
| Open Ports | Listening services, unexpected ports |
| Package Updates | Unattended-upgrades, pending patches |
| System Integrity | Disk usage, uptime, running services |
The agent runs each check, collects the output, and builds a scorecard:
```
Daily Security Audit - March 12, 2026
🟢 Firewall: UFW active, default deny, 3 rules
🟢 SSH: Root disabled, password auth off, port 22
🟢 fail2ban: Active, 149 bans in last 24h
🟢 Ports: Only 22 (SSH) and 18789 (gateway) open
🟢 Updates: Unattended-upgrades enabled, 0 pending
🟢 System: Disk 34%, uptime 47 days
Score: 6/6 - All clear
```
That scorecard hits my Telegram at 7:00 AM sharp. Before my first coffee.
The Results
Day one was eye-opening.
| Metric | Value |
|---|---|
| Blocked SSH brute-force attempts (24h) | 149 |
| Unique attacking IPs | 23 |
| fail2ban active bans | 17 |
| Open ports found | 2 (expected) |
| Unexpected services | 0 |
| Security score | 6/6 |
| Time to audit | ~45 seconds |
| Human effort | 0 minutes |
149 brute-force attempts in 24 hours. On a server I'd set up three days earlier. fail2ban was doing its job: every single one was blocked. But I didn't know that until the agent told me.
That's the point. The firewall was working. The bans were happening. But without the daily audit, I was flying blind. Now I see the numbers every morning. If they spike from 149 to 1,400, I know something changed. If a new port appears, I know immediately.
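The checks and the two drift signals described above (a new listening port, a spike in bans) can also be scored deterministically from raw command output. The following is an added example, not Mr.Chief's own code: the function names, the constructed sample output, the previous-run baseline and the 5x spike threshold are all assumptions.

```python
import re

# Constructed samples shaped like `ufw status verbose`, `sshd -T`,
# `fail2ban-client status sshd` and `ss -tlnH` output (not from the page).
UFW = "Status: active\nDefault: deny (incoming), allow (outgoing), disabled (routed)\n"
SSHD = "port 22\npermitrootlogin no\npasswordauthentication no\n"
F2B = "|- Filter\n|  `- Total failed:\t412\n`- Actions\n   |- Currently banned:\t17\n   `- Total banned:\t149\n"
SS = ("LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n"
      "LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*\n"
      "LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*\n")  # loopback-only service
EXPECTED_PORTS = {22, 18789}  # allowlist taken from the scorecard above

def check_firewall(out):
    if "Status: active" not in out:
        return "red", "UFW inactive"
    if "deny (incoming)" not in out:
        return "yellow", "default incoming policy is not deny"
    return "green", "UFW active, default deny"

def check_ssh(out):
    cfg = dict(l.split(None, 1) for l in out.splitlines() if len(l.split()) > 1)
    bad = [k for k in ("permitrootlogin", "passwordauthentication") if cfg.get(k) != "no"]
    return ("red", "enabled: " + ", ".join(bad)) if bad else ("green", "root login and password auth off")

def check_fail2ban(out, baseline, factor=5):
    m = re.search(r"Total banned:\s*(\d+)", out)
    if not m:  # jail missing or stopped: the silent failure the article warns about
        return "red", "sshd jail not reporting"
    bans = int(m.group(1))
    if bans > factor * baseline:  # assumed spike threshold vs. the previous run
        return "yellow", f"{bans} bans vs baseline {baseline}"
    return "green", f"{bans} bans"

def check_ports(out, expected):
    seen = set()
    for parts in (l.split() for l in out.splitlines()):
        if len(parts) < 4:
            continue
        addr, port = parts[3].rsplit(":", 1)
        if not addr.startswith(("127.", "[::1]")):  # loopback is not exposed
            seen.add(int(port))
    extra = sorted(seen - expected)
    return ("red", f"unexpected ports: {extra}") if extra else ("green", f"only {sorted(seen)}")

def scorecard(ufw, sshd, f2b, ss, baseline=149):
    return {"Firewall": check_firewall(ufw), "SSH": check_ssh(sshd),
            "fail2ban": check_fail2ban(f2b, baseline), "Ports": check_ports(ss, EXPECTED_PORTS)}

if __name__ == "__main__":
    for name, (colour, detail) in scorecard(UFW, SSHD, F2B, SS).items():
        print(f"{colour:6} {name}: {detail}")
```

Note that fail2ban's "Total banned" counts bans since the jail started rather than over the last 24 hours, so a daily figure needs the previous run's value subtracted.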
Cost comparison:
| Approach | Cost | Frequency | Coverage |
|---|---|---|---|
| Security auditor | $5,000–$20,000/yr | Quarterly | Point-in-time |
| Automated daily audit | $0 | Daily | Continuous |
The agent doesn't replace a penetration test. But it replaces the day-to-day vigilance that nobody has time for.
Try It Yourself
Sign up for Mr.Chief, enable the Healthcheck skill, and set up the cron:
```bash
# Install the healthcheck skill
# Install via Mr.Chief dashboard after signing up at mrchief.ai/setup
# clawhub install healthcheck

# Test it manually first
mrchief run --task "Run security healthcheck and report findings"

# Set up the daily cron
mrchief cron add --schedule "0 6 * * *" \
  --task "Run full security healthcheck. Deliver scorecard to Telegram." \
  --channel telegram
```
You'll have a daily security audit running before tomorrow morning.
149 attacks on day one. And that's a quiet day.