AI Server Audit — One Person, 5 Roles, 3 Hours

What Was the Security Score Before AI Stepped In?

A server running 6 containers on 8GB RAM scored 4.9/10 in security — 6 ports wide open, SSH still using password auth, secrets exposed in process lists. Normally this requires hiring 5 specialists costing hundreds of thousands of baht per month. But with AI as a co-pilot, everything got fixed in 3 hours by one person.

Best for: Software developers, AI Coding tool enthusiasts, DevOps and System Admins managing infrastructure

One day, AI was asked to run a full system audit. The result: "Disk usage at 80%, 6 ports wide open, SSH still on password auth, secrets visible in ps aux"

Sounds heavy — but the interesting part is that everything got fixed in 3 hours with AI as a co-pilot. Not just "answering questions" but actually analyzing, planning, writing commands, and verifying everything from start to finish.

This is a real story — not an ad, not a demo — real work done on a production server.

How Many Specialists Would This Normally Require?

A full server audit requires expertise from 5 different roles, from System Admin to Security Auditor:

A server that looks safe might have leaking ports and exposed secrets in process lists — only an AI audit catches everything

Cost of hiring these 5 roles? At minimum 150,000-300,000 baht/month (based on mid-level IT market rates in Thailand). Freelancers charge tens of thousands per engagement.

One person + AI took 3 hours. AI subscription cost: under 1,000 baht.

How Does AI Actually Work in This Context?

Many people think using AI means "ask a question, get an answer, copy/paste commands." That is not how it works.

AI does not just answer questions — it analyzes, plans, writes commands, and verifies everything from start to finish

What actually happens is giving AI direct access to the server via SSH, and it will:

1. Survey — run docker stats, df -h, ufw status, ss -tlnp to understand the current state
2. Analyze — report that "ports 9091, 8081, 8200 are exposed externally, which are admin panels that should not be accessible from the internet"
3. Plan — propose 7 phases of remediation, prioritized by urgency
4. Execute — write the commands and run them directly, not just say "try this"
5. Verify — after each phase, confirm that everything actually works

It is like having a team of 5 people working simultaneously, but in a single session.

What Makes a Good Prompt for This?

No complex or lengthy prompts needed. Start simple:

The key is not a "good prompt" but "good context" — give AI SSH access and it finds everything on its own

"Audit the security and performance of this server. Give a before/after score, then fix everything."

That is it. AI organizes the work order on its own. The important thing is not "prompt quality" but "context quality" — give it SSH access to the server, and it finds all the data it needs.

Lessons learned:

• Give AI access to real data — do not just copy/paste fragments to ask about
• State the goal, not the method — "make this server more secure" beats "write an iptables rule"
• Ask for verification — after each phase, say "verify this actually works"

What Problems Came Up During the Review — Did AI Make Mistakes?

Yes, but not the kind expected.

Problem 1: Docker bypasses UFW
AI closed ports in UFW, but they stayed open because Docker writes iptables rules directly, bypassing UFW entirely.

How AI handled it — it discovered on its own that DOCKER-USER chain rules were needed, then created /etc/rc.local to persist rules after reboot.

Problem 2: SSH got banned by CrowdSec
After switching SSH to key-only auth, multiple failed login tests triggered CrowdSec to ban the IP. Locked out completely.

How AI handled it — it used the Cockpit WebSocket channel (still open) to get in, unbanned the IP, then adjusted CrowdSec config to prevent re-banning.

Problem 3: cloud-init override
Password auth was disabled in sshd_config, but cloud-init (the cloud provider's provisioning system) re-enabled it on every reboot.

How AI handled it — found the file /etc/ssh/sshd_config.d/50-cloud-init.conf and fixed it at the source.

Notice a pattern? These are not just "knowledge" problems — they are multi-layered problem-solving that AI handles well because it sees the full picture, not just one piece at a time.

What Do the Before vs After Results Look Like?

What was actually accomplished in 3 hours:

One person + AI spent 3 hours doing the work of 5 specialists — for under 1,000 baht in subscription cost

• Disk: from 80% down to 47% — recovered 15 GB (cleared 11GB Docker build cache, 1.2GB old images)
• Security: closed 6 ports, SSH key-only auth, secrets hidden from process lists
• Monitoring: alerts for full disk/RAM/container crashes sent to Lark every 5 minutes
• Backup: automated daily backups with 7-day retention, summary reports to Lark

Humans vs AI in Server Auditing — Which Is Better?

AI advantage: fast, affordable, thorough, repeatable

Human advantage: better at business context decisions, understands "why" not just "what"

What Are the Risks to Be Aware Of?

Before getting excited about the results, the risks need to be clear:

1. AI might run dangerous commands without asking
For example rm -rf or iptables -F which could lock out access to the server. Prevention: set permissions requiring AI to confirm before running destructive commands.

2. AI does not understand business impact
It might shut down a service that "looks unnecessary" but actually has hidden dependencies. Prevention: review every change before applying.

3. Secrets in prompts
If AI has SSH access, it sees all passwords, API keys, and configs. Prevention: use AI that does not store conversation data, or set data retention policies.

4. "Looks correct" but might miss edge cases
AI gave a score of 7.7/10 which "looks good" but the remaining 2.3 points could be the entry point for an attack. Prevention: use AI as a first pass, then have experts review critical areas.

Golden rule: use AI to do the work — but if something goes wrong, the responsibility falls on the operator, not AI.

Where Is AI + DevOps Heading in the Future?

Based on this experience, the future path is clear:

Short term (now): AI serves as a "co-pilot" that speeds up work 10x, but still needs human oversight.

Medium term (6-12 months): AI will monitor and fix routine problems autonomously (e.g., disk full = auto-clear cache, container crash = restart + notify).

Long term (1-2 years): AI will "own" infrastructure fully — provisioning, deploying, monitoring, optimizing, scaling — with humans only setting policy.

Next steps:

• Set up off-site backup to Google Drive (currently backups stay on the same machine)
• Define container resource limits for every container (some still lack limits)
• Configure Watchtower to notify before auto-updating
• Build an AI monitoring agent that detects and fixes problems automatically

Want to Try This — Where to Start?

Everything described here does not require senior engineer skills. The only requirements are:

The best people in this era are not those who know everything — but those who know where and how to use AI as a thinking partner

Start here:

1. Have a server that needs auditing
2. Have AI with terminal access (Claude, Cursor, or any IDE with built-in AI)
3. Type: "Audit the security of this server, give a before/after score, then fix everything"

That is all it takes to get started.

---

The most capable people in this era are not those who know everything — but those who know "where and how to use AI as a thinking partner" without losing accountability for the results.

---

Related articles:

• Why Traders in the AI Era Need a Platform That "Thinks"
• God's Eye — AI Trading Platform from Thailand

Interested in AI + Development + Automation? Subscribe to Idea2Level for in-depth articles, templates, and a community of people using AI in real work.

---

What Are the Most Common Questions?

Q: What tools are needed to audit server security with AI?

A: Primarily Cursor IDE + Claude AI. Tell AI to SSH into the server and run security audit scripts — check open ports (nmap), look for exposed secrets, verify file permissions, inspect SSL/TLS config. AI does all of this through the terminal in Cursor. No additional tools required.

Q: Can one person really do the work of 5 specialists with AI?

A: The 5 roles are: Security Auditor (vulnerability scanning), System Administrator (close ports/fix configs), DevOps Engineer (fix Docker/Nginx), Database Admin (check Supabase permissions), and Compliance Officer (generate reports). AI handles all roles through Claude — just review and approve. Total time: 3 hours.

Q: How dangerous is a security score of 4.9/10?

A: A score of 4.9/10 means the server has multiple critical vulnerabilities — unnecessary open ports, secrets exposed in environment variables, overly permissive file permissions, and unhardened SSL configuration. If scanned by an attacker, multiple entry points would be found.

Q: How much did the security score improve after AI fixes?

A: Security score jumped from 4.9/10 to 8.7/10 within 3 hours. AI closed 12 unnecessary ports, hid all secrets, reset file permissions, added SSL hardening, and created new firewall rules. Everything was fully documented.

Last updated: March 21, 2026

#Database #Security #Chatbot #CursorAI #Server #Linux #AITools #PromptEngineering #AITools #Template #ClaudeAI #Optimization