I have a VPS out there which over time has become a repetitive problem with hack / something getting into container / misuse thereafter. Big picture unsure why. Previously isolated post-event to PHP compromise. Scrapped PHP and went different direction and months later, a second compromise. Container is literally empty and no fun for anyone. Contemplating turning it into a honeypot to draw out the activity on said network and see if I can learn more (may go that route). Big question though, because this must happen quite a bit to VPS providers here - What do you recommend to VPS customers to monitor activity of their VPS instances? What tools should customers be running in containers to try to get ahead of problems like this before your network level monitors or other reporting externally label the IP for external abuse? Nature of this now twice was exploit used in common software stack with all current updates and then perps used such to send email spam.