Day-4: Log Analysis Basics — Detect Network Port Scans with UFW

Challenge Description

In this hands-on lab you will simulate reconnaissance activity from an attacker VM (Kali) against a victim VM (Ubuntu) and use the victim’s UFW logs to detect, analyze, and document the activity. The exercise focuses on network-level log interpretation rather than packet capture or deep host forensics: you will configure UFW logging on the Ubuntu victim, run one or more controlled scanning probes from Kali (fast scan, focused HTTP probe, and a low-and-slow scan), and extract evidence from /var/log/ufw.log to demonstrate detection.

Your deliverable is a concise investigation, screenshots or excerpts of relevant ufw.log lines that show the scan activity, a short summary identifying source IP(s), ports targeted, and timestamps, and a one-paragraph conclusion with recommended immediate actions. The challenge emphasizes reproducible steps, clear evidence mapping (which log line proves what), and application of simple detection heuristics (thresholds, port diversity, or rate). All testing must be performed in an isolated lab environment you control.

Success criteria (what “done” looks like):

UFW logging is enabled and producing entries in /var/log/ufw.log.
At least one simulated scan from the attacker generates visible UFW BLOCK/UFW ALLOW entries on the victim.
You can point to 2–5 ufw.log lines that, together, prove a port-scan pattern (same SRC, many DPTs or many blocked SYNs in short time).
Your short summary correctly identifies the attacker IP, time window, ports scanned (or port ranges), and a recommended immediate mitigation (e.g., block IP, enable rate-limit, add fail2ban)

Background & Detection Concepts

An attacker (Kali) performs network reconnaissance against a victim (Ubuntu). Reconnaissance commonly uses port scans and simple HTTP probes to discover listening services. The victim uses UFW (Uncomplicated Firewall) on Linux to log network attempts to /var/log/ufw.log

Why UFW logs are useful

Host-level insights (shows which ports the system saw attempted connections on).
Lightweight and available on most Ubuntu systems.
Good for initial detection and triage before deeper packet capture or IDS.

Lab — Practical Simulation

Assumptions Kali attacker IP: 10.0.2.10 (replace) Ubuntu victim IP: 10.0.2.20 (replace) Ubuntu interface: eth0 (adjust if different) Perform all actions in an isolated lab only.

A. Preparation (on Ubuntu victim) — make logs actionable

Update and ensure UFW + rsyslog installed:

sudo apt update
sudo apt install ufw rsyslog -y

Set UFW defaults, allow SSH so you don't lock out:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp

Enable verbose logging so relevant kernel messages are written:

sudo ufw logging high

Enable UFW:

sudo ufw enable
sudo ufw status verbose

Confirm log file exists and view recent lines:

ls -l /var/log/ufw.log
sudo tail -n 50 /var/log/ufw.log

If ufw.log is absent, verify rsyslog is running: sudo systemctl status rsyslog.

B. Attacker (Kali) — controlled scanning probes

Fast SYN port-scan (common recon):

nmap -sS -p1-1024 -T4 -oN nmap_fast_scan.txt 10.0.2.20

HTTP-focused probe (common service discovery):

nmap -p 80,443,8080,8000 --open -sS -T4 -oN nmap_http_ports.txt 10.0.2.20

Low-and-slow stealth scan (evade naive thresholds):

nmap -sS -p1-200 -T1 --scan-delay 1s -oN nmap_stealth.txt 10.0.2.20

C. Observe & collect evidence (on Ubuntu victim)

1) Live monitoring

sudo tail -f /var/log/ufw.log

Look for lines containing [UFW BLOCK] or [UFW ALLOW] with SRC= and DPT=.

2) Quick grep for attacker IP:

sudo grep "SRC=10.0.2.10" /var/log/ufw.log | tail -n 50

3) Extract representative log lines (for submission)

Pick 2–5 lines that together show the pattern (same SRC, multiple DPTs or many SYN flags). Example of the form you will capture:

Nov  2 12:34:56 ubuntu kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=10.0.2.10 DST=10.0.2.20 PROTO=TCP SPT=49212 DPT=80 SYN ...

D. Analysis commands — quick detective work

Counts per source IP (how noisy is each host)

sudo awk '/UFW/ && /SRC=/ { match($0, /SRC=([0-9.]+)/, a); ip=a[1]; counts[ip]++ } END { for (i in counts) print counts[i], i }' /var/log/ufw.log | sort -nr

Unique destination ports per source (port diversity)

sudo awk '/UFW/ && /SRC=/ { match($0, /SRC=([0-9.]+)/, a); match($0,/DPT=([0-9]+)/,b); print a[1]","b[1] }' /var/log/ufw.log | sort | uniq | awk -F, '{ips[$1]++} END { for(i in ips) print i, "unique_ports:" ips[i] }'

Alert one-liner: >20 blocked attempts in last 200 lines

sudo tail -n 200 /var/log/ufw.log | awk '/UFW BLOCK/ && /SRC=/{ match($0,/SRC=([0-9.]+)/,a); print a[1] }' | sort | uniq -c | awk '$1>20{print "ALERT: " $2 " has " $1 " blocks"}'

Simple Python summary (counts per IP)

Save as parse_ufw.py:

#!/usr/bin/env python3
import re
fn="/var/log/ufw.log"
pat = re.compile(r"SRC=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)")
counts={}
with open(fn) as f:
  for line in f:
    if "UFW" in line:
      m=pat.search(line)
      if m:
        counts[m.group(1)] = counts.get(m.group(1),0)+1
for ip,c in sorted(counts.items(), key=lambda x: x[1], reverse=True):
  print(f"{ip}: {c} attempts")

Run with: sudo python3 parse_ufw.py

E. Evidence & write-up (what to capture for submission)

Log excerpts: 2–5 ufw.log lines that show SRC, DPT, timestamp and action (BLOCK/ALLOW).
Attacker output: nmap output file or screenshot (e.g., nmap_fast_scan.txt).
Short summary (one paragraph): state the attacker IP, time window, ports scanned (or pattern), and immediate action taken.

Investigation template (short):

Title: Port-scan detected — Day 4
Timeline: first and last log timestamps you observed.
IoCs: SRC=10.0.2.10, ports: 80,22,443,... (list observed DPTs).
Action taken: e.g., sudo ufw deny from 10.0.2.10 and sudo ufw limit ssh/tcp.
Next steps: consider fail2ban, ship logs to SIEM, deeper packet capture if suspicious.

F. Remediation commands (immediate)

Block IP:

sudo ufw deny from 10.0.2.10

Rate-limit SSH as a hardening example:

sudo ufw limit ssh/tcp

Consider installing and configuring fail2ban with a custom filter on /var/log/ufw.log for automation.

PreviousDay 3: Windows PowerShell Log Lab NextDay 5: Windows Defender Antivirus Log Analysis

Last updated 4 months ago

hashtagChallenge Description

hashtagBackground & Detection Concepts

hashtagLab — Practical Simulation

hashtagA. Preparation (on Ubuntu victim) — make logs actionable

hashtagB. Attacker (Kali) — controlled scanning probes

hashtagC. Observe & collect evidence (on Ubuntu victim)

hashtag1) Live monitoring

hashtag2) Quick grep for attacker IP:

hashtag3) Extract representative log lines (for submission)

hashtagD. Analysis commands — quick detective work

hashtagCounts per source IP (how noisy is each host)

hashtagUnique destination ports per source (port diversity)

hashtagAlert one-liner: >20 blocked attempts in last 200 lines

hashtagSimple Python summary (counts per IP)

hashtagE. Evidence & write-up (what to capture for submission)

hashtagF. Remediation commands (immediate)