Day #6 — Log Analysis Basics: Linux Auth Log (SSH Brute-Force Simulation)

🎯 Objective Simulate an SSH brute-force attack and detect it using Linux authentication logs. Learn to spot multiple failed login attempts, identify attacker IP(s), targeted user accounts, and create simple detection rules/alerts.

Overview The attacker (Kali) runs a password-guessing tool (hydra) against an Ubuntu SSH server; the defender examines /var/log/auth.log (or /var/log/secure on RHEL/CentOS) to extract indicators (SRC IP, username list, timestamps) and recommend mitigations.

Safety note (read aloud) Do this only in an isolated lab environment. Never brute-force systems you do not own or have written permission to test.

---

Lab Setup

Systems

• Attacker: Kali Linux (or any Linux with hydra)

• Target: Ubuntu Server (or Debian) with openssh-server

• Logging: rsyslog (default on Ubuntu)

Files to inspect

• Ubuntu/Debian: /var/log/auth.log

• RHEL/CentOS: /var/log/secure

Required packages (target machine)

sudo apt update
sudo apt install openssh-server rsyslog -y   # Ubuntu/Debian
sudo systemctl enable --now ssh

Install hydra (attacker machine)

sudo apt update
sudo apt install hydra -y

---

Lab Simulation — Step-by-Step

A. Prepare the victim (Ubuntu)

1. Ensure SSH is installed and running:

   sudo systemctl status ssh

2. (Optional but recommended) Harden SSH so you don’t expose it later:

   • Edit /etc/ssh/sshd_config:

     • PermitRootLogin no

     • PasswordAuthentication yes (for lab purposes only; set back later)

   • Restart ssh:

     sudo systemctl restart ssh

3. Confirm logging is working:

   ls -l /var/log/auth.log
   sudo tail -n 20 /var/log/auth.log

B. Attacker: Run a controlled brute-force with hydra

Replace 10.0.2.20 and targetuser with your lab target details.

1. Quick test against a single username (password list passwords.txt):

   hydra -l targetuser -P passwords.txt ssh://10.0.2.20 -t 4

2. Test multiple usernames (user list users.txt):

   hydra -L users.txt -P passwords.txt ssh://10.0.2.20 -t 6

3. Low-and-slow attack (reduce threads, add delay):

   hydra -L users.txt -P passwords.txt ssh://10.0.2.20 -t 1 -w 3   # -w is wait between tries

Record the attacker IP (from the Kali VM network) — e.g., 10.0.2.10.

---

C. Observe & collect evidence (defender)

1. Live monitor:

   sudo tail -f /var/log/auth.log

   Look for lines like:

   Nov  5 07:12:34 ubuntu sshd[12345]: Failed password for invalid user admin from 10.0.2.10 port 53872 ssh2
   Nov  5 07:12:35 ubuntu sshd[12346]: Failed password for user root from 10.0.2.10 port 53873 ssh2

2. Quick grep for attacker IP:

   sudo grep "10.0.2.10" /var/log/auth.log | tail -n 50

3. Extract representative log lines — pick 3–6 lines showing repeated failures from same SRC with timestamps and usernames.

---

Log Analysis — Commands & Heuristics

Count failed attempts per IP (how noisy)

sudo awk '/Failed password/ { match($0, /from ([0-9.]+)/, a); print a[1] }' /var/log/auth.log | sort | uniq -c | sort -nr

Interpretation: top result = most attempts → likely attacker.

Count unique usernames attempted per IP (target diversity)

sudo awk '/Failed password/ { match($0,/from ([0-9.]+)/,a); match($0,/for (invalid user )?([^ ]+)/,b); print a[1]","b[2] }' /var/log/auth.log | sort | uniq | awk -F, '{ ips[$1]++ } END { for (i in ips) print i, "unique_usernames:" ips[i] }'

Rate-based alert: alert if >20 failures in last 200 lines

sudo tail -n 200 /var/log/auth.log | awk '/Failed password/ { match($0,/from ([0-9.]+)/,a); print a[1] }' | sort | uniq -c | awk '$1>20{print "ALERT: " $2 " has " $1 " failed logins"}'

User-focused view (who's being targeted)

sudo awk '/Failed password/ { match($0,/for (invalid user )?([^ ]+) from/,b); print b[2] }' /var/log/auth.log | sort | uniq -c | sort -nr

This shows which usernames are being tried most often (e.g., root, admin).

---

What to capture as evidence (deliverables)

1. 2–5 auth.log excerpts that prove the brute-force (same SRC, repeated Failed password, timestamps). Example:

   Nov  5 07:12:34 ubuntu sshd[12345]: Failed password for invalid user admin from 10.0.2.10 port 53872 ssh2
   Nov  5 07:12:35 ubuntu sshd[12346]: Failed password for root from 10.0.2.10 port 53873 ssh2

2. Hydra output (screenshot or hydra.txt) showing attempted usernames/passwords.

3. Short summary (one paragraph): attacker IP, time window, usernames targeted, heuristic used (e.g., >20 failures in 5 minutes), and immediate action taken.

4. Optional: output from the Python parser or awk counts.

---

Detection Heuristics (simple & practical)

• High attempt rate: same IP generating > X failed logins within Y minutes (example: >20 failures in 5 minutes).

• User diversity: single IP trying many different usernames (e.g., >5 unique usernames).

• Sequential port change: if attempts come from many ephemeral source ports in quick succession — typical of automated tools.

• Invalid user: many invalid user entries implies brute-force against non-existent accounts.

Choose thresholds that match your lab (conservative for noisy environments, tighter for low-noise servers).

---

Immediate Mitigations (commands)

1. Block the attacker IP with ufw or iptables:

   sudo ufw deny from 10.0.2.10
   # or
   sudo iptables -A INPUT -s 10.0.2.10 -j DROP

2. Enable SSH rate-limiting with UFW:

   sudo ufw limit ssh/tcp

3. Install & configure fail2ban:

   sudo apt install fail2ban -y
   # create /etc/fail2ban/jail.d/sshd.local with appropriate rules
   sudo systemctl enable --now fail2ban

4. Disable password auth and use key-based auth (after you finish the lab):

   • In /etc/ssh/sshd_config: PasswordAuthentication no then sudo systemctl restart ssh.