We covered Linux authentication logs, the locations of log files in Linux, the log analysis tools available on Linux, and walked through a case study in which we analyzed an SSH brute force attack that resulted in a server compromise and a backdoor installed for persistence.
Understanding Log Files
Log files are records of events committed to a file in a list format. They can include all sorts of information about events that happened at a particular time. Every device on the network creates log files, thus giving you a history of what’s been happening.
Log entries typically contain five fields:
- Timestamp – the time of the event.
- Log level – how severe or important the event is.
- Username – who caused the event.
- Service or application – what caused the event.
- Event description – what happened.
Linux Authentication Logs
/var/log/auth.log
The authentication log (on Debian and Ubuntu; Red Hat based systems write the same data to /var/log/secure) records successful and failed logins, together with privilege changes such as su and sudo, including the command each sudo invocation ran after a session was opened by a successful authentication.
/var/log/wtmp
A binary history of login and logout activity. It cannot be read with cat or grep; use last or utmpdump to decode it.
Linux Logs Analysis
Example commands used in analyzing Linux authentication logs:
Auditing authentication logs
tail /var/log/auth.log
grep -i "fail" /var/log/auth.log
Counting log entries per service. Field 6 assumes the traditional syslog timestamp with a single-digit day padded by two spaces ("Jan  5"); for days 10 and above the service is field 5, and with the ISO 8601 timestamps newer rsyslog configurations write it is field 3, so check the format with head before trusting the counts.
cat auth.log | cut -d' ' -f 6 | cut -d[ -f1 | sort | uniq -c | sort -nr
Counting failed login attempts per targeted username (the rev/cut/rev pair strips the trailing "from <ip> port <n> ssh2")
cat auth.log | grep Failed | cut -d: -f4 | cut -d' ' -f5- | rev | cut -d' ' -f6- | rev | sort | uniq -c | sort -nr
Viewing successful authentication logs
cat auth.log | grep Accepted
Viewing the login and logout history stored in the binary wtmp file (currently logged-in users come from who or w, which read /var/run/utmp)
utmpdump /var/log/wtmp
Brute Force Attack Detection By Analyzing Linux Authentication Logs
A brute force attack produces a burst of failed login attempts, usually from one source address against one or a few accounts, which the commands above surface. If the attack succeeds, the run of "Failed password" entries is followed by an "Accepted" entry in auth.log for the same source address and user. That successful login after many failures is the indicator of compromise, and what the account does afterwards (sudo commands in auth.log, sessions in wtmp) is where the investigation continues.
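The following script is an added example, not part of the original post or the video. It reimplements the service and per-user counts from the command pipelines above and then applies the detection rule just described: count failed SSH logins per source address and flag any Accepted login that arrives from a source that has already exceeded a failure threshold. The log lines are constructed (RFC 5737 documentation addresses, hostname web01); one line uses the ISO 8601 timestamp format to show that the parser does not depend on field positions the way cut does. The threshold of five is an assumption for the demo.

```python
"""Detect SSH brute force attempts, and the successful login that follows them,
from auth.log-style lines. Added example; not code from the original page."""
import re
from collections import Counter, defaultdict

# Constructed sample lines: traditional syslog format plus one ISO 8601 line.
# Hosts and addresses are fictitious (RFC 5737 documentation ranges).
SAMPLE_AUTH_LOG = """\
Jan  5 10:01:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40111 ssh2
Jan  5 10:01:03 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan  5 10:01:05 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 40113 ssh2
Jan  5 10:01:07 web01 sshd[2107]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jan  5 10:01:09 web01 sshd[2109]: Failed password for root from 203.0.113.7 port 40115 ssh2
Jan  5 10:01:11 web01 sshd[2111]: Accepted password for root from 203.0.113.7 port 40116 ssh2
Jan  5 10:02:00 web01 sshd[2120]: Accepted publickey for deploy from 198.51.100.4 port 51000 ssh2: ED25519 SHA256:abc
Jan  5 10:03:00 web01 sshd[2130]: Failed password for bob from 198.51.100.9 port 52000 ssh2
Jan  5 10:03:30 web01 sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt install nmap
2024-01-05T10:04:00.000000+00:00 web01 sshd[2140]: Failed password for root from 203.0.113.7 port 40120 ssh2
"""

# Line header: timestamp (either format), host, service, optional [pid], message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d|\d{4}-\d\d-\d\dT\S+) "
    r"(?P<host>\S+) (?P<service>[^\[\]: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sshd authentication outcome messages ("invalid user" is dropped so the
# username lands in the same group either way).
SSH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def service_stats(entries):
    """Events per logging service, independent of timestamp padding."""
    return Counter(e["service"] for e in entries)


def ssh_events(entries):
    """Yield (entry, parsed outcome) for sshd Accepted/Failed lines only."""
    for e in entries:
        if e["service"] == "sshd":
            m = SSH_RE.match(e["msg"])
            if m:
                yield e, m.groupdict()


def failed_by_user(entries):
    """Failed SSH logins grouped by the targeted username."""
    return Counter(ev["user"] for _, ev in ssh_events(entries) if ev["result"] == "Failed")


def detect_bruteforce(entries, threshold=5):
    """Walk the log in order. A source with at least `threshold` failures is a
    brute force source; an Accepted login from such a source after those
    failures is reported as a likely compromise."""
    failures = defaultdict(int)
    compromised = []
    for e, ev in ssh_events(entries):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= threshold:
            compromised.append({"ts": e["ts"], "user": ev["user"], "ip": ev["ip"],
                                "failures_before_success": failures[ev["ip"]]})
    sources = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"bruteforce_sources": sources, "compromised_logins": compromised}


if __name__ == "__main__":
    entries = parse_auth_log(SAMPLE_AUTH_LOG)
    print(service_stats(entries))
    print(failed_by_user(entries))
    print(detect_bruteforce(entries))
```

On the sample data the detector reports 203.0.113.7 as a brute force source and flags the root login at 10:01:11, which came after five failures from that address; the later deploy login via public key from a clean address is not flagged. The rule is count based only; a production detector would also bound the count by a time window, which needs the year that the traditional syslog timestamp omits.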
Video Walkthrough | SSH Brute Force Attacks Analysis